{"id":3617,"date":"2016-04-22T23:05:24","date_gmt":"2016-04-22T23:05:24","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3617"},"modified":"2019-07-04T23:08:19","modified_gmt":"2019-07-04T23:08:19","slug":"creating-idtids-files-for-ida-from-ms-libraries-with-symbols","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/04\/22\/creating-idtids-files-for-ida-from-ms-libraries-with-symbols\/","title":{"rendered":"Creating IDT\/IDS files for IDA from MS libraries with symbols"},
"content":{"rendered":"<p>In the reversing world it is a regular experience to come across samples that are linked to OS APIs imported from well-known libraries. On occasion, however, we come across files that use importing in a slightly different way &#8211; they import not by name but by ordinal. A good example is samples linking to MFC libraries.<\/p>\n<p>When loaded into IDA, such samples contain lots of autogenerated function names, e.g. mfc_1234. This is pretty annoying. Of course (and luckily) there exist many <a href=\"http:\/\/www.openrce.org\/blog\/view\/769\/IDA's_.IDS_Files_Part_I\">descriptions<\/a> and solutions to it &#8211; we need <a href=\"http:\/\/redplait.blogspot.co.uk\/2012\/03\/script-for-idtids-files-making.html\">an IDT or an IDS file<\/a>. An IDT (or its compressed version, IDS) file is a &#8216;translator&#8217; between ordinal numbers and actual API names &#8211; many of these exist in a default installation package of IDA, but not all&#8230; One can generate them by hand &#8211; using existing scripts &#8211; and where MS symbols exist for a given library, one can try to generate them automagically using a simple script I am attaching to this post.<\/p>\n<p>This is the recipe:<\/p>\n<ul>\n<li>Ensure your IDA is set up to use symbols from Microsoft<\/li>\n<li>Open the MS library you analyze (it must be the same build the sample links against &#8211; ordinals are only valid for that specific build)<\/li>\n<li>Load its symbols from the MS web site (you are either asked, or they are loaded automatically &#8211; depends on your config)<\/li>\n<li>When the database is fully loaded and autoanalysis is completed, launch the following script:<\/li>\n<\/ul>\n<pre>import idaapi\r\nimport idc\r\n\r\n# Build the IDT path next to the current database (.idb or .i64)\r\nidt = GetIdbPath()\r\n\r\nprint \"Original IDB: %s\" % idt\r\n\r\nidt = idt.replace('.idb','.idt')\r\nidt = idt.replace('.i64','.idt')\r\n\r\n# Name of the library this IDT will describe\r\ndll = GetInputFile()\r\n\r\nprint \"Saving to %s\" % idt\r\n\r\nf = open(idt, 'wb')\r\n# IDT header line: the module name\r\nf.write(\"0 Name=%s\\n\" % (dll))\r\n# Walk the export table: entry index to ordinal to address to symbol name\r\nfor i in xrange(idaapi.get_entry_qty()):\r\n    eo = GetEntryOrdinal(i)\r\n    a = GetEntryPoint(eo)\r\n    if a != BADADDR:\r\n        # With MS symbols loaded this is the real function name, not mfc_1234\r\n        nm = GetFunctionName(a)\r\n        #cm = GetFunctionCmt(a,0)\r\n        #print \"%x: %0d, %s, %s\" % (a,eo,nm,cm)\r\n        if nm != '':\r\n            f.write(\"%d Name=%s\\n\" % (eo,nm))\r\nf.close()\r\nprint \"done!\"<\/pre>\n<ul>\n<li>Now you should have the IDT file autogenerated in the same directory as the library, e.g.\n<ul>\n<li>mfcXYZ.idb<\/li>\n<li>mfcXYZ.idt (this is the IDT file)<\/li>\n<\/ul>\n<\/li>\n<li>You can now\n<ul>\n<li>Open a sample linking to the MS library via ordinals<\/li>\n<li>Load the newly created IDT file<\/li>\n<li>All mfc_1234 function names should be automatically converted to the respective function\/method names<\/li>\n<\/ul>\n<\/li>\n<li>You can also use zipids.exe to convert the IDT file to IDS, but it&#8217;s not necessary<\/li>\n<\/ul>\n","protected":false},
"excerpt":{"rendered":"<p>In the reversing world it is a regular experience to come across samples that are linked to OS APIs imported from well-known libraries. On occasion, however, we come across files that use importing in a slightly different &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/04\/22\/creating-idtids-files-for-ida-from-ms-libraries-with-symbols\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[85,9,44,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3617"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3617"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3617\/revisions"}],"predecessor-version":[{"id":3619,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3617\/revisions\/3619"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}