The second method to create a database with several PE files.
B. Use the debugger and take the memory snapshot
The built-in debugger in IDA has many interesting features – even the standard stuff like breakpoints can be used creatively (will cover them in the future). Today we will use the ‘take memory snapshot’ command to create a big IDB file.
Suppose you have a database with the .exe file loaded into it.
The first thing to do is to launch the debugger and to suspend the application as soon as the DLLs interesting us are loaded into the memory. The application entry point is a good candidate to stop at: position the cursor on the entry point and press F4 (this is the hotkey for the Run to cursor command). The debugger will create a breakpoint at the cursor position, start the application and let it run until the breakpoint.
The second step is to use the “Debugger, Take memory snapshot” command and take the snapshot of all segments. Do not forget to save the database to the disk (Ctrl-W) since the “take memory snapshot” command does not save it.
The method B is better than the method A but it has the following drawbacks:
- the database contains too much information (segments like ntdll.dll, kernel32.dll are always the same) and its size is around several hundred megabytes.
- there are stealth techniques to bypass the application entry point (like thread local storage callbacks), therefore stopping at the entry point does not guarantee that the application will not run out of control.
We will address these issues the next time.