When dealing with structure instances in disassembly, sometimes you may want to change how IDA displays them, but how to do it is not always obvious. Let’s have a look at some examples.
Win32 section headers
Let’s say you have loaded the PE file header using manual load, or found an embedded PE file in your binary, and want to format its PE header nicely. Thanks to the standard type libraries, you can import standard Win32 structures such as IMAGE_NT_HEADERS or IMAGE_SECTION_HEADER and apply them to the header area:
However, because the Name field is declared simply as a BYTE array in the original structure, IDA shows it as bytes instead of a nice readable string. Without the struct, we could use the Create string (A) command, but it is also possible to show the string as part of the structure instance.
Changing structure field representation
To change how a specific field should be formatted in the disassembly, go to it in the structure definition in the Structures window and use Edit or the context menu. For example, use the String (A) action to have IDA format the Name byte array as a string.
When you edit an imported structure for the first time, you may get this warning:
Because the field type representation cannot be specified in Local Types, we have to edit the structure, so answer Yes to continue. A dialog to specify the string length will be displayed; just confirm it:
The field will gain a comment indicating that the array is now a string:
And the struct instances in the binary will now show the first field as a string:
In addition to strings, you can of course change the representation of other structure fields, similarly to operand representation for instructions. For example, you can change the SizeOfRawData field to be printed in decimal instead of the default hex.
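The same two presentation choices outside IDA, as an added example that is not from the original post: a stand-alone Python parser that reads IMAGE_SECTION_HEADER records, renders Name as a string and shows SizeOfRawData in decimal next to hex. The helper names and the sample bytes are constructed for illustration.

```python
import struct
from collections import namedtuple

# IMAGE_SECTION_HEADER layout from winnt.h: 40 bytes, little-endian.
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)

SectionHeader = namedtuple("SectionHeader", [
    "Name", "VirtualSize", "VirtualAddress", "SizeOfRawData",
    "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers",
    "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics",
])

def decode_name(raw):
    """Render the BYTE[8] Name array as a string.

    The field is NUL-padded, but a name of exactly 8 characters has no
    terminator, so cut at the first NUL instead of expecting one.
    """
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def parse_section_headers(data, count, offset=0):
    """Parse `count` consecutive section headers starting at `offset`."""
    headers = []
    for i in range(count):
        start = offset + i * SECTION_SIZE
        if start + SECTION_SIZE > len(data):
            raise ValueError(f"section header {i} is truncated")
        fields = struct.unpack_from(SECTION_FMT, data, start)
        headers.append(SectionHeader(decode_name(fields[0]), *fields[1:]))
    return headers

def format_header(h):
    """Name as a string, SizeOfRawData in decimal with hex for comparison."""
    return f"{h.Name!r:<12} SizeOfRawData={h.SizeOfRawData} (0x{h.SizeOfRawData:X})"

# Constructed sample: two section headers; ".textbss" fills all 8 bytes of Name.
SAMPLE = (
    struct.pack(SECTION_FMT, b".text", 0x1A2C, 0x1000, 0x1C00, 0x400, 0, 0, 0, 0, 0x60000020)
    + struct.pack(SECTION_FMT, b".textbss", 0x10000, 0x3000, 0, 0, 0, 0, 0, 0, 0xE00000A0)
)

if __name__ == "__main__":
    for header in parse_section_headers(SAMPLE, 2):
        print(format_header(header))
```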
IDA Help: Assembler level and C level types
Igor’s tip of the week #46: Disassembly operand representation