MyNav is an Open Source IDAPython plugin for the commercial disassembler IDA Pro to be released on July 2010. The plugin adds a lot of new features only available in other products like in the well known Zynamics BinNavi or HB Gary's Inspector. In this blog post I will show you some of the features available in the current version with some examples.
The navigator is good to get an idea about what a function does as we can see and browse in a user-friendly GUI all the functions executed from one specific point. For example, open the typical windows binary calc.exe in IDA Pro, wait until the initial analysis ends, run the script mynav.py in IDA and jump to the function "?CalcWndProc@@YGJPAUHWND__@@IIJ@Z" (at address 0x01006118 in Windows XP SP 3). Now, select Edit->Plugins->MyNav - Browse Function. A new dialog box will appear asking for the maximum recursion level, enter the number 1 and click OK. The following (browseable) graph will appear:
Depending on the selected maximum recursion level, some child nodes will be hidden like, for example, the childs nodes of the function "?SetRadix@@YGXK@Z". To see the hidden nodes simply double clik in the node with text "(8 more nodes)". The following graph will appear:
In this graph we can see what functions are executed from the "SetRadix" one. We can continue browsing the graph entering and leaving in some other functions but, what if I want to see what API calls are executed from an specific function? To open a browseable graph showing API calls select in the IDA's disassembly view the desired function (for example, the function at address 0x010022F9 in Windows XP SP3 -?CIO_vConvertToString@@YGXPAPAGPAUCALCINPUTOBJ@@H@Z-) and select Edit->Plugins->MyNav - Browse functions (show APIs), leave the default maximum recursion level and click OK. The browseable graph bellow will appear:
Taking a look to this graph we can "abstractly" see what the function ConvertToString does.
Code path searching
One of the most typical tasks when looking for vulnerabilities is to find a code path between data entry points (functions where you can insert data) and some target functions (vulnerable ones). With MyNav we can search automatically for code paths between 2 functions with just a few clicks. For example, continuing with the Windows calculator, we will search code paths from "WinMain" and "EverythingResettingNumberSetup" so, select Edit->Plugins->MyNav - Show code paths between 2 functions. A dialog box showing all the binary's functions will be shown:
In this dialog box select the starting point (WinMain) and click OK, the same dialog will appear again asking for the target function, select "EverythingResettingNumberSetup" and click OK. The following graph will appear:
Differential debugging usage example: notepad
In this example we will discover and analyze the code responsible for opening a file in notepad. Run IDA Pro and open the notepad.exe binary. Wait until the initial analysis finishes and, after it, run the script mynav.py in IDA. A lot of new menus will be added under Edit->Plugins as shown bellow:
Now, select a debugger from the debugger dropdown list and select from Edit->Plugins menu the option called "MyNav - New session". A dialog box asking for a session's name will appear. Enter a meaningfull name like "GuiNoise" or something like this as we will be recording the code responsible of GUI painting, uninteresting for our goal (discover the code executed when we open a file inside notepad).
Press OK and a message box saying that there is no breakpoint set will appear. Answer "Yes" and MyNav will set a breakpoint in every function and start the debuggger. While the application is running move the window, minimize, maximize, restore it, popup the contextual menus and close the application when done. When debugging stops, a graph showing all the executed functions will appear:
This callgraph shows all the functions executed and the relationships between them. All the breakpoints sets in a function that was executed in this session were removed after the first hit so we will not stop again in the GUI related code. Now, record another session, select Edit->Plugin->MyNav - New session and enter the name "FileOpenDialog". When the debugger starts select in notepad "File->Open" and cancel the dialog box. Select again in notepad "File->Open" but this time select a file to open. When done, close the application and the following callgraph will appear:
This time only 7 functions appeared, those responsible of showing the file open dialog box and opening the file. The notepad.exe binary contains 88 functions and we discovered in a few seconds the interesting functions. Now, it's time to discover the exact code executed when I cancel the dialog box and when I select a file to open so, select Edit->Plugins->MyNav - Trace in session and a dialog box will appear showing all the recorded session. Select the session named "FileOpen" in the dialog shown bellow:
After it, the typical dialog box asking for a sessions name will appear. Enter the name "TraceFileOpenCancel", click OK and the debugger starts. When notepad is opened, select File->Open, cancel the dialog box and close the application.
The colored basic blocks are those executed when we cancelled the dialog box. Now, we will trace again the same session but this time opening a file so, select Edit->Plugins->MyNav - Trace in session, select the session named "FileOpen" and enter the name "TraceFileOpen". When debugger starts the application select File->Open and open a file. When done, close notepad and the following code will be shown:
The new color shows the basic blocks executed this time. If we want, we can see the differences between the 2 sessions. Select Edit->Plugins->MyNav - Show step trace session and a dialog box showing a list of all the recorded trace sessions will appear. Select the trace session called "TraceFileOpenCancel" and click OK. Notice the change in the graph:
In about 5 minutes we discovered the functions and the instructions executed when we cancel the file open dialog box and when we open a file. It was easy, wasn't it?