Igor’s Tip of the Week #122: Manual load

To save on analysis time and database size, by default IDA only tries to load relevant parts of the binary (e.g. those that are expected or known to contain code). However, there may be cases when you want to see more, or even everything the binary contains. You can always load the file as plain binary and mark it up manually, using IDA as a sort of a hybrid hex editor, but this way you lose the features handled by the built-in loaders such as names from the symbol table, automatic function boundaries from the file metadata and so on. So it may be interesting to have more granular control over the file loading process.

To support such scenarios, IDA offers the Manual load checkbox in the initial load dialog.

What happens when the option is checked depends on the loader. For example, the PE loader may allow you to pick another load base (image base), choose which sections to load, and whether to parse some optional metadata which could, for example, be corrupted and result in bad analysis.

The ELF loader behaves in a similar manner

If you want IDA to always load all PE sections, you can edit cfg/pe.cfg and set the option PE_LOAD_ALL_SECTIONS:

// Always load all sections of a PE file?
// If no, sections like .reloc and .rsrc are skipped

PE_LOAD_ALL_SECTIONS = YES

See also:

IDA Help: Load file dialog

 

Article Link: Igor’s Tip of the Week #122: Manual load – Hex Rays