Dumping packed executables using minidumps

I have been using this method regularly for about a year now and have found it to be very reliable against most common packers that unpack the binary into memory, while being very convenient at the same time. Minidumps can be created programmatically using Microsoft's DbgHelp API or simply by right-clicking a process in the Task Manager. Should a packer ever detect the minidump creation, for example using a ring 3 rootkit, you could still run the target executable in a VM and trigger a bluescreen to obtain a crash dump (a few additional steps would be required here). The obtained minidump can then be processed for further analysis using WinDbg.

IDASkins – taking theming IDA outside the disassembly

A few months ago I wrote a small but capable plugin for IDA Pro that lets you theme everything IDA's built-in color settings cannot reach. By default it ships with a dark theme intended to be combined with the idaConsonance IDA color theme; custom themes can be created using Qt stylesheets. You can find information about creating themes on the GitHub project page.

Identifying library code in statically linked binaries

I recently saw someone asking for a way to apply the .pdb file of a static library to a binary that links it. Even if that is probably possible with some extra effort, there is a better way to get the same benefit without having to deal with .pdb files at all: IDA's FLIRT signature feature (Fast Library Identification and Recognition Technology). While most IDA users know that IDA applies some sort of compiler-specific signatures to binaries, many of them don't know that you can generate such signature files from any static library yourself without much effort.