Dynamic Data Resolver (DDR) — IDA Plugin 1.0 beta

Executive summary

Static reverse-engineering in IDA can often be problematic. Certain values are only calculated at run time, which makes it difficult to understand what a given basic block is doing. If you try to perform dynamic analysis by debugging a piece of malware, the malware will often detect the debugger and start behaving differently. Today, Cisco Talos is releasing the 1.0 beta version of Dynamic Data Resolver (DDR), a plugin for IDA that makes reverse-engineering malware easier. DDR uses instrumentation techniques to resolve dynamic values from the sample at runtime. For the 1.0 release, we have fixed a couple of bugs, ported the plugin to the latest IDA version, added multiple new features, and included a new installer script that automatically resolves all dependencies.

Feature Overview

A full list of all new features can be found in the New Features 1.0 Release section.

Code Flow Trace

Shows which basic blocks were executed, and how many times, using approximately 20 different colors.

Figure 1

Searchable API call logging

This includes all occurrences where certain instructions (call, jxx, etc.) are hit and touch an API address.

Figure 2
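To make the two features above concrete, here is an added example (not DDR's own code, and not from the Talos post) of the bookkeeping behind a code-flow trace and a searchable API call log. It assumes an instrumentation run has produced one record per executed instruction, as (address, mnemonic, static branch/call target); the block layout, trace, and API address table below are all constructed sample data. Basic-block hit counts are mapped onto 20 color buckets packed in IDA's 0x00BBGGRR format (green for the least-executed blocks, red for the most); applying them to the graph view with IDA's color API is left outside this block so it runs anywhere.

```python
import bisect
from collections import Counter

# Constructed sample: sorted basic-block start addresses of one function and
# the address just past its last block.
BLOCKS = [0x401000, 0x401010, 0x401020, 0x401040, 0x401050]
FUNC_END = 0x401060
BLOCK_SET = set(BLOCKS)

# Constructed API address table (hypothetical addresses, not real ones).
API_ADDRS = {
    0x7FF00010: "kernel32!CreateFileW",
    0x7FF00020: "kernel32!ReadFile",
    0x7FF00030: "kernel32!CloseHandle",
}

# Constructed trace: the loop body (blocks 0x401010/0x401020) runs three times,
# the block at 0x401040 is an error path that never executes.
TRACE = [
    (0x401000, "mov", None), (0x401008, "call", 0x7FF00010),
] + [
    (0x401010, "mov", None), (0x401015, "call", 0x7FF00020),
    (0x401020, "test", None), (0x401025, "jnz", 0x401010),
] * 3 + [
    (0x401027, "jmp", 0x401050),
    (0x401050, "call", 0x7FF00030), (0x401055, "ret", None),
]

NUM_COLORS = 20


def block_of(ea):
    """Return the start address of the basic block containing ea, or None."""
    if ea < BLOCKS[0] or ea >= FUNC_END:
        return None
    return BLOCKS[bisect.bisect_right(BLOCKS, ea) - 1]


def block_hit_counts(trace):
    """Count block entries: a block is entered each time its first instruction runs."""
    counts = Counter()
    for ea, _, _ in trace:
        if ea in BLOCK_SET:
            counts[ea] += 1
    return counts


def color_for_bucket(bucket):
    """Green (bucket 0) to red (bucket NUM_COLORS-1), packed as IDA's 0x00BBGGRR."""
    t = bucket / (NUM_COLORS - 1)
    r, g, b = round(255 * t), round(255 * (1 - t)), 0
    return (b << 16) | (g << 8) | r


def block_colors(counts):
    """Map each executed block to a color bucket relative to the hottest block.
    Blocks that never executed get no entry and keep IDA's default color."""
    if not counts:
        return {}
    max_count = max(counts.values())
    colors = {}
    for ea, n in counts.items():
        bucket = 0 if max_count == 1 else round((n - 1) * (NUM_COLORS - 1) / (max_count - 1))
        colors[ea] = color_for_bucket(bucket)
    return colors


def api_call_log(trace):
    """Keep every call/jxx/jmp whose target is a known API address."""
    log = []
    for ea, mnem, target in trace:
        if target in API_ADDRS and (mnem == "call" or mnem.startswith("j")):
            log.append((ea, mnem, target, API_ADDRS[target]))
    return log


def search_api_log(log, needle):
    """Case-insensitive substring search over the resolved API names."""
    needle = needle.lower()
    return [entry for entry in log if needle in entry[3].lower()]


if __name__ == "__main__":
    counts = block_hit_counts(TRACE)
    for ea, color in sorted(block_colors(counts).items()):
        print(f"block {ea:#x}: {counts[ea]} hits -> color {color:#08x}")
    for ea, mnem, target, name in search_api_log(api_call_log(TRACE), "file"):
        print(f"{ea:#x} {mnem} {target:#x} ; {name}")
```

The hit counter only increments on a block's first instruction, so a long block is not counted more heavily than a short one; the color scale is relative to the hottest block in the function, which is what makes a loop body stand out against straight-line code.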
Searchable string logging

Figure 3

Resolving dynamic values and auto-commenting dynamic resolver plugin