Creating user-defined structures can be quite useful in both disassembly and pseudocode when dealing with code that uses custom types. However, they are useful not only in code but also in data areas.
As an example, let’s consider an MFC program which uses message maps. These maps are present in the constant data area of the program and are initially represented by IDA as a mix of numbers and offsets:
To make sense of it, we can consult the AFX_MSGMAP_ENTRY structure defined in afxwin.h:
struct AFX_MSGMAP_ENTRY
{
    UINT nMessage;   // windows message
    UINT nCode;      // control code or WM_NOTIFY code
    UINT nID;        // control ID (or 0 for windows messages)
    UINT nLastID;    // used for entries specifying a range of control id's
    UINT_PTR nSig;   // signature type (action) or pointer to message #
    AFX_PMSG pfn;    // routine to call (or special value)
};
To quickly add the structure to the database, we can use the Local Types window after replacing the MFC-specific AFX_PMSG type with a void pointer:
Once the structure has been synchronized to the IDB, it can be used in the disassembly listing. In cases where the candidate area is undefined and the list of available structures is small, you can use the context menu:
If there are too many candidates, or the data is already defined (e.g. converted to an array by autoanalysis), you can directly use the Edit > Struct var… menu item, or the shortcut Alt-Q.
In either case, IDA will use the structure layout to show the data as corresponding fields:
Note that the dummy name of the location changes to reflect the fact that it’s a structure instance.
Once a structure instance is defined, you can:
In addition to the “Struct var…” action or the context menu, you can also quickly apply a structure to data by specifying its name in the “Set type…” command (Y shortcut).
This approach also works for structures which have not yet been imported to the IDB or are present only in the loaded type libraries.
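To see what applying the AFX_MSGMAP_ENTRY layout to a data area amounts to, the following Python code decodes a message map from raw bytes for both 32-bit and 64-bit targets. It is an added example, not code from the original post or from IDA; `entry_format`, `parse_msgmap`, `describe` and the sample bytes are constructed here, and it assumes the table ends with an all-zero entry.

```python
import struct
from collections import namedtuple

# Field order follows the AFX_MSGMAP_ENTRY declaration quoted above.
Entry = namedtuple("Entry", "nMessage nCode nID nLastID nSig pfn")

def entry_format(ptr_size):
    """struct format for one entry: UINT is 4 bytes, UINT_PTR and pfn are pointer-sized."""
    if ptr_size not in (4, 8):
        raise ValueError("ptr_size must be 4 or 8")
    return "<4I2" + ("I" if ptr_size == 4 else "Q")

def parse_msgmap(data, ptr_size=4, offset=0):
    """Decode entries from data until the terminating entry (assumed to be all-zero)."""
    fmt = struct.Struct(entry_format(ptr_size))
    entries = []
    while True:
        if offset + fmt.size > len(data):
            raise ValueError("table runs past end of data without a terminator")
        e = Entry(*fmt.unpack_from(data, offset))
        offset += fmt.size
        if not any(e):
            return entries
        entries.append(e)

# Constructed sample: two handlers plus the terminator, 32-bit layout.
# The nSig and pfn values are made up for illustration.
SAMPLE = b"".join(struct.pack("<6I", *e) for e in [
    (0x000F, 0, 0, 0, 0x13, 0x00401230),        # WM_PAINT
    (0x0111, 0, 1000, 1000, 0x39, 0x00401480),  # WM_COMMAND, control ID 1000
    (0, 0, 0, 0, 0, 0),                         # terminator
])

def describe(entries):
    """One printable line per entry, similar to a per-field structure view."""
    return ["msg=%#06x id=%d..%d sig=%#x pfn=%#010x"
            % (e.nMessage, e.nID, e.nLastID, e.nSig, e.pfn) for e in entries]

if __name__ == "__main__":
    for line in describe(parse_msgmap(SAMPLE)):
        print(line)
```
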
See also:
IDA Help: Declare a structure variable
Igor’s tip of the week #11: Quickly creating structures
Igor’s tip of the week #12: Creating structures with known size
Igor’s tip of the week #94: Variable-sized structures