Igor’s Tip of the Week #170: Instantiating structures

Creating user-defined structures can be quite useful both in disassembly and pseudocode when dealing with code using custom types. However, they are useful not only in code but also in data areas.

MFC message maps

As an example, let’s consider an MFC program which uses message maps. These maps are present in the constant data area of the program and are initially represented by IDA as a mix of numbers and offsets:

To make sense of it, we can consult the AFX_MSGMAP_ENTRY structure defined in afxwin.h:

struct AFX_MSGMAP_ENTRY
{
	UINT nMessage; // windows message
	UINT nCode; // control code or WM_NOTIFY code
	UINT nID; // control ID (or 0 for windows messages)
	UINT nLastID; // used for entries specifying a range of control id's
	UINT_PTR nSig; // signature type (action) or pointer to message #
	AFX_PMSG pfn; // routine to call (or special value)
};

To quickly add the structure to the database, we can use the Local Types window after replacing the MFC-specific AFX_PMSG type with a void pointer:

Applying structure to data

Once the structure has been synchronized to the IDB, it can be used in the disassembly listing. In cases where the candidate area is undefined and the list of available structures is small, you can use the context menu:

If there are too many candidates, or the data is already defined (e.g. converted to an array by autoanalysis), you can directly use the Edit > Struct var… menu item, or the shortcut Alt–Q.

In either case, IDA will use the structure layout to show the data as corresponding fields:

Note that the dummy name of the location changes to reflect the fact that it’s a structure instance.
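
What laying AFX_MSGMAP_ENTRY over the raw bytes amounts to, as a standalone Python sketch added here (not code from the original post, and not how IDA implements it). The sample bytes, handler addresses and nSig values are constructed, and the all-zero terminating entry and the 4- or 8-byte pointer size are assumptions about the target binary.

```python
import struct
from collections import namedtuple

# Field names follow AFX_MSGMAP_ENTRY as quoted from afxwin.h above.
Entry = namedtuple("Entry", "nMessage nCode nID nLastID nSig pfn")

def entry_struct(ptr_size):
    """Four 32-bit UINTs, then UINT_PTR nSig and the pfn pointer."""
    if ptr_size == 4:
        return struct.Struct("<4I2I")   # 24 bytes per entry
    if ptr_size == 8:
        return struct.Struct("<4I2Q")   # 32 bytes; offset 16 is already 8-aligned
    raise ValueError("ptr_size must be 4 or 8")

def parse_message_map(data, ptr_size=4, offset=0):
    """Decode entries until the all-zero terminator (assumed end marker)."""
    st = entry_struct(ptr_size)
    entries = []
    while offset + st.size <= len(data):
        entry = Entry(*st.unpack_from(data, offset))
        if not any(entry):
            return entries
        entries.append(entry)
        offset += st.size
    # Running off the buffer usually means a wrong start or pointer size.
    raise ValueError("no terminating entry found")

# Constructed 32-bit sample: two handlers plus terminator. Addresses and
# nSig values are made up for illustration.
SAMPLE = (
    struct.pack("<6I", 0x000F, 0, 0, 0, 0x13, 0x00401230)              # WM_PAINT
    + struct.pack("<6I", 0x0111, 0, 0x8003, 0x8003, 0x3A, 0x00401450)  # WM_COMMAND
    + bytes(24)
)

if __name__ == "__main__":
    for e in parse_message_map(SAMPLE):
        print(f"msg={e.nMessage:#06x} id={e.nID:#x}..{e.nLastID:#x} "
              f"sig={e.nSig:#x} handler={e.pfn:#010x}")
```

Decoding the same bytes with the wrong pointer size never reaches a terminator, which is a quick sanity check that the structure definition matches the binary's bitness.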

Once a structure instance is defined, you can:

  1. create an array of structures (e.g. using the * shortcut);
  2. switch between the terse and full structure representation.

Applying structures by retyping

In addition to the “Struct var…” action or the context menu, you can also quickly apply a structure to data by specifying its name in the “Set type…” command (Y shortcut).

This approach also works for structures which have not yet been imported to the IDB or are present only in the loaded type libraries.

See also:

IDA Help: Declare a structure variable

Igor’s tip of the week #11: Quickly creating structures

Igor’s tip of the week #12: Creating structures with known size

Igor’s tip of the week #94: Variable-sized structures

 

Article Link: Igor’s Tip of the Week #170: Instantiating structures – Hex Rays