MindshaRE: IDAception

Posted by Aaron Portnoy

If you've ever tried collaborating with other people while reverse engineering a vulnerability, your process probably includes some tedious steps, like transferring:

Your IDB
Your notes/readme files
Virtual machines
Proof of concept files
IDAPython scripts
PCAPs
...

After doing this several hundred times, we came up with a little solution we thought you might all find useful.

We leverage the structures within an executable and IDA's support for interacting with them in order to create a pseudo-filesystem within IDA. The idea is that there is a lot of address space within any given module in IDA. For example, in this screenshot from USP10.dll we can see there are 7 segments defined:

The lowest defined address within a segment is 0x7638000 and the highest is 0x76408000. That means there is free room from 0x0 through 0x7638000 (0x7638000 bytes) and from 0x76408000 to 0xFFFFFFFF (0x89bf7fff bytes) for a total of 0x9122ffff bytes. That's over 2GB, plenty of room to store some data of our own...

So, the idea is to make a new segment (or multiple) to contain arbitrary data of ours. To do this intelligently, we need some way of organizing it so that we can easily rename, resize, move, extract, and insert data. Sounds like we need a filesystem...but, we're lazy (efficient, I mean) and so we can leverage existing code to do this for us (and (continue reading...)
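The gap arithmetic above is one instance of a general step: walk the module's segment table, find every address range no segment covers, and pick an aligned slot large enough for the data you want to stash. The following script is an added example and is not code from the DVLabs post or from Aaron Portnoy. It runs offline on a constructed segment list whose outer bounds are the two addresses quoted above for USP10.dll, and it counts the top gap the same way the post does (0xFFFFFFFF minus the highest segment end), so the total comes out to the post's 0x9122ffff. Inside IDA it reads the real segment table; the names `idautils.Segments()`, `idc.get_segm_start()`, `idc.get_segm_end()` and `idaapi.add_segm()` are assumed IDA 7+ IDAPython/SDK names, and the sample segments are invented placeholders.

```python
# Added example, not code from the DVLabs post: compute the address ranges
# that no segment of a module occupies and pick a slot for a new data
# segment.  Works offline on a constructed segment list; inside IDA it can
# read the real segment table (API names below are assumed IDA 7+ IDAPython).

from typing import List, Optional, Tuple

Range = Tuple[int, int]  # (start, end) with end exclusive

# Constructed sample: three made-up segments whose outer bounds are the
# lowest/highest addresses quoted in the post for USP10.dll.
SAMPLE_SEGMENTS: List[Range] = [
    (0x7638000, 0x7639000),
    (0x7639000, 0x7640000),
    (0x7640000, 0x76408000),
]

# The post measures the top gap as 0xFFFFFFFF - <highest segment end>, so
# the default upper bound is 0xFFFFFFFF treated as an exclusive end.
SPACE_END_32 = 0xFFFFFFFF


def free_ranges(segments: List[Range], space_start: int = 0,
                space_end: int = SPACE_END_32) -> List[Range]:
    """Return the gaps not covered by any segment, ascending, end exclusive.

    Segments are walked in address order with a running cursor, so
    overlapping or adjacent segments are merged and no gap is ever
    reported inside an existing segment."""
    gaps: List[Range] = []
    cursor = space_start
    for start, end in sorted(segments):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < space_end:
        gaps.append((cursor, space_end))
    return gaps


def total_free(gaps: List[Range]) -> int:
    """Number of free bytes across all gaps."""
    return sum(end - start for start, end in gaps)


def choose_segment(gaps: List[Range], size: int, align: int = 0x1000,
                   min_start: int = 0) -> Optional[Range]:
    """First-fit placement: the lowest gap that can hold `size` bytes at an
    `align`-aligned start not below `min_start`.  Returns (start, end) for
    the new segment, or None if nothing fits."""
    for gap_start, gap_end in gaps:
        start = (max(gap_start, min_start) + align - 1) & ~(align - 1)
        if start + size <= gap_end:
            return (start, start + size)
    return None


def segments_from_ida() -> Optional[List[Range]]:
    """Collect (start, end) of every segment in the open IDB.

    Assumes the IDA 7+ IDAPython names idautils.Segments(),
    idc.get_segm_start() and idc.get_segm_end(); returns None outside IDA."""
    try:
        import idautils  # only importable inside IDA
        import idc
    except ImportError:
        return None
    return [(idc.get_segm_start(ea), idc.get_segm_end(ea))
            for ea in idautils.Segments()]


def describe(segments: List[Range], space_end: int = SPACE_END_32) -> str:
    """Human-readable summary of the free ranges and their total."""
    gaps = free_ranges(segments, space_end=space_end)
    lines = [f"free 0x{s:x}-0x{e:x} (0x{e - s:x} bytes)" for s, e in gaps]
    lines.append(f"total free: 0x{total_free(gaps):x} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    segs = segments_from_ida() or SAMPLE_SEGMENTS
    print(describe(segs))
    slot = choose_segment(free_ranges(segs), size=0x100000, min_start=0x10000)
    print("new segment would occupy:", slot)
    # Inside IDA the segment itself would then be created with the SDK's
    # idaapi.add_segm(0, start, end, "ourdata", "DATA") (assumed signature).
```

Run it as a plain script and it reports the two outer gaps from the constructed sample and their 0x9122ffff total; run it from IDA's script window and the same functions operate on the open IDB's segments. The `min_start` parameter exists so the first-fit search can be told to skip the very low pages even though they are technically free.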

Source: DVLabs: Blogs


Copyright © 2012 The Security Blog. All rights reserved.