1
00:00:05,210 --> 00:00:13,010
The functions window displays all the functions recognized by IDA, and it also shows the virtual address

2
00:00:13,010 --> 00:00:19,040
where each function can be found, as well as the size of each function and various other properties

3
00:00:19,040 --> 00:00:20,060
of the function.

4
00:00:20,060 --> 00:00:24,140
And you can double click any of these functions to jump to the selected function.

5
00:00:24,140 --> 00:00:30,480
And each function is associated with various flags, such as... let's actually increase the size of the display

6
00:00:30,500 --> 00:00:30,870
a bit.

7
00:00:30,890 --> 00:00:40,340
We have the R, F, L and so on, and you can get more information about these flags in the help file by pressing

8
00:00:40,340 --> 00:00:42,830
F1 here.

9
00:00:47,310 --> 00:00:47,730
Index.

10
00:00:47,730 --> 00:00:49,710
We can search the terms.

11
00:00:51,190 --> 00:00:51,360
Here.

12
00:00:51,400 --> 00:00:58,120
And as you can see, you have a lot of content to read and exercise on the...

13
00:01:00,250 --> 00:01:01,280
IDA here.

14
00:01:01,300 --> 00:01:02,800
IDA and...

15
00:01:04,200 --> 00:01:04,980
Here.

16
00:01:05,520 --> 00:01:12,420
For example, if you are searching for the R here, you can just write the keyword for your term.

17
00:01:13,200 --> 00:01:13,920
And...

18
00:01:14,270 --> 00:01:14,740
And...

19
00:01:15,680 --> 00:01:17,000
List the topics here.

20
00:01:20,830 --> 00:01:27,800
And the library functions are compiler generated and are not written by the malware author.

21
00:01:27,830 --> 00:01:34,660
Rather, from a code analysis perspective, we will be interested in analyzing the malware code,

22
00:01:34,660 --> 00:01:36,490
not the library code here.

23
00:01:36,490 --> 00:01:39,430
And we also have the output window.

24
00:01:39,430 --> 00:01:48,190
So this functions window will be useful for us, and we will use it in the next lectures here.
25
00:01:48,550 --> 00:01:54,600
As you can see here, you can see almost anything with this functions window; you

26
00:01:54,640 --> 00:02:02,800
can see the diagrams of this and so on, but you can exercise with some malware.

27
00:02:04,740 --> 00:02:06,210
And we also have...

28
00:02:08,230 --> 00:02:09,760
the output window as well.

29
00:02:09,760 --> 00:02:17,470
So the output window displays the messages generated by IDA and IDA plugins.

30
00:02:17,470 --> 00:02:22,240
And these messages can give information about the analysis of the binary and various operations that

31
00:02:22,240 --> 00:02:23,380
you perform.

32
00:02:23,380 --> 00:02:30,490
And you can look at the contents of the output window to get an idea of the various operations performed

33
00:02:30,490 --> 00:02:33,840
by IDA when an executable is loaded.

34
00:02:33,850 --> 00:02:38,680
And we also have the hex view window here as well.

35
00:02:38,680 --> 00:02:44,560
So you can click the Hex View-1 tab to display the hex window.

36
00:02:44,560 --> 00:02:51,040
And the hex window displays a sequence of bytes in a hex dump and in ASCII format.

37
00:02:51,040 --> 00:02:57,580
And by default, the hex window is synchronized with the disassembly window, which means when you select any

38
00:02:57,580 --> 00:03:03,130
item in the disassembly window, the corresponding bytes are highlighted in the hex window.

39
00:03:03,130 --> 00:03:09,140
So the hex window is useful to inspect the contents of a memory address.

40
00:03:09,140 --> 00:03:16,880
And we also have the structures window here, and clicking on the Structures tab will bring up the structures

41
00:03:16,880 --> 00:03:17,180
window.

42
00:03:17,180 --> 00:03:24,740
This structures window lists the layout of the standard data structures used in the program, and it

43
00:03:24,740 --> 00:03:28,520
also allows you to create your own data structures here.
44
00:03:28,520 --> 00:03:35,270
And we have the imports window here, clicking on the Structures tab.

45
00:03:35,960 --> 00:03:43,610
After clicking on the Structures tab, we can also click on Imports, Exports here, and in Imports here...

46
00:03:44,150 --> 00:03:50,000
this imports window lists all of the functions imported by the binary.

47
00:03:50,000 --> 00:03:57,830
So here, you can see the imported functions and the shared libraries, which are also called

48
00:03:57,830 --> 00:04:02,840
DLLs, from which these functions are imported, and...

49
00:04:03,890 --> 00:04:06,880
We have the exports window as well.

50
00:04:06,890 --> 00:04:10,370
So this exports window lists all the exported functions.

51
00:04:10,370 --> 00:04:13,640
So the exported functions are normally found in DLLs.

52
00:04:13,640 --> 00:04:18,070
So this window can be useful when you are analyzing malicious DLLs.

53
00:04:18,080 --> 00:04:24,110
In this case, we don't really have any exports because this is just a Hello World application,

54
00:04:24,110 --> 00:04:26,810
an executable file and not a DLL here.

55
00:04:26,810 --> 00:04:32,090
And we also have the strings window.

56
00:04:32,090 --> 00:04:34,700
It does not show the strings window by default.

57
00:04:34,700 --> 00:04:40,610
So you can bring up the strings window by clicking on View.

58
00:04:41,000 --> 00:04:42,260
Here.

59
00:04:43,030 --> 00:04:48,850
View, and in View we will click on Open subviews.

60
00:04:49,330 --> 00:04:49,870
Here.

61
00:04:51,150 --> 00:04:55,170
And there's also a shortcut for this, which I will show you right now.

62
00:04:55,170 --> 00:05:00,900
And as you can see here in View, we can click on Open subviews here.

63
00:05:01,170 --> 00:05:04,830
And after that, we will select Strings.

64
00:05:05,780 --> 00:05:13,400
And as you can see, we also have the shortcut for it, Shift+F12, and that's it.
65
00:05:13,430 --> 00:05:15,530
We have the strings window here.

66
00:05:15,530 --> 00:05:21,800
So the strings window displays the list of strings extracted from the binary and the address

67
00:05:21,800 --> 00:05:23,780
where these strings can be found.

68
00:05:23,780 --> 00:05:30,680
And by default, the strings window displays only the null-terminated ASCII strings of

69
00:05:30,680 --> 00:05:34,910
at least five characters in length, and in the next lecture...

70
00:05:34,920 --> 00:05:41,450
Actually, in the previous lecture with Ghidra, we saw that a malicious binary can use Unicode strings,

71
00:05:41,450 --> 00:05:45,980
and you can configure IDA to display different types of strings.

72
00:05:46,190 --> 00:05:53,400
And to do that, while you are in the strings window, right click on Setup and you can select the...

73
00:05:54,650 --> 00:05:57,470
string types here.

74
00:05:57,620 --> 00:06:07,280
We have the Unicode, C-style 16 bits, C-style 32 bits, Pascal style, Pascal style 64, 16 bits and so

75
00:06:07,280 --> 00:06:07,790
on.

76
00:06:07,790 --> 00:06:10,970
And we also have the segments window.

77
00:06:10,970 --> 00:06:19,280
So the segments window is available at View, Open subviews, and after that we will select Segments,

78
00:06:19,280 --> 00:06:26,990
or we can also use Shift+F7 to bring it up, and here...

79
00:06:29,030 --> 00:06:31,250
And here we have the...

80
00:06:33,710 --> 00:06:38,600
Open subviews, and we will see the segments right now.

81
00:06:39,080 --> 00:06:44,910
Open subviews and Segments, and the segments window.

82
00:06:44,930 --> 00:06:51,080
This section is like the .text, .data and so on in this binary file.

83
00:06:51,080 --> 00:06:57,980
And the displayed information contains the start address and the end address and the memory permissions

84
00:06:57,980 --> 00:07:01,160
of each section.
85
00:07:01,980 --> 00:07:10,350
And the start and end address specify the virtual address of each section that is mapped into memory

86
00:07:10,380 --> 00:07:12,000
during runtime.