Hex-Rays IDA Pro
Strengths: Comprehensive, complete and with a history in the industry second to none.
Weaknesses: None that we found.
Verdict: We have gushed about this tool enough in the review so we’ll simply offer a verdict of Best Buy for this month.
This, unequivocally, is the 800-pound gorilla of reversing tools. It has been around as freeware and as a commercial product since 2005. We know of no serious malware analyst who is not familiar with - or, in fact, does not use - IDA Pro in one of its forms. The company also produces a C/C++ decompiler, one of the first, if not the first, in the industry. That said, this is a tool for experienced software reverse engineers. It is, of course, not limited to malware.
IDA Pro actually is a collection of tools that together give all the information about a binary file under examination. When reversing malware, one of the most useful functions is "strings." This is where you may find URLs, IPs and other network information embedded in the sample without the need to dig into the assembly language code. But, make no mistake, a knowledge of assembly language is a prerequisite for getting the most useful results out of a reversing exercise.
In addition to the strings function, IDA Pro has its own display of the reversed binary, shown in assembler (the "IDA View"). This is accompanied by a function graph that shows connections and flows between functions in the sample. The tool also provides hex views, so by placing the IDA views on the screen alongside the hex views it is possible to correlate data with functionality within the sample.
This ability to correlate data is very useful in several contexts. For example, suppose that you want to connect a string - perhaps a URL - with its location in the code. IDA Pro allows that by highlighting, in the IDA view and/or the hex view, the string you select in the strings view. Expanding that set of views to the function graph gives the complete context for the string: the data, the code that references it and the functions that lead to that code.
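The string-to-code correlation described above can also be scripted. The following IDAPython script is an added example, not code from the review or from Hex-Rays: it walks the Strings window, keeps the entries that look like network indicators (URLs, IPv4 addresses, a few common domain suffixes) and lists the functions whose code references each one. The classification and report logic is plain Python and runs anywhere; the IDA-specific glue assumes the IDA 7.x IDAPython names idautils.Strings(), idautils.XrefsTo() and idc.get_func_name(). The sample strings and cross-references at the bottom are constructed for the offline demonstration.

```python
"""
Added example (not from the review, not Hex-Rays code): list string literals
that look like network indicators together with the functions referencing
them, i.e. the strings-window -> IDA-view correlation done in one pass.
"""
import re

try:
    import idautils  # IDAPython modules, present only inside IDA
    import idc
    IN_IDA = True
except ImportError:
    IN_IDA = False

URL_RE = re.compile(r"^(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?$")
# Illustrative TLD list only; extend it for a real triage run.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|cn|io)$",
                       re.IGNORECASE)


def classify_network_string(text):
    """Return 'url', 'ipv4', 'domain' or None for one string literal."""
    t = text.strip()
    if URL_RE.match(t):
        return "url"
    if IPV4_RE.match(t):
        octets = t.split(":")[0].split(".")
        if all(0 <= int(o) <= 255 for o in octets):
            return "ipv4"
        return None  # pattern matched but an octet is out of range
    if DOMAIN_RE.match(t):
        return "domain"
    return None


def build_report(strings, referrers):
    """
    strings:   iterable of (ea, text) pairs, e.g. from the Strings window
    referrers: callable ea -> list of names of code locations referencing ea
    Returns one dict per network-looking string, sorted by address.
    """
    report = []
    for ea, text in strings:
        kind = classify_network_string(text)
        if kind is None:
            continue
        report.append({"ea": ea, "kind": kind, "text": text.strip(),
                       "callers": sorted(set(referrers(ea)))})
    return sorted(report, key=lambda r: r["ea"])


# --- IDA-side glue (assumed IDAPython API names, runs only inside IDA) ------

def ida_strings():
    # idautils.Strings() yields items with .ea; str(item) is the literal text
    for s in idautils.Strings():
        yield s.ea, str(s)


def ida_referrers(ea):
    names = []
    for xref in idautils.XrefsTo(ea):
        fn = idc.get_func_name(xref.frm)  # "" when the xref is outside a function
        names.append(fn or "0x%X" % xref.frm)
    return names


# --- Constructed sample data for running outside IDA -------------------------

SAMPLE_STRINGS = [
    (0x401000, "kernel32.dll"),                     # not a network indicator
    (0x402000, "http://c2.example/update.php"),     # constructed URL
    (0x403000, "10.0.0.1:8080"),                    # constructed IP:port
    (0x404000, "999.1.1.1"),                        # looks like an IP but is not
]
SAMPLE_XREFS = {0x402000: ["sub_401500", "sub_401500", "main"]}


def demo():
    """Run the report over the constructed sample; used when not inside IDA."""
    return build_report(SAMPLE_STRINGS, lambda ea: SAMPLE_XREFS.get(ea, []))


def print_report(rows):
    for row in rows:
        print("0x%X %-6s %-40s <- %s" % (row["ea"], row["kind"], row["text"],
                                        ", ".join(row["callers"]) or "(no xrefs)"))


if __name__ == "__main__":
    if IN_IDA:
        print_report(build_report(ida_strings(), ida_referrers))
    else:
        print_report(demo())
```

Inside IDA, run it from File > Script file; each line pairs an indicator with the function that uses it, so a URL can be taken straight to the code that builds the request without clicking through the strings and IDA views by hand. Outside IDA the script falls back to the constructed sample so the classification logic can be checked on its own.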
We used IDA Pro to teach malware forensics at a university for several years. One of the more useful functions was the ability to set breakpoints and circumvent encryption in a malware sample that uses a crypter for obfuscation. Since the code is encrypted until it fires, placing a breakpoint strategically and then single-stepping through the execution reveals the decrypted code.
Text search adds to the functionality, and a text search is reflected throughout the various displays. In addition, IDA Pro lists calls, names, libraries, structures, threads, registers and lots more. In short, this is a reversing toolkit in a single program. With the addition of a couple of malware-specific tools - such as a tool to identify a particular crypter or packer - IDA Pro is all you really need to do competent malware analysis.
There are books available that go into a lot of detail about the use of the tool. This attests both to IDA Pro's popularity and its breadth and depth of functionality. In short - and we don't say this often - IDA Pro is a "must-have" tool for any serious malware reverse engineer. If you are studying software reverse engineering at university it is quite probable that this is the tool your professors teach.
The web site is excellent and considers that not everyone who visits it has a complete knowledge of IDA Pro or other Hex-Rays tools. There is a support portal packed full of useful information, downloads and support options. Support is free and is available 8x5. Support is by email and, from customer comments, offers acceptably fast response. There is a community forum that contains lots of good, hands-on information and answers to questions. Documentation is profuse and comes from multiple sources beyond Hex-Rays. In short, this is the reversing tool that should be in every analyst's toolkit.