Applying custom structures makes the result of decompilation much more readable.
This is how the same fragment of code looks before and after the proper structures are applied:
In this short post, I will demonstrate how to add custom structure definitions into IDA, using a PE structure as the example.
Creating the structure
My definition of PE file structure is available here.
Note that some of the data types that we would normally use when writing C/C++ code on Windows are not available in IDA, and other types may be defined a bit differently. For example, types such as WORD and DWORD from windows.h are defined in IDA, but with a “_” prefix. For example:
_WORD e_res2;
_DWORD e_lfanew;
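As an added example (not part of the original post or the author's definition file): a DOS header written with IDA-style `_WORD`/`_DWORD` types and compiled outside IDA, so that the layout can be checked before the struct is pasted into Local Types. The struct name `my_dos_header`, the two typedefs and the helper `pe_header_offset` are assumptions made for this example; the field layout is the standard DOS header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for IDA's types; in IDA paste only the struct, not these typedefs. */
typedef uint16_t _WORD;
typedef uint32_t _DWORD;

#pragma pack(push, 1)
struct my_dos_header {              /* hypothetical name */
    _WORD  e_magic;                 /* "MZ" */
    _WORD  e_cblp, e_cp, e_crlc, e_cparhdr;
    _WORD  e_minalloc, e_maxalloc;
    _WORD  e_ss, e_sp, e_csum, e_ip, e_cs;
    _WORD  e_lfarlc, e_ovno;
    _WORD  e_res[4];
    _WORD  e_oemid, e_oeminfo;
    _WORD  e_res2[10];
    _DWORD e_lfanew;                /* file offset of the PE header */
};
#pragma pack(pop)

/* A wrong size or offset would mislabel every later field in the decompiler. */
_Static_assert(sizeof(struct my_dos_header) == 0x40, "DOS header is 64 bytes");
_Static_assert(offsetof(struct my_dos_header, e_res2) == 0x28, "e_res2 offset");
_Static_assert(offsetof(struct my_dos_header, e_lfanew) == 0x3C, "e_lfanew offset");

/* Returns e_lfanew, or -1 if buf is not a plausible DOS header (little-endian host assumed). */
long pe_header_offset(const unsigned char *buf, size_t len)
{
    struct my_dos_header hdr;
    if (buf == NULL || len < sizeof hdr)
        return -1;
    memcpy(&hdr, buf, sizeof hdr);  /* copy out to avoid unaligned access */
    if (hdr.e_magic != 0x5A4D)      /* 'M','Z' read as a little-endian word */
        return -1;
    if (hdr.e_lfanew > len - 4)     /* no room left for the 4-byte PE signature */
        return -1;
    return (long)hdr.e_lfanew;
}

int main(void)
{
    unsigned char img[0x100] = {0}; /* constructed sample, not a real file */
    img[0] = 'M'; img[1] = 'Z'; img[0x3C] = 0x80;
    printf("e_lfanew = 0x%lx\n", (unsigned long)pe_header_offset(img, sizeof img));
    return 0;
}
```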
Adding the structure into IDA
With the help of the following steps, we can add the custom structure into IDA.
1 – First we need to open the subview “local types” where all such definitions are stored:
2 – We click on “Insert…”
3 – The window for the new definition opens. We can paste our custom structure there.
4 – After we paste it and click OK, the new types should appear in the list.
Using the custom structures
Now our custom structures are ready to be used!
Whenever we find a variable that has that type, we can convert it to our custom structure. For example:
1 – Select the variable that you want to convert:
2 – Select the structure from the list:
Sometimes you may need to manually refresh the decompiler view by pressing F5.
And it’s ready!
Note that although the PE header was used here as an example, some of the common structures (including this one) are already predefined in IDA, and can be referenced by their names.