.a man asked me: is it possible to load two or more files into the same single IDA Pro database. for example, we have NOTEPAD.EXE and want to load two additional files: KERNEL32.DLL and NTDLL.DLL to see how they interact with each other.
as an author of "thinking in IDA Pro", knowing her internals like my own pocket (IDA Pro is a female name and, yep, I don't know what I might find in my pocket next time), I said: yep, it's simple. no problem, man!
IDA Pro has linear address space emulates x86 CPU flat memory model (well, not only x86, it works with other CPUs too). the loader loads a file into virtual memory and does everything has to be done.
there is two solutions to load more files
first: we load the next file as an additional binary file (menu File, Load file, Additional binary file...). IDA Pro does nothing, just load the file, leaves us to parse all internal PE/ELF structures (I saw some IDC-scripts, written by Symantec team, but don't remember the link). this is tedious job, so, thanks, but no thanks!
second: we use IDA Pro function: bool ida_export load_nonbinary_file (const char *original_file_name, const char *real_file_name, const char *sysdlldir, ushort _neflags, load_info_t *loader), where "loader" - result returned by load_info_t *ida_export build_loaders_list( const char *filename), - see \IDA\SDK\include\ loader.hpp. of course, we have to free the pointer with qfree function (see file pro.h).
this is all. well... since we have linear address space, we must avoid file overlapping, that means all files are supposed to have different base addresses. if they are match - we must to re-base one of them before loading (if files have relocations it's very simple, otherwise, extremely tricky, however, it's possible).
so, we come to plug-in, looking like this one:
void idaapi run(int arg)
{
load_info_t *ld;
warning("plugin \"dual-load\" is called!");
/* NOTE: KERNEL32.DLL and NTDLL.DLL has to be in the current directory!!! */
ld = build_loaders_list("KERNEL32.DLL");
load_nonbinary_file("KERNEL32.DLL", "KERNEL32.DLL", ".", NEF_SEGS | NEF_RSCS | NEF_NAME | NEF_IMPS | NEF_CODE, ld);
/* qfree(ld);
ld = build_loaders_list("NTDLL.DLL"); */
load_nonbinary_file("NTDLL.DLL", "NTDLL.DLL", ".", NEF_SEGS | NEF_RSCS | NEF_NAME | NEF_IMPS | NEF_CODE, ld);
qfree(ld);
}
ok, we load notepad.exe into IDA Pro, call our plug-in and... have a fun!!! notepad.exe, kernel32.dll and ntdll.dll are loaded into the same idb-database! the only problem is: IDA Pro doesn't create cross-references between them. I mean, if you analyze notepad.exe, move the cursor to call ds:GetModuleHandleA, press "enter" and... nothing happens! you're into the import table of notepad.exe. and where is the export? somewhere... but, this is not a problem, really, since, we can find GetModuleHandleA in the "Names Windows" (called by Shift-F4) or write a simple IDC-script to create cross-reference between import and export, it's like to build a bridge :-]
I think, we all have to ask Ilfak for this feature, why just don't add it to user menu? it would be _very_ usefully.
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}