当一个结构被 malloc 时,很明显该结构有多大。然而,为 256 字节的结构声明 64 个虚拟 dword 字段是非常乏味的。将结构声明为具有固定大小的数组并没有多大帮助,因为您不能单独命名元素。目前我正在使用 AutoHotKey 脚本来添加字段,无论出于何种原因,该脚本今天都停止了工作。
那么:有没有办法一次在结构声明中添加多个字段?也许通过一些 idc api?
问问题
3070 次
2 回答
5
在 IDA 中有一个简洁但不直观的技巧,我一直在使用它:定义一个数组,但在数组对话框中取消选中“创建为数组”复选框。这样做是在结构中创建任意数量的元素,但不会用它们创建数组。
工作流程是这样的:
- 在您想要元素列表的偏移处创建您想要的类型的单个元素(例如 dword)。(当您只是创建一个您知道大小的空结构时,这通常为零,但对内部结构一无所知)。
- 将光标放在刚刚创建的元素上按 * 键。
- 在数组对话框中输入所需的元素数。
- 取消选中对话框左下方的“创建为数组”复选框。
- 点击确定。
IDA 将根据您的要求创建尽可能多的元素,但不会创建为数组。当您了解所有内容时,您可能需要稍后重新输入内容,但这为您提供了一个很好的框架。
于 2018-01-06T21:01:38.523 回答
4
I'll give you two solutions. The first may not be exactly what you want, depending on the situation. I can elaborate on either method if you would like.
The cheap method: Using filler arrays
If you have a large structure and there are only a few members whose purpose or size are known, it's often useful to fill in the gaps of the structure by creating temporary dummy arrays. This makes the structure definition more readable and maintainable in IDA, and it also allows you to shape the structure to a specific size without defining more members than you need to.
Let's say you have a structure which is known to be 0x400 bytes in size, and you know the definitions of the members at offsets +0x0 and +0x384. Let's also say you know that there are words at +0x4 and +0x6, but you don't know what they represent yet. Then you might define the structure to be something like this:
00000000 MY_STRUCT struc ; (sizeof=0x400)
00000000 ProcessID dd
00000004 field_4 dw
00000006 field_6 dw
00000008 __filler1 db 892 dup(?)
00000384 ProcessObject dd ?
00000388 __filler2 db 116 dup(?)
000003FC __filler3 dd ?
00000400 MY_STRUCT ends
This is much more readable than it would be if I didn't have the __fillerX elements there. It's also arguably more correct, because you have no way of knowing ahead of time if all the members of the structure are actually qwords.
The reason I have __filler3 at the bottom is because if I ever want to define an element in the region of __filler2, I can wipe __filler2 (and later add new filler members in that space) without shrinking the overall size of the structure. In fact, if the size is the only thing known at the time of structure definition, defining a final element should probably be the first thing you do. Then you'll never need to figure out the sizes of the filler arrays yourself; the default array size that IDA gives you will always be correct. To do that quickly, I usually just create an array of size N-4 and tack on a dword at the end.
But I actually want 32 qwords!
I can't think of any practical situations where this would be useful, but maybe you can!
In any case, you can, in fact, do this through the IDA API. The functions you want are AddStrucEx and AddStrucMember. You should be able to get most of the information you want from the IDA help docs.
If you want a working example of an IDC script to generate structures, you can generate one yourself. Create a few structures, then go to File > Produce File > Dump typeinfo to IDC file....
Or this should also work (uses IDAPython):
id = AddStrucEx(-1, "EXAMPLE_STRUCT", 0)
for i in xrange(0,256,8):
AddStrucMember(id, "field_%x"%i, i, FF_DATA|FF_QWRD, -1, 8)
于 2013-03-10T19:25:36.737 回答