Igor’s tip of the week #73: Output window and logging

Malware Analysis
1

Output window is part of IDA’s default desktop layout and shows various messages from IDA and possibly third-party components (plugins, processor modules, scripts…). It also contains the Command-line interface (CLI) input box.

Opening the Output window

Although it is present by default, it is possible to close this window, or use a desktop layout without it. If this happens, one way to restore it is to use Windows  >  Reset desktop to bring the layout to the initial state. But you can also use:

  • Windows > Output window (shortcut Alt+0), to (re)open it and focus on the text box (for example, to select text for copying);
  • Windows > Focus command line (Shortcut Ctrl+.) to switch to the CLI input field, which also re-opens the Output window if it was closed.

Context menu

There are several actions available in the text box of the Output window, which can be consulted by opening the context menu:

For example, similarly to other IDA windows, you can search for text using Alt+T/Ctrl+T shortcuts, or clear the current text to easier see output of a script you’re planning to run.

Timestamps

Starting from IDA 7.7, you can turn on timestamps for every message printed to the Output window. They are stored independently from the text so can be turned on or off at any point and affect all (past and future) messages in the current IDA session.

Navigation

Double-clicking on an address or identifier in Output window will jump to the corresponding location (if it exists) in the last active disassembly, pseudocode, or Hex view. This can be useful when writing quick scripts: just print addresses or names of interest using msg() function and double-click to inspect them in the disassembly listing.

Logging to file

Logging of the messages in Output window to a file can be especially useful when using IDA in batch mode, but also in other situations (e.g. debugging scripts or plugins). The following options exist to enable it:

  1. set environment variable IDALOG to a filename. If the path is not absolute, the file will be created in the current directory. All IDA run afterwards will append output to the same file, so it can contain information from multiple runs.
  2. pass the -L<file> command line switch to IDA. Note that it has to precede the input filename.
  3. On-demand, one-time saving can be done via “Save to file” context menu command (shortcut Ctrl+S).

Note: if you have enabled timestamps in IDA, they will be added in the log file too (and in all future IDA sessions). There is currently no possibility to turn timestamps on or off via environment variable or command line switch.

 

 

Article Link: Igor’s tip of the week #73: Output window and logging – Hex Rays