March 27, 2010

Security Book Review: The IDA PRO Book

The IDA PRO Book
Author: Chris Eagle
Editorial: No Starch Press
Publication date: August 12, 2008
ISBN-10: 1593271786
ISBN-13: 978-1593271787


Summary: Do you really want to master the art of disassembly? Start here!

Score: 5/5

Review:
Honestly, when picking up a book that is focused on a single tool, as in this case, my main concerns are: how closely tied (and limited) the content is to the tool and its capabilities, whether the book may soon become obsolete with new versions of the tool, and what else the material offers to the specific field beyond the tool itself.

In this case, it is fair to say that IDA Pro (http://www.hex-rays.com/idapro/) has been the most popular disassembly tool (and now debugger) on the market during the last decade, so covering it means going deeper into the fields of malware analysis, software reverse engineering and vulnerability research. Beginners can start playing with the evaluation version, while professionals have been using the Pro version for a long time.

Apart from that, the moment I realized Chris Eagle was the book's author, it added some excitement to the mix. I got to know Chris when we released the Scan of the Month 32 challenge on the Honeynet Project (http://old.honeynet.org/scans/scan32/), back in 2004. The challenge was focused on analyzing a home-made malware binary, called RaDa, and Chris was the winner (http://old.honeynet.org/scans/scan32/sols/1-Chris_Eagle/); he even developed an IDA Pro script to unpack the binary and solve it.

Therefore, the book title does not do justice to its contents :), as this is not only The IDA PRO Book or the unofficial guide, but the modern software disassembly (static binary analysis) masterpiece and The IDA Pro Bible.

The first two chapters are a must for anyone starting in the world of reversing and disassembly. Something I really liked about the introductory chapters is how the author establishes the relationships between the different functionality available in IDA and the other (more traditional) single-purpose tools that offer similar capabilities.

Then, the book goes in depth into IDA: getting started, covering the interactive interface and navigation capabilities, including both the well-known and the most hidden features, explaining how to manage data types, structures and projects, the beauty of cross-references and graphs, and how to extend and customize IDA for extra advanced analysis (libraries, IDC scripts, plugins, modules, etc.). It offers advanced readers the skills and tools required to move their analysis activities to the next level.

Every chapter is preceded by a great introduction explaining what it is about, and when and why the chapter is important for the analyst. Chapters do not simply walk through the different menus and capabilities of IDA Pro, but describe them within a context based on the author's experience after years of binary analysis, going in depth into the essence and goal of a given feature, the way to use it and the common drawbacks. Chris also uses his experience to highlight what the most typical findings and tool output are in various scenarios, and why.

The book ends with a few chapters that challenge the reader to put the skills learned throughout the book into action on real-world applications. Finally, it covers the new debugging capabilities (dynamic binary analysis) available since IDA version 4.5. For those starting in the field, appendix A points out the differences between the free and the commercial IDA versions, and how these may influence your interest in specific book chapters.

The book is highly recommended to beginners as well as intermediate/advanced users and professionals. It is definitely a dense (like the tool it covers) but very easy to read book that becomes a reference on your bookshelf the minute it reaches your hands. Besides that, its contents won't easily become obsolete with new IDA Pro versions. It is not a book to read in a couple of nights; this is the kind of "practical" book that I strongly recommend reading with a computer and a running copy of IDA handy, so that you can test all the tips and tricks and practice the topics being discussed.

UPDATE: Amazon review.


4 Comments:

Blogger Jose Selvi said...

Hi Raul, do you think this book is also useful for people using IDA Pro Free? Is it mainly focused on IDA Pro 5.x and their new features?

I think there are a lot of people who are using IDA Pro Free because they're using it at home, not daily at work, so they can't pay for a license. Do you also recommend this book for them?

Great post! Thanks!

11:36 AM  
Blogger Alvaro Muñoz said...

Hi!

Nice review! I'm seriously considering buying it, as I was looking for something like that to enter the reverse engineering world :D. Does it come with examples and challenges to get into the full capabilities of the tool, or is it more of a theoretical approach?

Thanks

Alvaro

7:59 PM  
Blogger Raul Siles said...

Jose,
I think the book is useful for people using IDA Freeware too, although it clearly targets the commercial version of IDA Pro. In particular, the book was written for IDA version 5.2 (current version is 5.6 [2]).

Users of IDA Freeware [1] (which BTW is version 4.9 and only supports x86 code) won't be able to use all the new features introduced in IDA Pro 5.x (scripting, SDK, graph view for the disassembly navigator, extra number of plug-ins, IDC scripts and libraries, FLAIR tools, remote debugging, etc.), and therefore can't make use of the chapters covering these more advanced features, such as FLIRT signatures (chapter 12), the IDA SDK (chapter 16) or IDA plug-ins (chapter 17).

[1] http://www.hex-rays.com/idapro/idadownfreeware.htm
[2] http://www.hex-rays.com/idapro/idadowndemo.htm

However, it is true that getting access to all the details about these advanced capabilities from the book really helps to make a more thorough evaluation regarding the acquisition of the commercial version (or not).

12:50 AM  
Blogger Raul Siles said...

Alvaro,
The book has a practical approach; however, it does not come with an enclosed set of binaries used throughout the book; it is not a training class :(

In order to get the most out of it, I recommend that you play with any binary you have around while reading the book, or, more specifically, use the binaries published by reverse engineering challenges, such as those from the Honeynet Project, the Internet Storm Center or many others, such as [1].

[1] http://www.malwarechallenge.info

1:07 AM  