As covered before, the action “Create struct from selection” can be used to quickly create structures from existing data items.
However, Disassembly view not the only place where it can be used. For example, let’s imagine you’ve created a structure to represent some context used by the binary being analyzed:
00000000 Context struc ; (sizeof=0x1C) 00000000 version dd ? 00000004 pid dd ? 00000008 tid dd ? 0000000C listhead dd ? ; offset 00000010 listtail dd ? ; offset 00000014 count dd ? 00000018 filename dd ? 0000001C Context ends
But as you analyze the code further, you realize that the list structure is generic and is used in other places independently. In this simple scenario you can, of course, create a separate List
structure and replace the fields inside Context
with it, but what if the substructure is big and contains hundreds of fields? Using “Create struct from selection” allows you to perform the task easily and quickly:
- select the subset of fields you want to extract;
- invoke the action
- rename the new structure and/or fields as necessary.
Extracting structures from the stack frame
One more place where this action can be used is the stack frame view, because internally it is a kind of a structure.
See also:
Igor’s tip of the week #11: Quickly creating structures
Igor’s tip of the week #03: Selection in IDA