
Thread: Extract Sequence of assembly codes during runtime ???

  1. #1

    Extract Sequence of assembly codes during runtime ???

    Dear Friends,

    Does anybody know how I can run a piece of malware and log its assembly instructions with IDA or any disassembler?

    For example, when I run an exe file, the log is: mov inc sub jnz .....

    Is there any way?

    Thank you.

  2. #2

    Olly Trace.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  3. #3

    As Above

    (NOTE: Run the Malware in a VM. Not in your production)

    1. Load malware in IDA.

    2. Get coffee while it disassembles

    3. Find the start (or select BREAK AT START from the debugger options), or place the cursor where you think the start is and press F4.

    4. Run the Debugger. It will break at start.

    5. Select Debugger -> Trace. Make sure you are tracing to a file. Keep the number of instructions to trace at 0. This will trace EVERYTHING (you can trace jumps, functions, stack, all code, etc... select your poison). Trace OVER API calls is a good idea.

    6. Run the app. It's a bit slow, so be patient.

    7. Exit the app.

    8. Open the HUGE XXXX MB text file. There you have it... the trace of all instructions PLUS all changed registers AND values for each instruction.

    Have Phun
    Blame Microsoft, get l337 !!
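The trace file from step 8 carries registers and values alongside every instruction, whereas the first post only wants the bare mnemonic sequence (mov inc sub jnz ...). The script below, added here as an example and not code from the thread or from IDA, reduces such a trace to that sequence plus a frequency count. It assumes the saved trace uses the Trace window's column layout (Thread, Address, Instruction, Result) separated by tabs; the sample lines are constructed, and the parser skips anything that does not fit.

```python
"""Reduce an IDA instruction trace to the bare mnemonic sequence."""
import re
from collections import Counter

# Constructed sample in the column layout of IDA's Trace window
# (Thread, Address, Instruction, Result). The exact on-disk format is
# an assumption here, so the parser tolerates extra or missing columns.
SAMPLE_TRACE = """\
Thread\tAddress\tInstruction\tResult
00000E90\t.text:start\tpush    ebp\tESP=0012FFC0
00000E90\t.text:start+1\tmov     ebp, esp\tEBP=0012FFC0
00000E90\t.text:start+3\tsub     esp, 10h\tESP=0012FFB0
00000E90\t.text:start+6\tinc     eax\tEAX=00000001
00000E90\t.text:start+7\tcmp     eax, 5
00000E90\t.text:start+A\tjnz     short loc_401010
00000E90\t.text:loc_401010\tcall    ds:GetTickCount\tEAX=00A1B2C3
"""

# The mnemonic is the first word of the Instruction column; rep/lock
# prefixes are skipped so "rep movsd" is recorded as "movsd".
_MNEMONIC = re.compile(r"^(?:(?:rep(?:n?[ez])?|lock)\s+)?([a-z][a-z0-9]*)", re.I)


def mnemonic_sequence(trace_text):
    """Return the executed mnemonics, in order, lower-cased."""
    seq = []
    for line in trace_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or cols[0].strip().lower() == "thread":
            continue  # header row or a line that is not a trace record
        match = _MNEMONIC.match(cols[2].strip())
        if match:
            seq.append(match.group(1).lower())
    return seq


def mnemonic_histogram(trace_text):
    """Count how often each mnemonic was executed in the trace."""
    return Counter(mnemonic_sequence(trace_text))


if __name__ == "__main__":
    print(" ".join(mnemonic_sequence(SAMPLE_TRACE)))
    for mnem, count in mnemonic_histogram(SAMPLE_TRACE).most_common():
        print(f"{mnem:8s}{count}")
```

Reading the real trace with `open(path).read()` instead of `SAMPLE_TRACE` gives the same two outputs for a full run, and the histogram is a quick way to spot a sample that is dominated by decryption or unpacking loops.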

  4. #4
    That works nicely, really thank you.

    Is there any way to automate this process?

    For example, I give it a folder of malware samples and IDA does this automatically and saves the instructions of the trace in a file?

    Really thank you

  5. #5

    As Above

    Heh!

    PM me, send me a zipped copy of your legal IDA PRO 6 and I'll tell you how to automate the process.

    Jokes apart, you can use command line parameters in IDA to do the same, or use IDC scripts (remember, since v5, IDC scripts work on debuggers ALSO) and finally, you can also build a plugin.

    Use an IDC script. It's nice.

    Have Phun
    Blame Microsoft, get l337 !!

  6. #6
    Thank you very much, I'll check it.
