Applying custom structures makes the result of decompilation much more readable.
This is how the same fragment of code looks before and after the proper structures are applied:
In this short post, I will demonstrate how to add such structures into IDA, using a PE structure as the example.
Creating the structure
My definition of PE file structure is available here.
Note that some of the data types we would normally use when writing C/C++ code on Windows are not available in IDA, and other types may be defined a bit differently. For example, some types known from windows.h are defined in IDA, but with a “_” prefix, as in these fields:
_WORD e_res2;
_DWORD e_lfanew;
Adding the structure into IDA
With the help of the following steps, we can add the custom structure into IDA.
1 – First we need to open the subview “local types” where all such definitions are stored:
2 – We click on “Insert…”
3 – The window for the new definition opens. We can paste there our custom structure.
4 – After we pasted and clicked OK, the new types should appear on the list.
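As an added example (not the author's linked definition), here is a DOS header written with the _WORD and _DWORD names, so the struct itself can be pasted into the Local Types window. The typedefs, the name my_dos_header, the two helper functions and the sample buffer are assumptions added so the layout can be compiled and checked outside IDA first; a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Needed only when compiling outside IDA, which already provides these. */
typedef uint16_t _WORD;
typedef uint32_t _DWORD;

/* Hypothetical name; the field layout follows IMAGE_DOS_HEADER. */
struct my_dos_header {
    _WORD  e_magic;      /* 'MZ' */
    _WORD  e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc;
    _WORD  e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno;
    _WORD  e_res[4];
    _WORD  e_oemid, e_oeminfo;
    _WORD  e_res2[10];
    _DWORD e_lfanew;     /* file offset of the PE signature */
};

/* A wrong layout would make IDA label the wrong bytes, so check it first. */
_Static_assert(sizeof(struct my_dos_header) == 64, "DOS header is 64 bytes");
_Static_assert(offsetof(struct my_dos_header, e_lfanew) == 0x3C, "e_lfanew at 0x3C");

/* Returns the PE signature offset, or -1 if buf is not a plausible PE image. */
long pe_header_offset(const uint8_t *buf, size_t len)
{
    struct my_dos_header dos;
    if (buf == NULL || len < sizeof dos)
        return -1;
    memcpy(&dos, buf, sizeof dos);            /* avoids unaligned reads */
    if (dos.e_magic != 0x5A4D)                /* "MZ" read as little-endian */
        return -1;
    if (dos.e_lfanew > len - 4)               /* signature must fit in buf */
        return -1;
    if (memcmp(buf + dos.e_lfanew, "PE\0\0", 4) != 0)
        return -1;
    return (long)dos.e_lfanew;
}

/* Constructed sample (len must be at least 64): MZ, e_lfanew, PE signature. */
void build_sample(uint8_t *buf, size_t len, uint32_t lfanew)
{
    memset(buf, 0, len);
    memcpy(buf, "MZ", 2);
    memcpy(buf + 0x3C, &lfanew, 4);
    if (lfanew <= len - 4)
        memcpy(buf + lfanew, "PE\0\0", 4);
}
```

When pasting into IDA, leave out the includes, the typedefs and the functions; only the struct definition belongs in Local Types.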
Using the custom structures
Now our custom structures are ready to be used!
Whenever we find a variable that has that type, we can convert it to our custom structure. For example:
1 – Select the variable that you want to convert:
2 – Select the structure from the list:
Sometimes you may need to manually refresh the decompiler view, by pressing F5.
And it’s ready!