WEBVTT

00:05.210 --> 00:13.010
The Functions window displays all the functions recognized by IDA, and it also shows the virtual address

00:13.010 --> 00:19.040
where each function can be found, as well as the size of each function and various other properties

00:19.040 --> 00:20.060
of the function.

00:20.060 --> 00:24.140
And you can double click any of these functions to jump to the selected function.

00:24.140 --> 00:30.480
And each function is associated with various flags such as... let's actually increase the size

00:30.500 --> 00:30.860
a bit.

00:30.890 --> 00:40.340
We have R, F, L and so on, and you can get more information about these flags in the help file by pressing

00:40.340 --> 00:42.830
F1 here.

00:47.310 --> 00:47.730
Index.

00:47.730 --> 00:49.710
We can search for terms.

00:51.190 --> 00:51.360
Here.

00:51.400 --> 00:58.120
And as you can see, you have a lot of content to read and exercise on the...

01:00.250 --> 01:01.270
IDA here.

01:01.300 --> 01:02.800
IDA and...

01:04.200 --> 01:04.980
Here.

01:05.520 --> 01:12.420
For example, if you are searching for the R here, you can just write the keyword for your term.

01:13.200 --> 01:13.920
And.

01:14.270 --> 01:14.740
And.

01:15.680 --> 01:17.000
List the topics here.

01:20.830 --> 01:27.800
And the library functions are compiler-generated and are not written by the malware author.

01:27.820 --> 01:34.660
Rather, from a code analysis perspective, we would be interested in analyzing the malware code,

01:34.660 --> 01:36.490
not the library code here.

01:36.490 --> 01:39.430
And we also have the output window.

01:39.430 --> 01:48.190
So this Functions window will be useful for us, and we will use that in the next lectures here.

01:48.550 --> 01:54.600
As you can see here, you can see almost anything with these functions in the Functions window; you

01:54.640 --> 02:02.800
can see the diagrams of this and so on, but you can exercise with some malware.

02:04.740 --> 02:06.210
And we also have...

02:08.230 --> 02:09.760
the Output window as well.

02:09.760 --> 02:17.470
So the Output window displays the messages generated by IDA and IDA plugins.

02:17.470 --> 02:22.240
And these messages can give information about the analysis of the binary and various operations that

02:22.240 --> 02:23.380
you perform.

02:23.380 --> 02:30.490
And you can look at the contents of the output window to get an idea of various operations performed

02:30.490 --> 02:33.840
by IDA when an executable is loaded.

02:33.850 --> 02:38.680
And we also have the Hex View window here as well.

02:38.680 --> 02:44.560
So you can click the Hex View-1 tab to display the hex window.

02:44.560 --> 02:51.040
And the hex window displays a sequence of bytes in a hex dump and in ASCII format.

02:51.040 --> 02:57.580
And by default, the hex window is synchronized with the disassembly window, meaning that when you select any

02:57.580 --> 03:03.130
item in the disassembly window, the corresponding bytes are highlighted in the hex window.

03:03.130 --> 03:09.140
So the hex window is useful to inspect the contents of a memory address.

03:09.140 --> 03:16.880
And we also have the Structures window here, and clicking on the Structures tab will bring up the Structures

03:16.880 --> 03:17.180
window.

03:17.180 --> 03:24.740
This Structures window lists the layout of the standard data structures used in the program, and it

03:24.740 --> 03:28.520
also allows you to create your own data structures here.

03:28.520 --> 03:35.270
And we have the Imports window here, clicking on the Structures tab.

03:35.960 --> 03:43.610
After clicking on the Structures tab, we can also click on Imports and Exports here, and in Imports here,

03:44.150 --> 03:50.000
this Imports window lists all of the functions imported by the binary.

03:50.000 --> 03:57.830
So here, you can see the imported functions and the shared libraries, which are also called

03:57.830 --> 04:02.840
DLLs, from which these functions are imported.

04:03.890 --> 04:06.880
We have the Exports window as well.

04:06.890 --> 04:10.370
So this Exports window lists all the exported functions.

04:10.370 --> 04:13.640
So the exported functions are normally found in the DLLs.

04:13.640 --> 04:18.070
So this window can be useful when you are analyzing malicious DLLs.

04:18.080 --> 04:24.110
In this case, we don't really have any exports because this is just a Hello World application

04:24.110 --> 04:26.810
and an executable file, not a DLL here.

04:26.810 --> 04:32.090
And we also have the Strings window.

04:32.090 --> 04:34.700
It does not show the Strings window by default.

04:34.700 --> 04:40.610
So you can bring up the Strings window by clicking on View.

04:41.000 --> 04:42.260
Here.

04:43.030 --> 04:48.850
View, and in View, we will click on Open subviews.

04:49.330 --> 04:49.870
Here.

04:51.150 --> 04:55.170
And there's also a shortcut for this, which I will show you right now.

04:55.170 --> 05:00.900
And as you can see here in View, we can click on Open subviews here.

05:01.170 --> 05:04.830
And after that, we will select Strings.

05:05.780 --> 05:13.400
And as you can see, we also have the shortcut for it, Shift+F12, and that's it.

05:13.430 --> 05:15.530
We have the Strings window here.

05:15.530 --> 05:21.800
So the Strings window displays the list of strings extracted from the binary and the address

05:21.800 --> 05:23.780
where these strings can be found.

05:23.780 --> 05:30.680
And by default, the Strings window displays only the null-terminated ASCII strings of

05:30.680 --> 05:34.910
at least five characters in length, and in the next lecture...

05:34.940 --> 05:41.450
Actually, in the previous lecture with Ghidra, we saw that a malicious binary can use Unicode strings,

05:41.450 --> 05:45.980
and you can configure IDA to display different types of strings.

05:46.190 --> 05:53.400
And to do that, while you are in the Strings window, right click on Setup and you can select the

05:54.650 --> 05:57.470
strings that you want here.

05:57.620 --> 06:07.280
We have the Unicode, C-style 16 bits, C-style 32 bits, Pascal style, Pascal style 64, 16 bits and so

06:07.280 --> 06:07.790
on.

06:07.790 --> 06:10.970
And we also have the Segments window.

06:10.970 --> 06:19.280
So the Segments window is available at View, Open subviews, and after that we will select Segments,

06:19.280 --> 06:26.990
or we can also use Shift+F7 to bring it up, and here.

06:29.030 --> 06:31.250
And here we have the...

06:33.710 --> 06:38.600
Open subviews, and we will see the segments right now.

06:39.070 --> 06:44.910
Open subviews and Segments, and the Segments window.

06:44.930 --> 06:51.080
This shows the sections, like text, data and so on, in this binary file.

06:51.080 --> 06:57.980
And the displayed information contains the start address, the end address and the memory permissions

06:57.980 --> 07:01.160
of each section.

07:01.980 --> 07:10.350
And the start and end address specify the virtual address of each section that is mapped into memory

07:10.380 --> 07:12.000
during runtime.
