State-of-the-art binary code analysis tools

You may have observed that IDA knows about standard APIs or library functions and adds automatic function comments for the arguments passed to them.

For example, here’s a fragment of disassembly with commented arguments to Win32 APIs CreateFileW and ReadFile:

This works well when functions are imported in a standard way and are known at load time. However, there may be cases when the actual function is only known after analysis (e.g. imported dynamically using  GetProcAddress or using a name hash). In that case, there may be only a call to some dummy name and no commented arguments:

You can of course add a comment that dword_4031A5 is CreateFileA, and comment arguments manually, but this can be quite tedious. Is there a way to do it automatically? 

In fact, it is sufficient to simply rename the pointer variable to the corresponding API name for IDA to pick up the prototype and comment the arguments:

A few notes about this feature:

  1. The function prototype must be present in one of the loaded type libraries;
  2. The comments are added only for  code inside a function, so you may need to create one around the call (e.g. in case of decrypted or decompressed code);
  3. if the function is called in many places, it may take a few seconds for IDA to analyze and comment all call sites.