Debugging Windows Applications with IDA Bochs Plugin

Copyright 2009 Hex-Rays SA


Quick overview:
In IDA 5.4, we implemented an interface, using the open source x86 emulator Bochs, that allows IDA to
debug malware and chunks of code in a safe, emulated environment.
To get started, you need to install a supported Bochs version (v2.3.7 at the time of writing) from
http://bochs.sourceforge.net/
After installing it, make sure you « Switch Debugger » and select the Bochs debugger.
There is not much to configure if you need a quick start. IDA can automatically detect where Bochs is
installed, but if it fails you can always reconfigure it in the Debugger Setup / Specific Debugger
options:
In this screen, « Debugger specific options », we configure the Bochs plugin:
BOCHSDBG
This parameter specifies the path to the bochsdbg.exe executable.
IDA tries to guess it by looking at the BXSHARE environment variable and
by checking the system registry for Bochs keys.
BOCHSRC
This is the path to the Bochs configuration file template. It contains
special variables prefixed with '$'. These variables should not be
modified or changed by the user; they are automatically filled in by the
plugin. Other entries can be modified as needed.
Loader type
The user can choose between the Disk Image, IDB and PE loaders.
Delete image files upon session end
If enabled, IDA will automatically delete the Bochs disk images used for
the debugging session (this option only applies to the IDB and PE loaders).
If the IDB loader finds a previously created image, it verifies that it
corresponds to the database and uses it as is. Unchecking this option
for the IDB loader will speed up launching the debugger.
Finally there are two buttons that are used to configure the IDB and PE loaders specifically.
There are 3 types of loaders, each used for a specific goal:
Disk image loader: point to a prepared disk image and debug it
IDB loader: debug the contents of the database
PE loader: debug MS Windows PE files
Debugging a Bochs disk image:
With the disk image loader it is possible to debug any Bochs disk image.
In this example, we will show you how to set up the IDA Bochs plugin to debug a disk image of your
choice.
First we need the following files:
filename.bochsrc: This file contains the Bochs configuration, such as the disk image file name,
cdrom config, network card, BIOS file, etc.
diskimage.bin: This is the actual disk image file containing the operating system
Now let us test that our configuration works properly, so we run:
« bochs.exe -f filename.bochsrc »
If everything is okay then Bochs should start emulating the operating system in question.
Now let us debug the image in IDA:
Create an empty database: we could disassemble any file for that
Select the Bochs / Disk image loader
In the Debugger / Process options: make sure that the application and input file fields have the same
value, for example:
Since we chose « myos.bin » as the input file, the plugin requires that the Bochs configuration and
the Bochs disk image file be renamed to « myos.bochsrc » and « myos.bochsimg » respectively.
Do not forget to edit your bochsrc file and update the disk image file name, for example:
« ata0-master: type=disk, mode=flat, path="myos.bochsimg", ... »
That's it. Now we can simply press F9 and start the debugger.
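The naming convention above (input file « myos.bin », hence « myos.bochsrc » and « myos.bochsimg », with the ata0-master line pointing at the renamed image) is easy to get half right, and the loader then fails before Bochs even starts. The checker below is an added example, not Hex-Rays code: it derives the expected names from the input file, parses the ataN-master/slave lines of a bochsrc, and reports every mismatch. The two bochsrc texts embedded in it are constructed for this example (one before and one after the path edit); the "myos" file names are the tutorial's own.

```python
# Added example (not Hex-Rays' own code): check the disk image loader naming
# convention.  The plugin takes the input file from Debugger / Process options
# ("myos.bin"), strips the extension and expects "myos.bochsrc" and
# "myos.bochsimg" beside it; the bochsrc's ata0-master line must point at that
# image.  Sample bochsrc contents below are constructed for this example.
import os
import re
from pathlib import Path

# ataN-master / ataN-slave lines carry comma-separated key=value pairs.
ATA_RE = re.compile(r"^\s*(ata\d-(?:master|slave))\s*:\s*(.*)$")


def expected_names(input_file):
    """Derive the file names the disk image loader will look for."""
    base = Path(input_file).stem            # "myos.bin" -> "myos"
    return base + ".bochsrc", base + ".bochsimg"


def parse_bochsrc(text):
    """Return {"ata0-master": {"type": "disk", "path": ...}, ...}.
    Only the drive lines are parsed; '#' starts a comment in bochsrc."""
    drives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = ATA_RE.match(line)
        if not m:
            continue
        params = {}
        for item in m.group(2).split(","):
            if "=" in item:
                key, value = item.split("=", 1)
                params[key.strip()] = value.strip().strip('"')
        drives[m.group(1)] = params
    return drives


def check_disk_image_setup(input_file, bochsrc_text, present_files):
    """Return a list of problems; empty means the setup matches what the
    loader expects.  present_files is the set of names in the directory."""
    rc_name, img_name = expected_names(input_file)
    problems = []
    for name in (rc_name, img_name):
        if name not in present_files:
            problems.append("missing file: " + name)
    boot = parse_bochsrc(bochsrc_text).get("ata0-master")
    if boot is None:
        problems.append("bochsrc has no ata0-master line")
    else:
        if boot.get("type") != "disk":
            problems.append("ata0-master type is %r, expected 'disk'"
                            % boot.get("type"))
        if boot.get("path") != img_name:
            problems.append("ata0-master path is %r, expected %r"
                            % (boot.get("path"), img_name))
    return problems


def check_on_disk(input_path):
    """Convenience wrapper: run the check against a real directory."""
    directory = os.path.dirname(os.path.abspath(input_path))
    rc_name, _ = expected_names(input_path)
    with open(os.path.join(directory, rc_name)) as fh:
        text = fh.read()
    return check_disk_image_setup(os.path.basename(input_path), text,
                                  set(os.listdir(directory)))


# Constructed bochsrc before the rename step: it still points at the original
# image name, so the plugin would not find the renamed image.
BOCHSRC_BEFORE = """\
megs: 32
romimage: file=$BXSHARE/BIOS-bochs-latest
ata0-master: type=disk, mode=flat, path="diskimage.bin", cylinders=20, heads=16, spt=63
boot: disk
"""

# The same config after editing the path as the tutorial instructs.
BOCHSRC_AFTER = BOCHSRC_BEFORE.replace('path="diskimage.bin"',
                                       'path="myos.bochsimg"')

if __name__ == "__main__":
    before = check_disk_image_setup(
        "myos.bin", BOCHSRC_BEFORE, {"myos.bin", "myos.bochsrc", "diskimage.bin"})
    after = check_disk_image_setup(
        "myos.bin", BOCHSRC_AFTER, {"myos.bin", "myos.bochsrc", "myos.bochsimg"})
    print("before rename:", before)   # missing image and wrong path
    print("after rename:", after)     # []
```

Run check_on_disk("myos.bin") from the directory that holds the three files; an empty list means the loader will find what it needs. The parser deliberately ignores everything except the drive lines, so other bochsrc settings (memory, BIOS, boot order) are left to Bochs itself to validate when you run « bochs.exe -f ».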
In this screenshot we can see the IDA Bochs / Disk image loader debugging MS Windows XP.
We can send commands using the command line interface in IDA. We press « . » (dot) and then type
the desired command. For example, we can send the Bochs debugger the « info idt » command:
Debugging code snippets:
With the IDB loader you can debug a code snippet directly by selecting it from the database.
The IDB loader does not care about the file format, be it an object file, executable file, system driver,
etc.
As long as the IDB contains x86 32-bit code, the IDB loader will be able to debug it.
Using this loader is in fact very simple, we just have to tell it what code to debug:
Current cursor position: position the cursor in the database and press F9 to start debugging
Selection: select the start and end of the range and press F9
ENTRY and EXIT labels: create these two labels and press F9. IDA will start executing at
« ENTRY » and stop when it reaches « EXIT »
In the screenshot below we see how we select code and are about to press F9 to start debugging it.
It is better to turn on the 'Stop on debugging start' option when using the IDB loader, so that the debugger
suspends automatically for you.
Debugging Win32 programs:
It is possible to use the Bochs debugger plugin / PE loader to debug MS Win32 programs, which can be
normal PE programs, DLLs and even system driver files.
The PE loader has many features, which are detailed in the help file and on the blog page
http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html
The PE loader is best used to debug packed malware.
For example, we will load the Mytob virus into IDA and then use the Bochs debugger / PE loader to
unpack this malware.
First we put a breakpoint at the start of the program:
Now we press F9 to start the process and break at the beginning:
Then we will use a feature of the Bochs PE loader that allows us to break just around the original
entry point. That way we do not have to trace all the way through the unpacking code.
While the process is suspended, open the modules window and select 'bochsys.dll'
Double clicking on it will show all its exports. We are interested in
'BxUndefinedApiCall'. So we simply select it, double click on it and put a breakpoint
there.
Now we press F9 again to let the malware run.
The first time this breakpoint is reached, we can step a bit and inspect the caller. There is a
high probability that the call came from the unpacked code, but that is not guaranteed (the packer
stub itself may call an API that is not emulated), so we verify it by stepping until we reach the caller.
As we see, tracing up to the caller led us to this code, which looks familiar and is actually the
startup code of many VC++ programs.
Let us go to that offset and see what we got:
It looks like we located the import function RVAs. Let us use the 'renimp.idc' script to give relevant
names to these offsets:
And finally let us go back to the OEP and see how it looks now:
That is it!
We got it unpacked; now we can delete unused segments, take a memory snapshot and get ready for
static analysis or even decompilation with the Hex-Rays decompiler.