Ida tips: how to use a custom structure

Applying custom structures make the result of decompilation much more readable.

This is how the same fragment of the code looks before and after proper structures being applied:

Before:

After:

In this short post, I will demonstrate how to add such structures into IDA, on the example of a PE structure.

Creating the structure

My definition of PE file structure is available here.

Note, that some of the data types that we would normally use when we write a C/C++ code on Windows, are not available in IDA. And other types may be defined a bit differently. For example, the types such as WORD and DWORD from windows.h are defined in IDA, but with a “_” prefix. For example:

 _WORD e_res2[10];
 _DWORD e_lfanew;

Adding the structure into IDA

With the help of the following steps, we can add the custom structure into IDA.

1 – First we need to open the subview “local types” where all such definitions are stored:

2 – We click on “Insert…”

3 – The window for the new definition opens. We can paste there our custom structure.

4 – After we pasted and clicked OK, the new types should appear on the list.

Using the custom structures

Now our custom structures are ready to be used!

Whenever we find a variable that has the that type, we can convert it to our custom structure. For example:

1 – Select the variable that you want to convert:

2 – Select the structure from the list:

Sometimes you may need to manually refresh the decompiler view, by pressing F5.

And it’s ready!

About hasherezade

Programmer and researcher, interested in InfoSec.
This entry was posted in Tutorial and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s