
Analyzing binary taken from memory dump in IDA Pro


I'm having problems with analyzing a simple binary in IDA Pro.

When running a program, I dumped part of its memory (for example, an unpacked code section) to a file using WinDbg.

I would like to analyze it in IDA, but when I simply load the file as a binary, IDA only shows its raw data.

Of course the binary is not a full PE file, so I'm not expecting a deep analysis, just a nicer way to read the disassembly.

So the question is: how can I make IDA disassemble the binary?

Thanks! :)


Solution

  • select an appropriate address and press C (that is, MakeCode(ea)); IDA will convert the raw bytes at that address to code and disassemble them. Because the dump is loaded at address 0 rather than at its original virtual address, relative targets such as the `call` at offset 7 resolve to meaningless values (0FFFF6DE4h in the listing below); set the loading offset to the region's original base when loading, or rebase the segment afterwards, if you want call and jump targets to make sense.

    pasted below is a simple automation with an IDC script, but IDA's automation is, in my opinion, subpar, so you should stick with pressing C manually in the user interface

    :dir /b
    foo.dmp
    foo.idc    
    :xxd foo.dmp
    0000000: 6a10 6830 b780 7ce8 d86d ffff 8365 fc00  j.h0..|..m...e..
    0000010: 64a1 1800 0000 8945 e081 7810 001e 0000  d......E..x.....
    0000020: 750f 803d 0850 887c 0075 06ff 15f8 1280  u..=.P.|.u......
    0000030: 7cff 750c ff55 0850 e8c9 0900 00         |.u..U.P.....    
    :type foo.idc
    #include <idc.idc>
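    static main (void) {
            // Walk the loaded region instruction by instruction, turning raw
            // bytes into code. MakeCode returns the instruction length, or 0
            // when the bytes at that address cannot be decoded; the loop stops
            // at the first undecodable byte rather than skipping over it.
            auto len, ea, fhand;
            len = -1;
            ea = MinEA();
            // Region bounds come from the database instead of a hard-coded
            // 0x3d, so the same script works for dumps of any size.
            while (ea < MaxEA() && len != 0) {
                    len = MakeCode(ea);
                    ea = ea + len;
            }
            // Let the auto-analysis queued by MakeCode finish before the
            // listing is written, so foo.asm reflects the completed analysis.
            Wait();
            fhand = fopen("foo.asm", "wb");
            // OFILE_LST: assembler listing; 0x1F: listing generation flags
            // kept as in the original script.
            GenerateFile(OFILE_LST, fhand, MinEA(), MaxEA(), 0x1F);
            fclose(fhand);
            Exit(0);
    }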
    :f:\IDA_FRE_5\idag.exe -c -B -S.\foo.idc  foo.dmp
    
    :head -n 30 foo.asm | tail
    seg000:00000000 ; Segment type: Pure code
    seg000:00000000 seg000          segment byte public 'CODE' use32
    seg000:00000000                 assume cs:seg000
    seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
    seg000:00000000                 push    10h
    seg000:00000002                 push    7C80B730h
    seg000:00000007                 call    near ptr 0FFFF6DE4h
    seg000:0000000C                 and     dword ptr [ebp-4], 0
    

    With WinDbg you can get the disassembly straight from the command line like this:

    :cdb -c ".dvalloc /b 60000000 2000;.readmem foo.dmp 60001000 l?0n61;u 60001000 60001040;q" calc

    0:000> cdb: Reading initial command '.dvalloc /b 60000000 2000;.readmem foo.dmp 60001000 l?0n61;u 60001000 60001040;q'
    Allocated 2000 bytes starting at 60000000
    Reading 3d bytes.
    60001000 6a10            push    10h
    60001002 6830b7807c      push    offset kernel32!`string'+0x88 (7c80b730)
    60001007 e8d86dffff      call    5fff7de4
    6000100c 8365fc00        and     dword ptr [ebp-4],0
    60001010 64a118000000    mov     eax,dword ptr fs:[00000018h]
    60001016 8945e0          mov     dword ptr [ebp-20h],eax
    60001019 817810001e0000  cmp     dword ptr [eax+10h],1E00h
    60001020 750f            jne     60001031
    60001022 803d0850887c00  cmp     byte ptr [kernel32!BaseRunningInServerProcess (7c885008)],0
    60001029 7506            jne     60001031
    6000102b ff15f812807c    call    dword ptr [kernel32!_imp__CsrNewThread (7c8012f8)]
    60001031 ff750c          push    dword ptr [ebp+0Ch]
    60001034 ff5508          call    dword ptr [ebp+8]
    60001037 50              push    eax
    60001038 e8c9090000      call    60001a06
    6000103d 0000            add     byte ptr [eax],al
    6000103f 0000            add     byte ptr [eax],al
    quit:
    

    In OllyDbg 1.10: View → File → (mask: any file) → foo.dmp → right-click → Disassemble