Friday, March 27, 2009

Responder is better than IDA Pro for analyzing malware.

Greg's Note: This blog post was made by Martin Pillion, the most senior reverse engineer at HBGary and one of the most skilled RE's I've met. I have crossposted it to Fast Horizon so it would be picked up on the RSS feeds. Martin's assessment of IDA vs Responder is timely and highlights the amount of experience required to look at assembly vs. graphs. Features like proximity browsing lower the bar significantly so that more practitioners can help solve hard RE problems.

Responder is better than IDA Pro for analyzing malware. I do not make this statement lightly. I have been reverse engineering code (on and off) since the late 1980s, I am a long time user of IDA Pro (since ~2000), and I have written a fair number of IDA Pro scripts. IDA Pro has been the definitive disassembly tool for nearly 10 years.


Let me also point out that I am an HBGary employee and I certainly have a bias toward the Responder product. I have helped design, architect, and develop the Responder product for many years. During that same time, I often worked with the HBGary Services division to assist customers with reverse engineering malware. I used Responder as much as possible, but often found myself loading up IDA Pro and running both products at the same time. However, in the past several months, Responder has improved to the point that I no longer use IDA Pro at all.


Responder utilizes a different approach to reverse engineering than IDA Pro. Where IDA Pro relies on inspecting large amounts of assembly, Responder relies on a more visual, graph based approach.


Responder is graph based, allowing you to manipulate and organize graphs.


Responder displays information visually and is navigated based on relationships. Responder has a feature called 'Proximity Browsing' that allows you to expand a graph based on the cross references to or from the currently selected node. This makes it easy to quickly locate related code and visually examine those relationships. IDA has a popup dialog to list xrefs, but you must click each xref individually to examine it (time consuming).


Responder lets you browse code by cross references.


Responder uses the color of xref lines to indicate what kind of xref it is: grey for data xrefs, black for block xrefs, and red for call xrefs. Node shapes can indicate function starts, ends, regular blocks, data, comments, or bookmarks. Node color is used to organize graphs and is determined by layer. Layers are similar to the layer concept in Adobe Photoshop.


IDA Pro WinGraph32


IDA Pro relies on WinGraph32 to perform graphing and it is clearly a secondary feature in the tool. There is support for a limited set of graph based analysis features, mainly built around flow chart and call flow graphing. The UI also leaves a lot to be desired: it is not possible to modify an existing graph; instead you must go back to the text based UI and regenerate an entirely new graph.


Changing layout algorithms can reveal structure and/or relationships within the code that may not be immediately obvious in other layouts.


Responder lets you "Collapse" a graph node. A Collapsed node is an entire function, instead of a single block of disassembly. You can Proximity Browse from a collapsed node and you will expand only call xrefs, with additional nodes also being collapsed functions. Using this feature you can quickly identify the purpose of main functions and label them appropriately.


Data Flow tracing allows Responder to track the movement of data, even variables used with Frame Pointer Omission.


Responder can also perform "Data Flow" tracing. Data Flow tracing allows Responder to follow the movement of data through a function, even if it is moved to a memory address (like the stack) and later moved into a register. This means that Responder can follow stack variables on functions with frame pointer omission.


Data Flow tracing is powerful and Responder utilizes it every time you rename an instruction operand. This means that your custom labels may show up later in the function and be used in a way that you did not realize. Data Flow tracing will track multiple levels of dereferences and indirections, memory addresses, registers, and even logical manipulations.
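A sketch of this kind of label propagation, added here as an illustration (it is not HBGary's code or Responder's actual algorithm): it follows a labelled value through a constructed 32-bit x86 listing compiled without a frame pointer, keying each stack slot by its offset from ESP at function entry so the slot keeps one identity while ESP moves. The listing, the `arg_len` label and the names `loc` and `trace` are assumptions made for the example, and only straight-line code is handled.

```python
import re

MEM = re.compile(r"\[esp(?:([+-])(0x[0-9a-f]+|\d+))?\]")
ARITH = {"add", "sub", "and", "or", "xor"}
KNOWN = ARITH | {"mov", "push", "pop"}

# Constructed sample: no EBP frame, so the same local is [esp] before the
# push and [esp+0x4] after it.
LISTING = [
    "sub esp, 0x8", "mov eax, [esp+0xc]", "mov [esp], eax", "xor eax, eax",
    "push ebx", "mov ecx, [esp+0x4]", "add ecx, 0x10", "mov edx, [esp]",
    "pop ebx", "mov [esp+0x4], ecx", "add esp, 0x8",
]

def loc(operand, delta):
    """Key for an operand. ESP-relative memory is keyed by its offset from
    ESP at function entry, so one slot keeps one name while ESP moves."""
    m = MEM.fullmatch(operand)
    if not m:
        return operand                          # register or immediate
    off = int(m.group(2), 0) if m.group(2) else 0
    return ("stack", delta + (-off if m.group(1) == "-" else off))

def trace(listing, seed, label):
    """Return [(index, instruction)] for each instruction reading the labelled value."""
    labels, delta, hits = {loc(seed, 0): label}, 0, []
    for i, line in enumerate(listing):
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")]
        if op not in KNOWN:
            continue                            # call/cmp/jcc are outside this sketch
        if op in ARITH and args[0] == "esp":    # stack adjustment: track ESP only
            delta += int(args[1], 0) * (1 if op == "add" else -1)
            continue
        if op == "push":
            src, delta = loc(args[0], delta), delta - 4
            dst = ("stack", delta)
        elif op == "pop":
            src, delta = ("stack", delta), delta + 4
            dst = loc(args[0], delta)
        else:                                   # mov / arithmetic: dst, src
            dst, src = loc(args[0], delta), loc(args[1], delta)
        carried = labels.get(src)
        if op in ARITH:                         # result also derives from dst
            carried = None if (op == "xor" and dst == src) else carried or labels.get(dst)
        if carried:
            hits.append((i, line))
            labels[dst] = carried
        else:
            labels.pop(dst, None)               # overwritten with untracked data
    return hits
```

Calling `trace(LISTING, "[esp+0x4]", "arg_len")` seeds the label on the first stack argument; the reload at `mov ecx, [esp+0x4]` is matched to the slot written by `mov [esp], eax`, while `mov edx, [esp]` after the push is correctly treated as the saved EBX.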


These are just a few of the features that make Responder better than IDA Pro for malware analysis. I will discuss others and also expand on the technologies behind each feature in future blogs. Ultimately, the primary work flow of a reverse engineer is one of organizing and understanding data. Responder enables me to do this with malware faster than I would be able to using IDA Pro.


- Martin