In a reversing world it is a regular experience to come across samples that are linked to OS APIs that are imported from well-known libraries. However, on occasion we can come across files that use importing in a slightly different way – they import not via names but via ordinals. A good example are samples linking to MFC libraries.
When loaded into IDA, such samples contain lots of autogenerated function names f.ex. mfc_1234. This is pretty annoying. Of course (and luckily) there exists a lot descriptions and solutions to it – we need an IDT or an IDS file. An IDT (or its compressed version IDS) file is a ‘translator’ between ordinal numbers and actual API names – many of these exist in a default installation package of IDA, but not all… One can generate these by hand – using existing scripts – and in case the MS symbols exist for a given library – one can try to generate these automagically using a simple script I am attaching to this post.
This is the recipe:
- Ensure your IDA is set up to use symbols from Microsoft
- Open the MS library you analyze
- Load its symbols from the MS web site (you are either asked, or they are loaded automatically – depends on your config)
- When the database is fully loaded and autoanalysis is completed, launch the following script:
import idaapi import idc import types import os idt = GetIdbPath() print "Original IDB: %s" % idt idt = idt.replace('.idb','.idt') idt = idt.replace('.i64','.idt') dll = GetInputFile() print "Saving to %s" % idt f = open(idt, 'wb') f.write("0 Name=%s\n" % (dll)) for i in xrange(idaapi.get_entry_qty()): fn = idaapi.getn_func(i) a = fn.startEA if a != BADADDR: eo = GetEntryOrdinal(i) nm = GetFunctionName(GetEntryPoint(eo)) #cm = GetFunctionCmt(a,0) #print "%x: %0d, %s, %s" % (a,eo,nm,cm) if nm!='': f.write("%d Name=%s\n" % (eo,nm)) f.close() print "done!"
- Now you should have the IDT file autogenerated in the same directory where the library is f.ex.
- mfcXYZ.idt — this is the IDT file
- You can now
- Open sample linking to the MS library via ordinals
- Load newly created IDT file
- All mfc_1234 function names should be automatically converted to respective function/method names
- You can also use zipids.exe to convert IDT file to IDS, but it’s not necessary
Comments are closed.