Decorating Your Disassembly

When reviewing disassembly, some instructions are more important than others.  You can use a simple script to color the instructions you're interested in so that they stand out.  Either IDAPython or IDC scripts can be used to color the interesting instructions.  Most professionals use IDAPython for their scripting, but I'll talk about IDC because it's available in the free version of IDAPro and I suspect some of our readers are just flirting with malware analysis and haven't purchased the full version (also because I have an irrational bias against python).  The instructions I most like to highlight are calls, but I also highlight instructions commonly used for data encoding (non-zeroing XORs), anti-VM checks (sidt, sgdt, str, etc.), and anti-debugging (int 3, rdtsc, etc.).  This makes it easier to locate the more interesting code while reading the disassembly.

The IDC scripting language is a lot like C, and C programmers should find it very easy.  The FirstSeg() function returns the start address of the first segment, and NextHead() is then called in a loop to step through every defined item in the database; GetMnem() returns the mnemonic of each instruction.  If the instruction is a call, it is colored pink.

#include <idc.idc>
static main(void) {
   auto currentEA;
   auto currentMnem;
   auto prevMnem;
   auto currentOp;
   prevMnem = "";

   // Start at the first segment and walk every defined item (head) in the database
   currentEA = FirstSeg();
   currentEA = NextHead(currentEA, 0xFFFFFFFF);
   while (currentEA != BADADDR) {
       currentMnem = GetMnem(currentEA);

       //Highlight call instructions (IDC colors are 0xBBGGRR, so 0xc7c7ff is pink)
       if (currentMnem == "call")
           SetColor(currentEA, CIC_ITEM, 0xc7c7ff);

       // ... further mnemonic checks go here ...

       prevMnem = currentMnem;
       currentEA = NextHead(currentEA, 0xFFFFFFFF);
   }
}

For instructions that you want to color only if the operands meet certain criteria, such as non-zeroing XORs, where the first and second operands differ, use the GetOpnd() function.

      //Non-zeroing XORs are often signs of data encoding
      if (currentMnem == "xor") {
          if (GetOpnd(currentEA, 0) != GetOpnd(currentEA, 1)) {
              SetColor(currentEA, CIC_ITEM, 0xFFFF00);   // cyan in IDA's 0xBBGGRR order
          }
      }

The complete script (full text available here) colors:

  • Call functions
  • Non-zeroing XORs (data encoding)
  • sidt, sldt, sgdt, smsw, str, in, cpuid (Anti-VM instructions)
  • int 3, int 2D, icebp, rdtsc (Anti-Debugging instructions)
  • push/ret combinations (return address abuse)
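Here is an IDAPython rendering of that same rule list, added as an example for this post; it is neither Siko's script nor the IDC script linked above.  It assumes the `idc` module names of IDA 7 and later (get_first_seg, next_head, print_insn_mnem, print_operand, set_color, CIC_ITEM), treats a ret immediately after a push as the push/ret combination, and carries a constructed sample listing so the classification logic can also run outside IDA.

```python
# Colours are 0xBBGGRR, the byte order IDA's SetColor/set_color expects.
PINK, CYAN, ORANGE, RED, GREEN = 0xC7C7FF, 0xFFFF00, 0x80C0FF, 0x8080FF, 0xC0FFC0
ANTI_VM = {"sidt", "sldt", "sgdt", "smsw", "str", "in", "cpuid"}
ANTI_DEBUG = {"icebp", "rdtsc", "int3"}                 # plus "int 3" / "int 2Dh" below

def classify(mnem, op0, op1, prev_mnem):
    """Return (category, colour) for one instruction, or None if it is not interesting."""
    if mnem == "call":
        return ("call", PINK)
    if mnem == "xor" and op0 != op1:                    # xor eax, eax only zeroes a register
        return ("data-encoding", CYAN)
    if mnem in ANTI_VM:
        return ("anti-vm", ORANGE)
    if mnem in ANTI_DEBUG or (mnem == "int" and op0.lower() in {"3", "2dh"}):
        return ("anti-debug", RED)
    if mnem in ("ret", "retn") and prev_mnem == "push": # assumption: "ret right after push"
        return ("push-ret", GREEN)
    return None

def highlight(instructions, set_color=lambda ea, colour: None):
    """instructions: (ea, mnem, op0, op1) tuples in address order; returns [(ea, category)]."""
    hits, prev = [], ""
    for ea, mnem, op0, op1 in instructions:
        verdict = classify(mnem, op0, op1, prev)
        if verdict:
            set_color(ea, verdict[1])                   # colour the whole item, like CIC_ITEM
            hits.append((ea, verdict[0]))
        prev = mnem
    return hits

def ida_instructions():
    """Walk every head in the open IDB; only works inside IDA (needs the idc module)."""
    import idc
    ea = idc.get_first_seg()
    while ea != idc.BADADDR:
        yield ea, idc.print_insn_mnem(ea), idc.print_operand(ea, 0), idc.print_operand(ea, 1)
        ea = idc.next_head(ea, idc.BADADDR)

def run_in_ida():
    """Colour the whole database; call this from IDA's script window."""
    import idc
    return highlight(ida_instructions(), lambda ea, c: idc.set_color(ea, idc.CIC_ITEM, c))

# Constructed sample listing (not from any real binary) so the logic can run outside IDA.
SAMPLE = [
    (0x401000, "push", "ebp", ""), (0x401001, "xor", "eax", "eax"), (0x401003, "xor", "[ecx]", "al"),
    (0x401005, "call", "sub_401200", ""), (0x40100A, "sidt", "fword ptr [esp+4]", ""),
    (0x40100E, "int", "3", ""), (0x401010, "rdtsc", "", ""),
    (0x401012, "push", "offset loc_401300", ""), (0x401017, "retn", "", ""),
]
```

Outside IDA, `highlight(SAMPLE)` returns the six flagged addresses with their categories; inside IDA, `run_in_ida()` colours the listing and returns the same kind of list for review.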

As I said earlier in the post, this can also be accomplished with IDAPython for those who have the full version of IDAPro.  Here is the IDAPython script that Siko uses to highlight instructions whenever he loads a program in IDAPro.
