Suppose our goal is to dissect a new program. The ultimate method of analysis is single stepping the program of interest. Each executed instruction must be single stepped at least once so we won’t miss anything important.
How do you spell “I love you” in Greek?…
Today I’ll present you a pretty small yet useful plugin.
The method described in the previous post does not work if the application uses an “unsupported” anti-debugging trick. For example, if the application reads the PEB field directly instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future…
Quite often IDA users ask for a plugin or feature to hide the debugger from the application. In fact there are many anti-debugging tricks, and each of them requires an appropriate reaction from the debugger. Let’s start with something simple: we will make every call to the IsDebuggerPresent function return zero.
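The two posts above describe the same arms race from both sides: the debugger forces IsDebuggerPresent to return zero, and the application answers by reading the PEB field itself. The program below is an added example, not code from the blog or from the plugin it describes, and it puts both application-side checks and both debugger-side countermeasures in one place. On Windows it reads the real PEB through NtCurrentTeb() and winternl.h; elsewhere it substitutes a constructed stand-in struct with only the BeingDebugged field, so the logic still runs. The global that forces the API result to zero stands in for the plugin’s breakpoint and is an assumption about how that plugin works, and clearing PEB.BeingDebugged is the standard stronger countermeasure, not something taken from the page.

```c
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* partial PEB/TEB layouts that expose BeingDebugged */
typedef PEB peb_t;
static peb_t *peb_ptr(void)
{
    /* Real PEB of this process; this is what IsDebuggerPresent() reads. */
    return NtCurrentTeb()->ProcessEnvironmentBlock;
}
#else
/* Constructed stand-in for the Windows PEB so the example compiles and runs
 * off Windows. Only the one field the checks care about is modelled. */
typedef struct {
    unsigned char Reserved1[2];
    unsigned char BeingDebugged;
} peb_t;
static peb_t g_fake_peb;
static peb_t *peb_ptr(void) { return &g_fake_peb; }
#endif

/* Assumed model of the debugger plugin: when set, the application sees 0
 * from IsDebuggerPresent() no matter what the PEB says. */
static int g_api_return_forced_zero = 0;

/* Application check 1: the documented API. */
static int check_via_api(void)
{
    if (g_api_return_forced_zero)
        return 0;
#ifdef _WIN32
    return IsDebuggerPresent() ? 1 : 0;
#else
    return peb_ptr()->BeingDebugged ? 1 : 0;   /* same thing kernel32 does */
#endif
}

/* Application check 2, the "unsupported" trick: read PEB.BeingDebugged
 * directly, bypassing any hook or patched return value on the API. */
static int check_via_peb(void)
{
    return peb_ptr()->BeingDebugged ? 1 : 0;
}

/* Debugger side: set or clear the flag the loader raises on attach. */
static void set_being_debugged(unsigned char v) { peb_ptr()->BeingDebugged = v; }

/* Debugger side, countermeasure 1: force the API's return value to 0. */
static void hide_by_patching_api(int on) { g_api_return_forced_zero = on; }

/* Debugger side, countermeasure 2: clear the flag the API itself reads. */
static void hide_by_clearing_peb(void) { set_being_debugged(0); }

/* bit0 = API check detects the debugger, bit1 = direct PEB read detects it. */
static int detection_mask(void)
{
    return (check_via_api() ? 1 : 0) | (check_via_peb() ? 2 : 0);
}

int main(void)
{
    set_being_debugged(1);            /* debugger attached, flag raised */
    hide_by_patching_api(0);
    printf("no hiding:         mask=%d\n", detection_mask());   /* 3 */
    hide_by_patching_api(1);
    printf("API forced to 0:   mask=%d\n", detection_mask());   /* 2: PEB read still wins */
    hide_by_patching_api(0);
    hide_by_clearing_peb();
    printf("PEB flag cleared:  mask=%d\n", detection_mask());   /* 0: both checks fooled */
    return 0;
}
```

The middle line of the output is the failure mode the second post describes: patching what the API returns leaves the byte in the PEB untouched, so any direct read still sees it. Clearing the flag in the PEB fixes the API result as a side effect because that byte is the API’s only input; it does not help against the other tricks (timing, NtQueryInformationProcess, and so on), which is why each one needs its own reaction from the debugger.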
Final method of loading several files into a database
I promised to tell you about the TLS callbacks. Here is the discussion.
The third method to create a database with several PE files.
The second method to create a database with several PE files.
IDA Pro can load one PE file into a database and analyze it. Some users assume this is the maximum. Let’s take a closer look at the situation…