funcap: quick capture of runtime debugger info to boost static analysis

Release date: 16/12/2012

This is about a small script I have created for IDAPython. I do a lot of malware analysis on a daily basis and this number still increases. For some time I've been thinking on how to improve the speed of the analaysis. Most of the time the quick behavioral analysis is fine. But sometimes I need to have a look at the code, for example if I can't make the sample connect to its C&C server or if I want to quickly figure out what it does. To make things even faster I usually help myself with the debugger (OllyDbg with some scripts in most cases, sometimes WinDbg). And this is the moment when things often go very slow - it is difficult to move all the discoveries made in Olly back to IDA. Oh, how I could speed up my quick analysis if I could run a new sample under IDA's own debugger and just paste some runtime values detected around function calls and some other places ... I imagined it more less like PaiMei Stalker tool in "export to IDA" functionality.

This little IDAPython script might help you with this task. It just dumps register states and function arguments (it determines its number based on IDA's function call stack analysis) and inserts it in the top of each function as comments (just like on attached screenshots). Only a dump from the first pass is inserted but next passes are logged in the file, just in case. The script can also draw a graph of calls based on stack content (in contrary to IDA's trace graph which does it based on static analysis). Something that was really usefull to me during an analysis where I had to deal with a lots of indirect fucntion calls (the likes of CALL DWORD PTR). There is no GUI interface but you can easily call each functionality from the Python shell, the most usefull are d.graph() to show the graph, d.on() to enable script, to disable script, d.addAllBreakpoints() to enable breakpoint on each function IDA knows about. All other options are described in the code (docstrings and comments). It is recommended to use d.addAllBreakpoints() when starting analysis of a new sample - it will boost your static analysis a lot! - and then you can use manually placed breakpoints on interesting parts of the code. Breakpoints can be placed anywhere - if the script stops on breakpoint that does not start the function in IDA, it will only capture registers but not arguments (understandable). What makes it better to PaiMei IDA export ? It can handle win32, amd64, and ARM kernel and user mode architectures thanks to IDA supporting these platforms, whereas Olly and PaiMei only work with win32 user mode.

The code makes use of PaiMei and also some MyNav sources and is released under the terms of GPLv2.

My best use case for this stuff ? For a lot of samples I can see a cleartext data (for example, a computer name or user name or file names etc.) that are then being encrypted/obfuscated and sent over the wire. Afterwards, I can trace and backtrace what is going on with this data. Static analysis alone would require a lot of time to find the encryption/decryption function and then even more to figure out what is being thrown into it. With the script - I can have this faster. The tool can be downloaded here. Below you can find some screenshots which might also give you a rough idea on how it works:

x86 win32

x86 win32 graph window


Android on ARM