Tuesday, May 19, 2020

Tagging ARM Syscalls in IDA

While reversing ARM binaries you will come across multiple syscalls, each of which performs a specific operation. Every syscall is identified by a unique number. For instance, on 32-bit ARM the syscall number for the "FORK" function is 2.

A typical syscall first loads the syscall number into the "R7" register with a "MOV" or "LDR" instruction, followed by an "SVC" (supervisor call) instruction, or an "SWI" (software interrupt) instruction in older code.



In this case the "R7" register is loaded with the value "0x121" and then a supervisor call is issued. The value 0x121 here refers to the "send" syscall.

It suffices to say that it quickly becomes tedious to look back and forth at the ARM syscall table to find the function name for each syscall number. The IDA Python script below comes in handy: it automatically comments each syscall with the corresponding function name and renames the function from which the syscall is invoked.

Save and run the script in IDA and you should see the results.
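The post's own script is not reproduced on this page, so the following is an added example of mine, not the author's code, showing one way to implement the same idea. The syscall table is a small subset of the 32-bit ARM (EABI) Linux numbers (fork = 2, send = 0x121 and a handful of socket calls); a full table would be generated from the kernel's `arch/arm/tools/syscall.tbl`. The `find_syscalls` function works on plain `(address, disassembly text)` pairs so it can be exercised outside IDA on the constructed `SAMPLE` listing; `tag_in_ida` is the IDA wrapper and only runs when the `idautils`/`idc` modules are available. The naming scheme `sub_XXXX_send` for renamed functions is my choice, not anything the post prescribes.

```python
import re

# Subset of the 32-bit ARM (EABI) Linux syscall table, constructed for this
# example. Extend it from the kernel's arch/arm/tools/syscall.tbl for full coverage.
ARM_SYSCALLS = {
    0x01: "exit", 0x02: "fork", 0x03: "read", 0x04: "write", 0x05: "open",
    0x06: "close", 0x0B: "execve",
    0x119: "socket", 0x11A: "bind", 0x11B: "connect", 0x11C: "listen",
    0x11D: "accept", 0x121: "send", 0x122: "sendto", 0x123: "recv",
    0x124: "recvfrom",
}

# An immediate written into R7: "MOV R7, #0x121", "MOVS R7, #4", "LDR R7, =0x121"
R7_IMM = re.compile(r"^(?:MOV|MOVS|MOVW|LDR)\s+R7,\s*[#=](0x[0-9A-Fa-f]+|\d+)$", re.I)
# Any other instruction that writes R7 (e.g. "MOV R7, R0", "LDR R7, [SP,#4]") makes
# the syscall number unknown. STR/CMP/TST/TEQ only read R7, so they are excluded.
R7_WRITE = re.compile(r"^(?!STR|CMP|TST|TEQ)\w+\s+R7,", re.I)
SVC = re.compile(r"^(?:SVC|SWI)\b", re.I)


def normalize(text):
    """Drop a trailing ';' comment and collapse whitespace in a disassembly line."""
    return " ".join(text.split(";")[0].split())


def find_syscalls(lines):
    """lines: iterable of (ea, disassembly text) in address order.
    Returns a list of (svc_ea, syscall number or None, syscall name or None).
    The number is None when R7 was not last set by an immediate before the SVC."""
    r7 = None
    found = []
    for ea, text in lines:
        text = normalize(text)
        m = R7_IMM.match(text)
        if m:
            r7 = int(m.group(1), 0)
        elif R7_WRITE.match(text):
            r7 = None
        elif SVC.match(text):
            name = ARM_SYSCALLS.get(r7) if r7 is not None else None
            found.append((ea, r7, name))
    return found


def comment_text(number, name):
    """Comment placed on the SVC/SWI instruction."""
    if number is None:
        return "syscall (number not resolved: R7 not set by an immediate)"
    return "syscall 0x%X (%s)" % (number, name or "unknown")


def suggest_function_name(current, name):
    """Append the syscall name to IDA's default sub_XXXX names only; leave
    user-chosen or symbol-derived names alone, and do not append twice."""
    if not current.startswith("sub_") or name in current.split("_"):
        return current
    return "%s_%s" % (current, name)


def tag_in_ida():
    """Apply comments and renames inside IDA (requires the IDAPython modules)."""
    import idautils, idc  # only importable when run from within IDA
    for func_ea in idautils.Functions():
        items = [(ea, idc.GetDisasm(ea)) for ea in idautils.FuncItems(func_ea)]
        for svc_ea, number, name in find_syscalls(items):
            idc.set_cmt(svc_ea, comment_text(number, name), 0)
            if name:
                old = idc.get_func_name(func_ea)
                new = suggest_function_name(old, name)
                if new != old:
                    idc.set_name(func_ea, new, idc.SN_CHECK)


# Constructed sample listing, mimicking IDA's output, for running outside IDA.
SAMPLE = [
    (0x10000, "MOV     R7, #0x121"),
    (0x10004, "SVC     0"),
    (0x10008, "LDR     R7, =0x2"),
    (0x1000C, "MOV     R0, #0"),
    (0x10010, "SVC     0"),
    (0x10014, "MOV     R7, R0"),       # R7 no longer a known immediate
    (0x10018, "SVC     0"),
    (0x1001C, "MOV     R7, #0x999"),   # number not in the table
    (0x10020, "SWI     0"),
]

if __name__ == "__main__":
    try:
        tag_in_ida()
    except ImportError:
        for ea, number, name in find_syscalls(SAMPLE):
            print(hex(ea), comment_text(number, name))
```

Two caveats worth keeping in mind when using something like this: the R7 tracking is purely linear within a function, so a syscall number set in one basic block and consumed after a branch from another will be reported as unresolved rather than guessed, and a wrong entry in the table silently mislabels every matching SVC, so generate the table from the kernel source for the exact architecture and ABI of the binary.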
