Our flagship product IDA Pro is a popular yet sophisticated piece of software. We are often asked, what exactly is IDA used for? It's a fair question, and it's not so easy to answer. IDA has a very broad range of complex use cases that can't be summarized with a catchy one-liner.
So rather than come up with a sales pitch to describe IDA, we decided to let our users do the talking. Below are samples from various security experts, malware analysts, and software engineers who used IDA to solve a critical problem in their workflow, and decided to publish their results. We collected a variety of links to such publications and grouped them into various subdivisions of the software industry. Hopefully this makes it easy to see exactly how IDA is applied toward real-world solutions in the field.
Digital Forensics
Challenge
Digital forensic investigations occur when a system is compromised by malicious software. In the event of a software-based attack, companies usually dispatch specialized Computer Emergency Response Teams (CERTs) to eliminate the threat, assess the extent of the damage, and understand how the attack was implemented in order to prevent similar incidents in the future. Such teams must collect digital evidence from computers, mobile devices, network appliances, and even distributed systems. Thus, they must be able to work with a large variety of binary code formats. In many cases the code is obfuscated with the goal of making the investigation harder and more time consuming. Forensic investigators need precise and versatile tools to help them with these tasks.
Approach
IDA Pro can analyze binary code collected during a forensic investigation. It can handle virtually any code that runs on modern processors, and its functionality can be extended with custom scripts and plugins. This makes it especially useful when analyzing heavily obfuscated code. IDA has been relentlessly battle-tested in the field against real-world malware, which has made it the tool of choice for many CERT organizations.
- U.S. government CERT agencies (including CISA, FBI, and DoD) used IDA Pro to analyze a malware variant deployed by Chinese government cyber actors:
  - Malware Analysis Report (AR20-216A) Chinese Remote Access Trojan: TAIDOOR
- IDA was used extensively in the fallout of the SolarWinds hacks that compromised many U.S. organizations:
  - CISA's analysis of the TEARDROP loader (see screenshots)
  - Microsoft's analysis of NOBELIUM malware strains
  - Microsoft's discovery of the SolarWinds Serv-U SSH vulnerability
  - FireEye's report on the SUNSHUTTLE backdoor
- Novetta relied on IDA's decompiler during its investigation into cyber attacks against Sony Pictures:
  - Operation Blockbuster: Unraveling the Long Thread of the Sony Attack
- QI-ANXIN used IDA in its response to a cluster of malware incidents in South Korea:
  - Operation OnionDog: Disclosing Targeted Attacks on Government and Industry Sectors in Korea
- Check Point Research used IDA to uncover a malware campaign that arose during the Russia/Ukraine war:
  - Twisted Panda: Chinese APT espionage operation against Russia's state-owned defense institutes
- Sophos used IDA in its response to a coordinated attack that exploited an SQL injection vulnerability:
  - "Asnarök" Trojan targets firewalls
- ESET frequently uses IDA to reverse-engineer malware samples discovered in the wild:
  - Deobfuscating a Stantinko cryptominer that targeted Russia and Ukraine
  - Analysis of DePriMon: a malicious downloader that infected networks in the Middle East
  - Discovery of Vyveva: a backdoor deployed against a freight logistics firm in South Africa
- JPCERT/CC uses IDA in its ongoing analysis of Lazarus malware targeting Japanese organizations:
  - Malware Used by Lazarus after Network Intrusion
  - Operation Dream Job by Lazarus
  - Lazarus Attack Activities Targeting Japan
- CERT Polska is using IDA to deobfuscate some especially pervasive malware loaders:
  - Analysis of Emotet: A widespread and havoc-wreaking malware family
  - Keeping an eye on CloudEyE (GuLoader)
  - Dissecting Smoke Loader
- Kaspersky Lab's forensic analysis of Slingshot, a previously unknown cyber-espionage platform:
  - The Slingshot APT
- Security organizations often publish their custom IDA plugins so they can be used by others in the industry:
  - ComIDA: Developed by Airbus-CERT to analyze malware that uses Windows COM
  - FLARE IDA Pro Script Series: MSDN Annotations Plugin for Malware Analysis
  - Pharos: Binary static analysis tools by Carnegie Mellon University
  - D810: An extensible deobfuscation plugin for IDA Pro by eShard
  - Stadeo: Malware deobfuscation tools by ESET
  - VT-IDA: The official VirusTotal plugin for IDA Pro
Penetration Testing
Challenge
There is a strong incentive for software developers to attack their own software for the purpose of hardening security. The general philosophy is that it is better to proactively find security flaws yourself, before someone else does and uses them maliciously against your clients. Security audits can be performed by specialized teams within a company or by third-party consultants, but they almost always require the precision of a tool like IDA.
Approach
It is possible to use IDA more offensively to detect exploitable vulnerabilities in mission-critical software. Usually this involves identifying the logic that is responsible for processing user input, then aggressively analyzing it for logical errors. Oftentimes it can be easier to spot such errors when decompiling the software from the raw machine code, because it is free of any bias or assumptions made by a lazy programmer when writing the original source code. Security auditors know what kinds of bugs to look for, and such bugs can be extremely harmful.
- Lexfo used IDA to discover a bug in an IBM Banking Server. The bug could be exploited to give the attacker remote access to a machine responsible for managing electronic bank transactions:
  - Pentesting a banking FTP service
- Chris Valasek and Charlie Miller used IDA to reverse engineer the firmware in a self-driving Jeep and found vulnerabilities that allowed them to take control of the car remotely:
  - Whitepaper discussing the firmware analysis in IDA
  - Their talk at DEF CON 23
  - WIRED did a story on it
- DBAPPSecurity used IDA to discover a flaw in the Windows 10 kernel that is being used to attack Windows users in China:
  - Windows Kernel Zero-Day Exploit Is Used By BITTER APT In Targeted Attack
- White hat hackers at Google Project Zero publish their excellent work on vulnerability research, and they rely on IDA for many critical tasks. Here are a few of their writeups that feature IDA:
  - An iOS zero-click radio proximity exploit odyssey
  - MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface
  - The Fully Remote Attack Surface of the iPhone
  - How to unc0ver a 0-day in 4 hours or less
  - Bypassing Mitigations by Attacking JIT Server in Microsoft Edge
- RET2 Systems develops very robust IDA plugins for their day-to-day vulnerability hunting:
  - Tenet: A Trace Explorer for Reverse Engineers
  - Lighthouse: A Code Coverage Explorer for Reverse Engineers
  - Lucid: An Interactive Hex-Rays Microcode Explorer
  - Extending the Hex-Rays Decompiler to Support Intel AVX Instructions
- Modern web applications are incredibly complex pieces of software with a large set of features and, consequently, a huge attack surface. IDA is used by security professionals to scan for bugs and strengthen both client and server components:
  - Browser Exploitation on Windows - Understanding Use-After-Free Vulnerabilities
  - Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities
  - Finding & fixing vulnerabilities in "web assembly" virtual machines implemented in various web browsers
  - Adding support for the "web assembly" binary format to IDA
  - Security audit of a web-based voting system in Estonia
  - A deep dive in Adobe's ActionScript3 virtual machine
- Finding a security flaw is still only half of the story. Surprisingly often the fix turns out to be insufficient or outright defective, so it is necessary to audit security patches when they are released. Powerful binary diffing tools like BinDiff and Diaphora are built around IDA's core analysis engine, and can greatly simplify this task:
  - CVE-2018-8653: IE Scripting Flaw Still a Threat to Unpatched Systems
  - CVE-2019-1458: Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
  - CVE-2019-3568: The NSO WhatsApp Vulnerability - This is How It Happened
  - CVE-2019-7286: Analysis and Reproduction of iOS/OSX Vulnerability
  - CVE-2019-7287: Is CVE-2019-7287 hidden in ProvInfoIOKitUserClient?
  - CVE-2020-27950: iOS 1-day hunting: uncovering and exploiting CVE-2020-27950 kernel memory leak
  - CVE-2020-0796: A touch on CVE-2020-0796
  - MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis
Intellectual Property
Challenge
Intellectual property is an essential asset of many companies. While intangible, quite often it represents the most significant property of a company. Intellectual property may be in many forms, including copyrights, patents, trademarks, and trade secrets. Any infringement or violation of IP rights is a severe threat to the very existence of many companies. For software IP, the task of finding and proving such violations represents a challenge. Our society needs not only manual but also automatic tools for this task.
Approach
IDA Pro perfectly fits the task because it can be used as a foundation to develop an automatic system to find copyright infringements, IP theft, and patent violations. Manual inspection remains available too.
- An IDA plugin by Check Point Research can identify open-source software in closed-source binaries:
  - Karta - Matching Open Sources in Binaries
- KAIST devised a way to implement Binary Code Similarity Analysis with IDA Pro:
  - Revisiting Binary Code Similarity Analysis using Interpretable Feature Engineering
- Software Litigation Consulting explains how reverse engineering can help with patent violation detection:
  - Hiding in Plain Sight: Using Reverse Engineering to Uncover Software Patent Infringement
  - Open to Inspection: Using Reverse Engineering to Uncover Software Prior Art, Part 2
- Researchers at the University of Toronto use IDA to automatically match binaries with their source code:
  - BinPro: A Tool for Binary Source Code Provenance
- Reverse engineering can be used not only to protect IP but also to attack copy protection schemes. Such attacks mean that the existing methods are not perfect and need improvements. This article talks about Sentinel dongles:
  - Removing Sentinel SuperPro Dongle From Applications
- A similar situation with the HASP encryption scheme:
  - Defend against Reverse Engineering
Dynamic Analysis and Debugging
Challenge
Disassembling a computer program can reveal a great deal about its behavior, but there are many ways to limit the usefulness of the raw disassembly. Malware authors actively try to make their executable files appear harmless when being analyzed, then behave much differently when actually executing. Even well-engineered, non-malicious programs can malfunction at runtime due to unforeseen circumstances. Analysts and engineers depend on tools that allow them to observe the code while it is running. Oftentimes this is the only way to understand and fix the problem.
Approach
IDA Pro can debug applications on all major desktop platforms (Windows, Linux, Mac), mobile platforms (iPhone, Android), and emulators (QEMU, Bochs). Our debuggers can even handle lesser-known embedded systems based on MIPS or other processors. IDA Pro comes with ten different debuggers out of the box. Naturally, they are all configurable, programmable, and extensible.
- Google Project Zero used IDA's XNU Kernel Debugger to track down vulnerabilities in iOS:
  - KTRW: The journey to build a debuggable iPhone
  - A short video showing the debugger in action
  - Ultimately this led to the detection of the oob_timestamp vulnerability in iOS (CVE-2020-3837)
- IDA's debuggers are often needed to understand sophisticated malware samples found in the wild:
  - FireEye using IDA's WinDbg Debugger to deobfuscate a live malware sample
  - FireEye using IDA's Bochs Debugger to unpack malware via emulation
  - OALabs using IDA's Remote Windows Debugger to defeat an anti-VM and anti-debug malware packer
  - Check Point Research describes how to properly sandbox malware debugging sessions in IDA
  - Sogeti identified a Babuk ransomware variant by detecting strings in IDA debugger memory
- IDA's GDB debugger can interface with an array of third-party debug probes and emulators, making it particularly useful for debugging embedded firmware. IDA can help discover bugs before the firmware is released into production, or debug issues in the field when standard development tools, debug builds, and debug symbols are not available:
  - Using IDA with the SEGGER J-Link
  - Debugging TriCore code in IDA using the Lauterbach TRACE32 simulator
  - Debugging ARM code snippets in IDA using the QEMU emulator
  - Extending IDA processor modules for GDB debugging
- Mobile platforms are notorious for being "walled gardens". IDA's remote iOS and Android debuggers can help understand OS internals:
  - Using IDA's iOS Debugger to reverse-engineer the iOS Instruments server
  - Using IDA's Android Debugger to identify a vulnerability in WhatsApp
  - Dynamically Debugging Native Layer Android Programs
  - Using IDA Pro to dynamically debug Dalvik instructions
- Like most other parts of IDA, the debuggers can be extended with custom functionality. Here are some powerful IDA debugger plugins developed by the infosec community:
  - DIE: Uses the IDA Debugger API to enrich static analysis with dynamic data
  - funcap: Annotates function calls with arguments and return values collected at runtime
  - HeapViewer: IDA Pro plugin to examine the heap, focused on exploit development
  - deREferencing: Enriches IDA's register and stack views with dereferenced pointers
  - IDA Stealth: Hides the IDA debugger from most common anti-debugging techniques
  - Labeless: Implements seamless integration between IDA and third-party debuggers
  - QilingIDA: Uses IDAPython to interface with a new third-party emulator
- C++ code with virtual functions is a challenge to analyze statically. IDA's debugger can make life easier:
  - Using IDA Pro debugger to analyze C++ vtables
Automotive Security
Challenge
Modern vehicles are rolling software ecosystems. They are now more reliant on firmware running on microcontrollers instead of pure hardware like in the past. Cars can now contain over 70 electronic control units (ECUs), each of them having their own dedicated firmware. ECUs can be responsible for the engine, driving control, infotainment, navigation, and tracking systems - some of which may be connected to a cellular network. All this code has potential bugs, vulnerabilities, or hidden/unwanted functionality. So the notion of a "Smart Car" is a nice idea, but to some individuals "Smart" just means "Hackable". The automotive industry must have visibility over the software that drives its vehicles (literally), despite its growing complexity. Overlooked flaws can have severe consequences.
Approach
IDA can serve as an entry point into a modern vehicle's logical infrastructure. In many cases the original ECU firmware can be reverse-engineered, for example to determine how sensors are being read or how the engine is controlled. IDA is the best tool for this task since it supports all the major processor families used in ECUs. IDA makes it possible to build a gradual understanding of the firmware behavior even without complete documentation, source code, or debug symbols.
- IDA is frequently used for auditing vehicle firmware. Such investigations can produce very interesting results:
  - Researchers used IDA to confirm Volkswagen's cheating in emission control tests (a.k.a. "Dieselgate")
  - Dieselgate - A year later
  - Security Audit of the Mercedes-Benz MBUX by Tencent Security
  - Reverse engineering the Tesla firmware update process
  - A Security Analysis of an In-Vehicle Infotainment and App Platform
- There is a big demand in the gray or black market for bypassing security measures employed by car manufacturers to prevent unauthorized modifications to the vehicle firmware. IDA can be used to analyze the security mechanisms employed by the firmware and discover ways to bypass them before malicious outside parties do:
  - Criminals find the key to car immobilisers
  - Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer
  - Remote Exploitation of an Unaltered Passenger Vehicle
  - On Vehicular Security for RKE and Cryptographic Algorithms: A Survey
- There is a non-negligible demand for after-market car modifications. For example, customers may want to improve engine performance or add manual controls in certain driving situations. This can be done either by modifying the standard manufacturer's ECU firmware or by adding a completely custom ECU:
  - Reverse engineering a SuperH-based ECU with IDA to find calibration tables
  - Disassembling a Bosch ME7.1 ECU with IDA Pro
  - ECU Hacking: See chapter 6 of The Car Hacker's Handbook
Interoperability
Challenge
Information is rarely produced and consumed strictly inside an application. Modern computers exchange information with other computers and store information on disk or in the cloud. Quite often the data format in use is undocumented, yet there may be a need to interact with the application or extract its data. For example, to extract data from obsolete software we need to know the format it used. Or, to take down a botnet, we may need to know its network protocol in order to send commands to the zombie computers it infected.
Approach
To deal with exotic file formats, IDA Pro can be easily extended with custom-crafted "loaders" that make the data available from within the UI. When it comes to reverse-engineering network protocols, one typically pairs IDA Pro with a packet capture tool (e.g., Wireshark). Discovery of the protocol is sped up by analyzing the captured traffic and matching its usage in the client-side or server-side code.
- IDA can be used to reverse-engineer undocumented network protocols, which has many practical benefits:
  - G Data Software's analysis of an IoT botnet
  - Reverse-engineering an Objective-C based RPC protocol to retrieve diagnostic data from iOS devices
  - Deciphering and Modifying networking packets for "Dragomon Hunter"
  - Reverse-engineering a "dead" protocol to bring an online game back to life
- IDA is often used to reverse-engineer legacy software. When software outlasts its creators, the source code might not be available and users are sometimes stuck with older infrastructure that can't be easily modified or updated. IDA can be used "surgically" to patch legacy binaries and make them behave in the desired way:
  - Shipping unofficial patches for an unsupported version of Internet Explorer that is still in use
  - Using IDA to reverse engineer Palm OS and make it run on modern hardware
  - The ScummVM Project using IDA to port many old game engines to modern platforms
  - Adding networking & multiplayer to a game that doesn't support it out of the box
- Some examples of using IDA to explore exotic file formats:
  - Updating the KLN89B: Using IDA to extract GPS data from a proprietary file format
  - Reverse-engineering Leica camera firmware images with a custom IDA loader for Blackfin
Software Assessment
Challenge
The inner workings of non-malicious software are sometimes worth investigating. Analysts need to have a clear understanding of the software used daily (operating systems, drivers, third-party applications, etc). Normally the internal details of commercial software are not documented, but there are legitimate reasons to examine them.
Approach
IDA supports all major architectures used in desktop, mobile, and embedded devices. It can be used to disassemble binaries with or without debug info. Using built-in features like FLIRT and Lumina, well-known or library functions can be identified. Third-party add-ons like BinDiff or Diaphora allow finding differences between binary versions to identify changes, fixes, or even backdoors.
- IDA is frequently used to detect harmful backdoors in popular software:
  - Using a backdoor in a D-Link router to access the web interface without any authentication
  - Finding Backdoors in Applications: a talk at Black Hat Asia 2020
  - Backdoor In Sony IPELA Engine IP Cameras
  - THE FAKE CISCO: Hunting for backdoors in counterfeit Cisco devices
- IDA can also be used for black-box reverse engineering of embedded firmware:
  - Analyzing the firmware of the Withings Health Mate fitness tracker
  - Reverse engineering and debugging an HDD firmware using IDA
- Google Project Zero often uses IDA for deep dives into commonly used software to assess its security, integrity, and design:
  - Examining Pointer Authentication on the iPhone XS
  - iOS Kernel PAC, One Year Later
  - The story of Adobe Reader symbols
  - The State of State Machines
- Using IDA to understand a new security feature in Microsoft's compiler:
  - How the MSVC Compiler Generates XFG Function Prototype Hashes
Education
Challenge
Reverse-engineering requires a fair amount of experience, training, and even intuition. But without the right tool, even the most skilled reverse-engineer will spend a considerable amount of time performing the most tedious tasks or even fail to spot the crucial bits of information.
Approach
IDA Pro is the perfect tool to teach binary analysis: it is fast, powerful yet easy to use, supports most processors & file formats out of the box, and is even available under free educational licenses for institutions. It's not surprising, then, to find IDA Pro being used all over the world by universities, online or offline classes, trainings, and seminars alike.