IDA Pro can load one PE file into a database and analyze it. Some users assume this is the maximum. Let’s take a closer look at the situation…
Strictly speaking, this is true. The user interface allows you to load and analyze one file. There is the ‘load additional binary file’ command but it does not help much, especially if you are interested in loading formatted files, like Windows PE executables. Also IDA has only one ‘exports’ window, only one ‘imports’ window and many file attributes are stored as simple scalars (like the file size, initial stack pointer, etc). Imagine a situation when several DLLs refer to the same imported function – the function pointers in their .idata segments would need to have the same name but global names must be unique in the program. What will happen when you will ask to jump to an imported function, say, CreateFile – should IDA use the first function pointer in an .idata segment of the first DLL or the second pointer from the second .idata segment? Even nagivating in the disassembly would be more difficult – you would end up having several .text and .data segments, several copies of standard functions like printf(), memcpy(). There will be other problems as well but I think the above is enough to demonstrate that loading several files into a database has some problems which can be quite annoying.
However, if you are ready to live with these limitations and inconveniences, then you can create a database with several files in it. There are even several different methods if we talk about PE files.
A. The easiest method: load all referenced dlls at once.
Download the PE utilities by Atli Mar Gudmundsson. Unzip them to IDA\IDC subdirectory. With these scripts (fine IDC programming sample, by the way!), creating a database with all DLLs is a child’s play:
You wil get a database with the executable and all DLLs referenced statically in the database. The analysis is up to you now… 🙂
BTW, these scripts can do many other things, just open them in a text editor and take some time to explore them.
Next time we will talk about the second method.