Debugging Windows Applications with IDA Bochs Plugin
Copyright 2009 Hex-Rays SA
Quick overview:

In IDA 5.4, we implemented an interface, using the open source x86 emulator Bochs, that lets IDA debug malware and chunks of code in a safe, emulated environment. To get started, you need to install a supported Bochs version (v2.3.7 at the time of writing) from http://bochs.sourceforge.net/. After installing it, choose « Switch Debugger » and select the Bochs debugger. There is not much to configure for a quick start: IDA can automatically detect where Bochs is installed, and if detection fails you can always reconfigure it under Debugger Setup / Specific Debugger options.

In the « Debugger specific options » screen we configure the Bochs plugin:

BOCHSDBG: the path to the bochsdbg.exe executable. IDA tries to guess it by looking at the BXSHARE environment variable and by checking the system registry for Bochs keys.

BOCHSRC: the path to the Bochs configuration file template. It contains special variables prefixed with '$'. These variables must not be modified or removed by the user; they are filled in automatically by the plugin. Other entries can be modified as needed.

Loader type: the user can choose between the Disk Image, IDB and PE loaders.

Delete image files upon session end: if enabled, IDA automatically deletes the Bochs disk images used for the debugging session (this option only applies to the IDB and PE loaders). If the IDB loader finds a previously created image, it verifies that it corresponds to the database and uses it as is, so unchecking this option for the IDB loader speeds up launching the debugger.

Finally there are two buttons used to configure the IDB and PE loaders specifically.

There are 3 types of loaders, each used for a specific goal:

Disk image loader: point to a prepared disk image and debug it.
IDB loader: debug the contents of the database.
PE loader: debug MS Windows PE files.

Debugging a Bochs disk image:

With the disk image loader it is possible to debug any Bochs disk image.
In this example, we will show you how to set up the IDA Bochs plugin to debug a disk image of your choice. First we need the following files:

filename.bochsrc: this file contains the Bochs configuration, such as the disk image file name, cdrom config, network card, bios file, etc.
diskimage.bin: this is the actual disk image file containing the operating system.

Now let us test whether our configuration works properly, so we run:

« bochs.exe -f filename.bochsrc »

If everything is okay then Bochs should start emulating the operating system in question. Now let us debug the image in IDA:

Create an empty database: we could disassemble any file for that.
Select the Bochs / Disk image loader.
In Debugger / Process options, make sure that the application and input file fields have the same value. For example, since we chose « myos.bin » as input file, the plugin requires that the Bochs configuration file and the Bochs disk image file be renamed to « myos.bochsrc » and « myos.bochsimg » respectively.
Do not forget to edit your bochsrc file and update the disk image file name, for example:

« ata0-master: type=disk, mode=flat, path="myos.bochsimg", ... »

That's it. Now we can simply press F9 and start the debugger. In this screenshot we can see the IDA Bochs / Disk image loader debugging MS Windows XP. We can send commands using the command line interface in IDA: press « . » (dot) and then type the desired command. For example, we can send the Bochs debugger the « info idt » command:

Debugging code snippets:

With the IDB loader you can debug a code snippet directly by selecting it from the database. The IDB loader does not care about the file format, be it an object file, an executable file, a system driver, etc. As long as the IDB contains x86/32-bit code, the IDB loader will be able to debug it.
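The disk image setup described above (rename the bochsrc and the image after IDA's input file, repoint the ata0-master line, smoke-test with « bochs -f »), together with the rule from the overview that the '$'-prefixed placeholders in the BOCHSRC template must stay untouched, as an added Python example. This is not code from the Hex-Rays page or from the plugin; the placeholder names in the sample template ($IMAGE, $LOGFILE) and the sample bochsrc lines are constructed for illustration and may differ from the plugin's real template.

```python
"""Prepare the files the IDA Bochs disk image loader expects (added example)."""
import os
import re
import shutil
import subprocess

# Device line such as:  ata0-master: type=disk, mode=flat, path="disk.img", cylinders=...
_ATA_LINE = re.compile(r'^(?P<key>ata\d-(?:master|slave))\s*:')
# path="quoted value"  or  path=bare_value  (a bare value ends at a comma or whitespace)
_PATH_OPT = re.compile(r'\bpath\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,\s]+))')
_PLACEHOLDER = re.compile(r'\$[A-Za-z_]\w*')


def session_names(input_file):
    """Names the plugin requires next to IDA's input file (myos.bin -> myos.bochsrc, myos.bochsimg)."""
    base = os.path.splitext(os.path.basename(input_file))[0]
    return base + ".bochsrc", base + ".bochsimg"


def _path_value(match):
    return match.group("quoted") if match.group("quoted") is not None else match.group("bare")


def disk_image_path(bochsrc_text, key="ata0-master"):
    """Return the path= value of the given ATA device line, or None if the line/option is absent."""
    for line in bochsrc_text.splitlines():
        m = _ATA_LINE.match(line.lstrip())
        if m and m.group("key") == key:
            pm = _PATH_OPT.search(line)
            return _path_value(pm) if pm else None
    return None


def rewrite_disk_path(bochsrc_text, new_image, key="ata0-master"):
    """Point the device line's path= option at new_image; return (new_text, old_path).

    Raises ValueError when the device line or its path= option is missing, so a
    half-configured bochsrc is reported instead of Bochs booting from nothing.
    """
    out, old_path = [], None
    for line in bochsrc_text.splitlines():
        m = _ATA_LINE.match(line.lstrip())
        if m and m.group("key") == key:
            pm = _PATH_OPT.search(line)
            if pm is None:
                raise ValueError("%s line has no path= option: %r" % (key, line))
            old_path = _path_value(pm)
            line = line[:pm.start()] + 'path="%s"' % new_image + line[pm.end():]
        out.append(line)
    if old_path is None:
        raise ValueError("no %s line in bochsrc" % key)
    return "\n".join(out) + "\n", old_path


def missing_placeholder_lines(template_text, edited_text):
    """Template lines carrying a $placeholder that no longer appear verbatim in the edited copy."""
    edited = set(l.strip() for l in edited_text.splitlines())
    return [l for l in template_text.splitlines()
            if _PLACEHOLDER.search(l) and l.strip() not in edited]


def prepare_session(input_file, bochsrc_src, image_src, bochs_exe=None):
    """Copy the image and bochsrc next to input_file under the required names and fix the path.

    With bochs_exe set, the new bochsrc is run once as "bochs -f <rc>" so you can
    confirm the image boots before pointing IDA at it (the manual test above).
    """
    rc_name, img_name = session_names(input_file)
    workdir = os.path.dirname(os.path.abspath(input_file))
    rc_dst, img_dst = os.path.join(workdir, rc_name), os.path.join(workdir, img_name)
    shutil.copyfile(image_src, img_dst)
    with open(bochsrc_src) as f:
        text, old_path = rewrite_disk_path(f.read(), img_name)
    with open(rc_dst, "w") as f:
        f.write(text)
    if bochs_exe:
        subprocess.run([bochs_exe, "-f", rc_dst], cwd=workdir, check=False)
    return rc_dst, img_dst, old_path


# Constructed sample inputs for a stand-alone run (not files from the page).
SAMPLE_BOCHSRC = """\
megs: 32
romimage: file=BIOS-bochs-latest
ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14
ata0-master: type=disk, mode=flat, path="diskimage.bin", cylinders=203, heads=16, spt=63
boot: disk
"""
# Hypothetical template: the $IMAGE / $LOGFILE placeholder names are assumptions.
SAMPLE_TEMPLATE = 'megs: 32\nata0-master: type=disk, mode=flat, path="$IMAGE"\nlog: $LOGFILE\n'

if __name__ == "__main__":
    rc_name, img_name = session_names("myos.bin")
    new_text, old = rewrite_disk_path(SAMPLE_BOCHSRC, img_name)
    print("bochsrc -> %s, image %s -> %s" % (rc_name, old, disk_image_path(new_text)))
    print("changed placeholders:",
          missing_placeholder_lines(SAMPLE_TEMPLATE, SAMPLE_TEMPLATE.replace("$LOGFILE", "bochs.log")))
```

rewrite_disk_path only edits the path= option and leaves the geometry (cylinders/heads/spt) alone, since those must still describe the image; missing_placeholder_lines is meant to be run against the plugin's shipped BOCHSRC template before you hand an edited copy to IDA.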
Using this loader is in fact very simple: we just have to tell it what code to debug, in one of three ways:

Current cursor position: position the cursor in the database and press F9 to start debugging.
Selection: select the start and end of the range and press F9.
ENTRY and EXIT labels: create these two labels and press F9. IDA will start executing at « ENTRY » and stop when it reaches « EXIT ».

In the screenshot below we see how we select code and are about to press F9 to start debugging it. It is better to turn on the "Stop on debugging start" option when using the IDB loader, so that the debugger suspends automatically for you.

Debugging Win32 programs:

It is possible to use the Bochs debugger plugin / PE loader to debug MS Win32 programs, which can be normal PE programs, DLLs and even system driver files. The PE loader has many features, which are detailed in the help file and on the blog page http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html

The PE loader is best used to debug packed malware, since the sample runs inside the emulator rather than on the host. For example, we will load the Mytob virus into IDA and then use the Bochs debugger / PE loader to unpack this malware. First we put a breakpoint at the start of the program:

Now we press F9 to start the process and break at the beginning:

Then we will use a feature of the Bochs PE loader that allows us to break just around the original entry point, so that we do not have to trace all the way through the unpacking code. While the process is suspended, open the modules window and select "bochsys.dll". Double clicking on it will show all its exports. We are interested in "BxUndefinedApiCall", so we select it, double click on it and put a breakpoint there. Now we press F9 again to let the malware run. The first time this breakpoint is reached, we can step a bit and inspect the caller: there is a high probability that the call came from the unpacked code.
Anyway, let us verify that by stepping until we reach the caller. As we see, tracing up to the caller led us to code which looks familiar: it is actually the startup code of many VC++ programs. Let us go to that offset and see what we got:

It looks like we located the RVAs of the import functions. Let us use the "renimp.idc" script to give relevant names to these offsets:

And finally let us go back to the OEP and see how it looks now:

That is it! We got it unpacked. Now we can delete unused segments, take a memory snapshot and get ready for static analysis, or even decompilation with the Hex-Rays decompiler.