cbj212005calliefida-100719092852-phpapp01

8/12/2019 cbj212005calliefida-100719092852-phpapp01

1/109

2005,2006 CodeBreakers-Journal http://www.CodeBreakers-Journal.com

Vol. 2, No. 3 2005http://www.codebreakers-journal.comOctober 14, 2005

IDA Plug-In Writing in C/C++

Steve Micallef

[email protected]

After spending a lot of time going through the header files in

the IDA SDK as well as looking at the source to other peoplesplug-ins, I figured there should be an easier way to get startedwith writing IDA plug-ins. Although the header filecommentary is amazingly thorough, I found it a little difficultnavigating and finding things when I needed them without alot of searching and trial-and-error. I thought that I'd writethis tutorial to try and help those getting started as well ashopefully provide a quick reference point for people developing

plug-ins. I've also dedicated a section to setting up adevelopment environment which should make thedevelopment process quicker to get into.

Journal
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


2/109


Legal Information

The information contained herein is not a license, either expressly or impliedly, to any

intellectual property owned or controlled by any of the authors or developers of

Dissection Labs. The information contained herein is provided on an "AS IS" basis and to

the maximum extent permitted by applicable law, this information is provided AS IS AND

WITH ALL FAULTS, and the authors and developers of Dissection Labs hereby disclaim all

other warranties and conditions, either express, implied or statutory, including, but not

limited to, any (if any) implied warranties, duties or conditions of merchantability, of

fitness for a particular purpose, of accuracy or completeness of responses, of results, of

workmanlike effort, of lack of viruses, and of lack of negligence, all with regard to the

contribution.

ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET

POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH

REGARD TO DISSECTION LABS PUBLISHED WORKS.

IN NO EVENT WILL ANY AUTHOR OR DEVELOPER OF DISSECTION LABS BE LIABLE TO

ANY OTHER PARTY FOR THE COST OF PROCURING SUBSTITUTE GOODS OR SERVICES,

LOST PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, CONSEQUENTIAL,

DIRECT, INDIRECT, OR PUNITIVE OR SPECIAL DAMAGES WHETHER UNDER CONTRACT,

TORT, WARRANTY, OR OTHERWISE, ARISING IN ANY WAY OUT OF THIS OR ANY OTHER

AGREEMENT RELATING TO THIS DOCUMENT, WHETHER OR NOT SUCH PARTY HAD

ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright 2004/2005 and published by the CodeBreakers-Journal. Single print or

electronic copies for personal use only are permitted. Reproduction and distribution

without permission is prohibited.

This article can be found at http://www.CodeBreakers-Journal.com.


3/109


Table of Contents1. Introduction . ..................................................................................................................................... 4

1.1 Why This Tutorial? . .................................................................................................................. 41.2 What's Covered. ....................................................................................................................... 41.3 What's Not Covered .................................................................................................................. 41.4 Knowledge Required................................................................................................................. 41.5 Software Required. ................................................................................................................... 41.6 Alternatives to C/C++ ................................................................................................................ 51.7 About This Document................................................................................................................ 51.8 Credits . ..................................................................................................................................... 51.9 Further Reading . ...................................................................................................................... 5

2. The IDA SDK . ................................................................................................................................... 62.1 Installation . ............................................................................................................................... 62.2 Directory Layout . ...................................................................................................................... 72.3 Header Files . ............................................................................................................................ 72.4 Using the SDK. ......................................................................................................................... 8

3. Setting Up a Bui ld Environment ..................................................................................................... 93.1 Windows, Using Visual Studio .................................................................................................. 93.2 Windows, Using Dev-C++ With GCC and MinGW. .................................................................103.3 Linux, Using GCC. ..................................................................................................................103.4 A Plug-in Template..................................................................................................................113.5 Configuring and Running Plug-ins ..........................................................................................12

4. Fundamentals . ...............................................................................................................................134.1 Core Types. ............................................................................................................................134.2 Core Structures and Classes ..................................................................................................144.3 Byte Flags . .............................................................................................................................224.4 The Debugger . .......................................................................................................................244.5 Event Notifications. .................................................................................................................284.6 Strings . ...................................................................................................................................33

5. Funct ions. .......................................................................................................................................355.1 Common Function Replacements...........................................................................................355.2 Messaging . .............................................................................................................................355.3 UI Navigation. .........................................................................................................................375.4 Entry Points . ...........................................................................................................................405.5 Areas . .....................................................................................................................................415.6 Segments . ..............................................................................................................................445.7 Functions. ...............................................................................................................................465.8 Instructions . ............................................................................................................................495.9 Cross Referencing. .................................................................................................................525.10 Names . .................................................................................................................................545.11 Searching . ............................................................................................................................565.12 IDB. .......................................................................................................................................585.13 Flags. ....................................................................................................................................61

5.14 Data. .....................................................................................................................................645.15 I/O. ........................................................................................................................................665.16 Debugging . ...........................................................................................................................695.17 Breakpoints . .........................................................................................................................795.18 Tracing . ................................................................................................................................825.19 Strings . .................................................................................................................................895.20 Miscellaneous. ...................................................................................................................... 90

6 Examples . ........................................................................................................................................ 946.1 Looking for Calls to sprintf, strcpy, and sscanf ....................................................................... 946.2 Listing Functions Containing MOVS et al. .............................................................................. 966.3 Auto-loading DLLs Into the IDA Database .............................................................................. 986.4 Bulk Breakpoint Setter & Saver............................................................................................. 1006.5 Selective Tracing (Method 1) ................................................................................................ 103

6.6 Selective Tracing (Method 2) ................................................................................................ 1056.7 Binary Copy & Paste ............................................................................................................. 107
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


4/109


1. Introduction

1.1 Why This Tutorial?

After spending a lot of time going through the header files in the IDA SDK as well as looking at thesource to other peoples plug-ins, I figured there should be an easier way to get started with writingIDA plug-ins. Although the header file commentary is amazingly thorough, I found it a little difficultnavigating and finding things when I needed them without a lot of searching and trial-and-error. Ithought that I'd write this tutorial to try and help those getting started as well as hopefully provide aquick reference point for people developing plug-ins. I've also dedicated a section to setting up adevelopment environment which should make the development process quicker to get into.

1.2 What's Covered

This tutorial will get you started with writing IDA plug-ins, beginning with an introduction to the SDK,

followed by setting up a development/build environment on various platforms. You'll then gain a goodunderstanding of how various classes and structures are used, followed by usage of some of the morewidely used functions exported. Finally, I'll show some examples of using the IDA API for basic thingslike looping through functions, to hooking into the debugger and manipulating the IDA database (IDB).After reading this, you should be able to apply the knowledge gained to write your own plug-ins andhopefully share them with the community.

1.3 What's Not Covered

I'm focusing on x86 assembly because it's what I have most experience in, although most of thematerial presented should cover any architecture supported by IDA (which is practically all of them inthe Advanced version). Also, if you want a comprehensive reference to all IDA functions, I suggest

looking through the header files.

This tutorial is focused more on "read only" functionality within the SDK, rather than functions foradding comments, correcting errors, defining data structures, and so on. These sorts of things are abig part of the SDK, but aren't covered here in an attempt to keep this tutorial at a managable size.

I have intentionally left out netnodes from this tutorial, as well as many struct/class members becausethe IDA SDK is massive, and contains a lot of things for specialised purposes a tutorial cannot covereverything. If there is something you feel really should be in here, drop me a line and I'll probablyinclude it in the next version if it isn't too specialised.

1.4 Knowledge Required

First and foremost, you must know how to use IDA to the point where you can comfortably navigatedisassembled binaries and step through the debugger. You should be equipped with a thoroughknowledge of the C/C++ language as well as x86 assembly. C++ knowledge is quite importantbecause the SDK is pretty much all C++. If you don't know C++ but know C, you should at leastunderstand general OOP concepts like classes, objects, methodsand inheritance.

1.5 Software Required

To write and run IDA plug-ins, you will need the IDA Pro disassembler 4.8 or 4.9, the IDA SDK (which,as a licensed user of IDA, you get for free from http://www.datarescue.com) and a C/C++ compilerwith related tools (Visual Studio, GCC toolset, Borland, etc).
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.datarescue.com/http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.datarescue.com/


5/109


Notes have been added throughout the tutorial where things change in 4.9. Also, as of 4.9, the SDKfreezes, and so interfaces to 4.9 functions won't change, and plug-ins written for 4.9 (even in binaryform) will work with future versions.

1.6 Alternatives to C/C++

If C is not your thing, take a look at IDAPython, which has all the functionality the C++ API offers in thehigher-level language of Python. Check out http://d-dome.net/idapython/for details. There is a tutorialwritten on using IDAPython by Ero Carrera at http://dkbza.org/idapython_intro.html, which is obviouslymore applicable than this text.

There was also an article recently written about using VB6 and C# to write IDA plugins check it outhere: http://www.openrce.org/articles/full_view/13.

1.7 About This Document

If you have any comments, suggestions or if you notice any errors, please contact me, Steve Micallef,at [email protected]. If you really feel like you've learnt something from this, I'd also appreciatean email, just to make this process worth while :-)

As the SDK continues to grow, this document will be updated gradually over time. You will always beable to obtain the latest copy at http://www.binarypool.com/idapluginwriting/.

1.8 Credits

In no particular order, I'd like to thank the following people for proof reading as well as providingencouragement and feedback for this tutorial.

Ilfak Guilfanov, Pierre Vandevenne, Eric Landuyt, Vitaly Osipov, Scott Madison, Andrew Griffiths,Thorsten Schneider and Pedram Amini.

1.9 Further Reading

At the time of writing, the only other written material on IDA plug-ins is a tutorial on using the universalun-packer plug-in in IDA 4.9, which contains information on how it was written and how it works. It canbe found at http://www.datarescue.com/idabase/unpack_pe/unpacking.pdf. If you get stuck whilewriting a plug-in, you can always ask for help on the Datarescue Bulletin Board(http://www.datarescue.com/cgi-local/ultimatebb.cgi), where even though the SDK is officiallyunsupported, someone from Datarescue (or one of the many IDA users) is likely to help you out.

Another great resource is http://www.openrce.org/, where you'll find not only some great articles onreverse engineering, but tools, plug-ins and documentation too. There are also a lot of switched-onpeople on this board, who will most likely be able to help you with almost any IDA or general reverseengineering problem.
http://www.iceni.com/unlock-pro.htmhttp://d-dome.net/idapython/http://dkbza.org/idapython_intro.htmlhttp://www.openrce.org/articles/full_view/13mailto:[email protected]://www.binarypool.com/idapluginwriting/http://www.datarescue.com/idabase/unpack_pe/unpacking.pdfhttp://www.datarescue.com/cgi-local/ultimatebb.cgihttp://www.openrce.org/http://www.iceni.com/unlock-pro.htmhttp://www.openrce.org/http://www.datarescue.com/cgi-local/ultimatebb.cgihttp://www.datarescue.com/idabase/unpack_pe/unpacking.pdfhttp://www.binarypool.com/idapluginwriting/mailto:[email protected]://www.openrce.org/articles/full_view/13http://dkbza.org/idapython_intro.htmlhttp://d-dome.net/idapython/


6/109


2. The IDA SDK

IDA is a fantastic disassembler and more recently comes with a variety of debuggers too. While IDAalone has an amazing amount of functionality, there are always things you'll want to automate or do insome particular way that IDA doesn't support. Thankfully, the guys at Datarescue have released the

IDA SDK a way for you to hook your own desired functionality into IDA.

There are four types of modules you can write for IDA using the IDA SDK, plug-in modules being thesubject of this tutorial:

Module Type Purpose

Processor Adding support for different processor architectures. Also known asIDP (IDa Processor) modules.

Plug-in Extending functionality in IDA.

Loader Adding support for different executable file formats.

Debugger Adding support for debugging on different platforms and/or interacting

with other debuggers / remote debugging.

From here onwards, the term "plug-in" will be used in place of "plug-in module", unless otherwisestated.

The IDA SDK contains all the header and library files you need to write an IDA plug-in. It supports anumber of compilers on both Linux and Windows platforms, and also comes with an example plug-inthat illustrates a couple of basic features available.

Whether you're a reverse engineer, vulnerability researcher, malware analyst, or a combination ofthem, the SDK gives you a tremendous amount of power and flexibility. You could essentially writeyour own debugger/disassembler using it, and that's just scratching the surface. Here's a tiny sampleof some very straight-forward things you could do with the SDK:

Automate the analysis and unpacking of packed binaries.

Automate the process of finding the use of particular functions (for example,

LoadLi br ar y( ) , strcpy() , and whatever else you can think of.)

Analyse program and/or data flow, looking for things of interest to you.

Binary diff'ing.

Write a de-compiler.

The list goes on..

To see a sample of what some people have written using the IDA SDK, check out the IDA Palacewebsite, at http://home.arcor.de/idapalace/.

2.1 Installation

This is simple. Once you obtain the SDK (which should be in t he form of a . z i p file), unzip it to alocation of your choice. My preference is creating an sdk directory under the IDA installation andputting everything in there, but it doesn't really matter.
http://www.iceni.com/unlock-pro.htmhttp://home.arcor.de/idapalace/http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://home.arcor.de/idapalace/


7/109


2.2 Directory Layout

Rather than go through every directory and file in the SDK, I'm going to go over the directoriesrelevant to writing plug-ins, and what's in them.

Directory Contains

/ Some makefiles for different environments as well as the r eadme. t xt which you should read to get a quick overview of the SDK, in particularanything that might've changed in recent versions.

i ncl ude/ Header files, grouped into areas of functionality. I recommend goingthrough every one of these files and jotting down functions that lookapplicable to your needs once you have gone through this tutorial.

l i bbor . wXX/ IDA library to link against when compiling with the Borland C compiler

l i bgccXX. l nx/ IDA library to link against when compiling with GCC under Linux

l i bgcc. wXX/ IDA library to link against when compiling with GCC under Windows

l i bvc. wXX/ IDA library to link against when compiling with Visual C++ underWindows

pl ugi ns/ Sample plug-ins

XXis either 32(bit) or 64(bit), which will depend on the architecture youre running on.

2.3 Header Files

Of the fifty header files in the i ncl ude directory, I found the following to be most relevant whenwriting plug-ins. If you want information on all the headers, look at r eadme. t xt in the SDK rootdirectory, or in the header file itself. This listing is just here to provide a quick reference point when

looking for certain functionality more detail will be revealed in the following sections.

File(s) Contains

area. hpp ar ea_t and areacb_t classes, which represent areas of code,which will be covered in detail later on

byt es. hpp Functions and definitions for dealing with individual bytes within adisassembled file

dbg. hpp & i dd. hpp Debugger classes and functions

di ski o. hpp & f pr o. h IDA equivalents to f open( ) , open( ) , etc. as well as some misc.file operations (getting free disk space, current working directory,etc.)

ent r y. hpp Functions for getting and manipulating executable entry pointinformation

f r ame. hpp Functions for dealing with the stack, function frames, local variablesand labels

f uncs. hpp f unc_t class and pretty much everything function related

i da. hpp i dai nf ostruct, which holds mostly meta information about the filebeing disassembled

ker nwi n. hpp Functions and classes for interacting with the IDA user interface

l i nes. hpp Functions and definitions that deal with disassembled text, colourcoding, etc.

l oader . hpp Mostly functions for loading files into and manipulating the IDB

name. hpp Functions and definitions for getting and setting names of bytes
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


8/109


File(s) Contains

(variable names, function names, etc.)

pr o. h Contains a whole range of misc. definitions and functions

sear ch. hpp Various functions and definitions for searching the disassembledfile for text, data, code and more.

segment . hpp segment _t class and everything for dealing with binarysegments/sections

s t r l i st . hpp str i ng_i nf o_t structure and related functions for representingeach string in IDA's string list.

ua. hpp i nsn_t , op_t and opt ype_t classes representing instructions,operands and operand types respectively as well as functions forworking with the IDA analyser

xref . hpp Functions for dealing with cross referencing code and datareferences

2.4 Using the SDK

Generally speaking, any function within a header file that's prefixed with i da_export is available foryour use, as well as global variables prefixed with i da_expor t _dat a. The rule of thumb is to stayaway from lower level functions (these are indicated in the header files) and stick to using the higherlevel interfaces provided. Any defined class, struct and enum is available for your use.


9/109


3. Setting Up a Build Environment

Note for Borland users: The only compiler supported by the IDA SDK that isn't covered in this

section is Borland's. You should read the i ns tal l _cb. t xt and makeenv_br . makin the rootof the SDK directory to determine the compiler and linker flags necessary.

Before you start coding away it's best to have a proper environment set up to facilitate thedevelopment process. The more popular environments have been covered, so apologies if yours isn't.If you're already set up, feel free to skip to the next section.

3.1 Windows, Using Visual Studio

The version of Visual Studio used for this example is Visual Studio.NET 2003, but almost everythingshould be applicable to later and even some earlier versions.

Once you have Visual Studio running, close any other solutions and/or projects you might have open;

we want a totally clean slate.

1 Go to File->New->Project(Ctrl-Shift-N)

2 Expand theVisual C++ Projectsfolder, followed by theWin32sub-folder, and then

select theWin32 Project icon. Name the project whatever you like and click OK.

3 The Win32 Application Wizard should then appear, click theApplication Settings

tab and make sureWindows Applicationis selected, and then tick the Empty

Projectcheckbox. Click Finish.

4 In the Solutions Exploreron the right hand side, right click on the Source Files

folder and go toAdd->Add New Item...

5 Select the C++ File (.cpp)icon and name the file appropriately. Click Open. Repeatthis step for any other files you want to add to the project.

6 Go to Project->projectname Properties...

7 Change the following settings (some have been put there to reduce the size of theresulting plug-in, as VS seems to bloat the output file massively):

Configuration Properties->General: Change Configuration TypetoDynami c Li br ar y (. dl l )C/C++->General: Set Detect 64-bit Portability Issuechecks to NoC/C++->General: Set Debug Information Formatto Di sabl ed

C/C++->General: Add the SDK include path to theAdditional Include

Directories field. e.g. C: \ I DA\ SDK\ I ncl ude

C/C++->Preprocessor: Add__NT__; __I DP__to Preprocessor DefinitionsC/C++->Code Generation: Turn off Buffer Security Check, and Basic

Runtime Checks, set Runtime Libraryto Si ngl e Thr eaded

C/C++->Advanced: Cal l i ng Convent i onis__stdcallLinker->General: Change Output Filefrom a .exeto a .pl win the IDA pl ugi ns directoryLinker->General: Add the path to your l i bvc. wXX toAdditional LibraryDirectories. e.g. C: \ I DA\ SDK\ l i bvc. w32Linker->Input: Add i da. l i btoAditional DependenciesLinker->Debugging : Noto Generate Debug InfoLinker->Command Line: Add / EXPORT: PLUGI NBuild Events->Post-Build Event: Set Command-lineto your i dag. exeto start

IDA after each successful build (Optional)

Click OK
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


10/109


8 Go back to step 6, but before moving on to step 7, change the Configurationdrop-

down fromActive(Debug)to Releaseand repeat the settings changes in step 7. ClickOK

9 Move on to section 3.4

3.2 Windows, Using Dev-C++ With GCC and MinGW

You can obtain a copy of Dev-C++, GCC and MinGW as one package fromhttp://www.bloodshed.net/dev/devcpp.html. Installing and setting it up is beyond the scope of thistutorial, so from here on, it'll be assumed that it's all in working order.

As before, start up Dev-C++ and ensure no project or other files are open we want a clean slate.

1 Go to File->New Project, choose Empty Project, make sure C++ Projectis

selected and give it any name you wish, click OK

2 Choose a directory to save the project file, this can be anywhere you wish.

3 Go to Project->New File, this will hold the source code to your plug-in. Repeat this

step for any other files you want to add to the project.

4 Go to Project->Project Options, click on the Parameterstab.

5 Under C++ compiler, add:- DWI N32 - D__NT__ - D__ I DP__ - v - mr t d

6 Under Linker, add:. . / pat h/ t o/ your / sdk/ l i bgcc. wXX/ i da. a - Wl , - - dl l - shar edJust a note here - it's usually best to start with . . / , because msys seems to get confusedwith just / , and tries to reference it from the root of the msys directory.

7 Click on the Directoriestab, and Include Directoriessub-tab. Add the path toyour IDA SDK i ncl udedirectory to the list.

8 Click on the Build Optionstab, set the output directoryto your IDA pl ugi nsdirectory, and Override the output filenameto be a . pl wfile. Click OK.

9 Move on to section 3.4

3.3 Linux, Using GCC

Unlike Windows plug-ins, which end in . pl w, Linux plug-ins need to end in . pl x. Also, in thisexample, there is no GUI IDE, so rather than go through a step-by-step process, I'll just show theMakef i l eyou need to use. The below example probably isn't the cleanest Makef i l e, but it shouldwork.

In this example, the IDA installation is in / usr/ l ocal / i daadv, and the SDK is located under thesdksub-directory. Put the below Makef i l einto the same directory where the source to your plug-inwill be. You'll also need to copy the pl ugi n. scr i pt file from the sdk/ pl ugi ns directory into thedirectory with your source and Makef i l e.

Set SRCbelow to the source files that make up your plug-in, and OBJ Sto the object files they will becompiled to (same filename, just replace the extension with a . o).

SRC=f i l e1. cpp f i l e2. cpp

OBJ S=f i l e1. o f i l e2. oCC=g++LD=g++CFLAGS=- D__ I DP__ - D__PLUGI N__ - c - D__LI NUX__ \
http://www.iceni.com/unlock-pro.htmhttp://www.bloodshed.net/dev/devcpp.htmlhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.bloodshed.net/dev/devcpp.html


11/109


- I / usr/ l ocal / i daadv/ sdk/ i ncl ude $( SRC)LDFLAGS=- - shar ed $( OBJ S) - L/ usr / l ocal / i daadv - l i da \

- - no- undef i ned - Wl , - - ver si on- scr i pt =. / pl ugi n. scr i pt

al l :$( CC) $( CFLAGS)

$(LD) $(LDFLAGS) - o mypl ugi n. pl xcp mypl ugi n. pl x / usr / l ocal / i daadv/ pl ugi ns

To compile your plug-in, makewill do the job and copy it into the IDA pl ugi nsdirectory for you.

3.4 A Plug-in Template

The way IDA "hooks in" to your plug-in is via the PLUGI Nclass, and is typically the only thing exportedby your plug-in (so that IDA can use it). Also, the only files you need to #i ncl udethat are essentialfor the most basic plug-in are i da. hpp, i dp. hppand l oader . hpp.

The below template should serve as a starter for all your plug-in writing needs. If you paste it into a filein your respective development environment, it should compile, and when run in IDA (Edit-

>Plugins->pluginname, or the shortcut defined) , it will insert the text "Hello World" into the IDA

Logwindow.

#i ncl ude #i ncl ude #i ncl ude

i nt I DAP_i ni t ( voi d){

/ / Do checks her e to ensur e your pl ug- i n i s bei ng used wi t hi n/ / an envi r onment i t was wr i t t en f or . Ret ur n PLUGI N_SKI P i f t he / /

checks f ai l , ot her wi se ret ur n PLUGI N_KEEP.}

voi d I DAP_t er m( voi d){

/ / St uf f t o do when exi t i ng, gener al l y you' d put any sor t/ / of cl ean- up j obs her e.r et ur n;

}

/ / The pl ugi n can be passed an i nt eger argument f r om t he pl ugi ns. cf g/ / f i l e. Thi s can be usef ul when you want t he one pl ug- i n t o do/ / somethi ng di f f erent dependi ng on t he hot - key pr essed or menu/ / i t em sel ected.voi d I DAP_r un( i nt ar g){

/ / The "meat " of your pl ug- i nmsg( "Hel l o wor l d! ") ;r et ur n;

}

/ / Ther e i sn' t much use f or t hese yet , but I set t hem anyway.char I DAP_comment [ ] = "Thi s i s my t est pl ug- i n" ;char I DAP_hel p[ ] = "My pl ugi n" ;

/ / The name of t he pl ug- i n di spl ayed i n t he Edit->Plugins menu. I t can / /be over r i dden i n t he user ' s pl ugi ns. cf g f i l e.char I DAP_name[ ] = "My pl ugi n";

/ / The hot - key t he user can use t o run your pl ug- i n.
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


12/109


char I DAP_hot key[ ] = "Al t - X";

/ / The al l - i mport ant expor t ed PLUGI N obj ectpl ugi n_t PLUGI N ={

I DP_I NTERFACE_VERSI ON, / / I DA ver si on pl ug- i n i s wr i t t en f or

0, / / Fl ags ( see bel ow)I DAP_ i ni t , / / I ni t i al i sat i on f unct i onI DAP_t er m, / / Cl ean- up f unct i onI DAP_r un, / / Mai n pl ug- i n bodyI DAP_comment , / / Comment unusedI DAP_hel p, / / As above unusedI DAP_name, / / Pl ug- i n name shown i n

/ / Edit->Plugins menuI DAP_hot key / / Hot key t o r un t he pl ug- i n

};

You can usually get away without setting the flags attribute (second from the top) in the PLUGI Nstructure unless it's a debugger module, or you want to do something like hide it from the Edit-

>Pluginsmenu. See l oader . hppfor more information on the possible flags you can set.

The above template is also available at http://www.binarypool.com/idapluginwriting/template.cpp.

3.5 Configuring and Running Plug-ins

This is the easiest of all copy the compiled plug-in file (make sure it ends in . pl w for Windows or. pl xfor Linux) into the IDA pl ugi nsdirectory and IDA will load it automatically at start-up.

Make sure your plug-in can load up all of its DLLs and shared libraries at start-up by ensuring your

environment is set up correctly (LD_LI BRARY_PATHunder Linux, for example). You can start IDA with

the - z20flag, which will enable plug-in debugging. This will usually indicate if there are errors duringthe loading process.

If you put code into the I DAP_i ni t ( ) function, it will get executed when IDA is loading the first file fordisassembly, otherwise, if you put code in the I DAP_r un( ) function, it will execute when the userpresses the hot-key combination or goes through the Edit->Pluginsmenu.

The user can override a few of the PLUGI Nsettings in the pl ugi ns. cf gfile (like the name and hot-key), but that's nothing for you to really concern yourself with. The pl ugi ns. cf g file can also beused to pass arguments to your plug-in at start-up.
http://www.iceni.com/unlock-pro.htmhttp://www.binarypool.com/idapluginwriting/template.cpphttp://www.iceni.com/unlock-pro.htmhttp://www.binarypool.com/idapluginwriting/template.cpp


13/109


4. Fundamentals

There are quite a few different classes, data structures and types within the IDA SDK, some morewidely used than others. The aim of this section is to introduce you to them, as they provide greatinsight into what IDA knows about a disassembled file, and should get you thinking about the

possibilities of what can be done with the SDK.

Some of these classes and structures are quite large, with many member variables andmethods/functions. In this section, it's mostly the variables that are covered, whereas the methods arecovered in Chapter 5 - Functions. Some of the below code commentary is taken straight from the

SDK, some is my commentary, and some is a combination of the two. #def i nes have, in somecases, been included beneath various members, the same way as it's been done in the SDK. I leftthese in because it's a good illustration of the valid values a member variable can have.

Important note about the examples: Code from any of the examples in this section should beput into the I DAP_r un( ) function from the template in section 3.4, unless otherwise stated.

4.1 Core Types

The following types are used all throughout the SDK and this tutorial, so it's important that you areable to recognise what they represent.

All the below types are unsigned long integers, and unsigned long long integers on 64-bit systems.

They are defined in pr o. h.

Type Description

ea_t Stands for 'Effective Address', and represents pretty much any address within IDA(memory, file, limits, etc.)

sel _ t Segment selectors, as in code, stack and data segment selectors

uval _t Used for representing unsigned values

asi ze_t Typically used for representing the size of something, usually a chunk of memory

The following are signed long integers, and signed long long integers on 64-bit systems. They are also

defined in pr o. h.

Type Description

sval _t Used for representing signed values

adi f f _ t Represents the difference between two addresses

Finally, there are a couple of definitions worth noting; one of these is BADADDR, which represents aninvalid or non-existent address which you will see used a lot in loops for detecting the end of a

readable address range or structure. You will also see MAXSTRused in character buffer definitions,which is 1024.


14/109


4.2 Core Structures and Classes

4.2.1 Meta Information

The i dai nf o struct, which is physically stored in the IDA database (IDB), holds what I refer to as'meta' information about the initial file loaded for disassembly in IDA. It does not change if more files

are loaded, however. Here are some of the more interesting parts of it, as defined in i da. hpp:

str uct i dai nf o{

. . .char procName[8] ; / / Name of processor I DA i s r unni ng on

/ / ( "metapc" = x86 f or exampl e)ushor t f i l et ype; / / The i nput f i l e t ype. See t he

/ / f i l et ype_t enum coul d be f _ELF,/ / f _PE, etc .

ea_t start SP; / / [ E] SP r egi ster val ue at t he start of/ / pr ogr am execut i on

ea_t start I P; / / [ E] I P r egi ster val ue at t he star t of/ / pr ogr am execut i on

ea_t begi nEA; / / Li near addr ess of pr ogr am ent r y poi nt ,/ / usual l y the same as st ar t I P

ea_t mi nEA; / / Fi r st l i near addr ess wi t hi n pr ogr am ea_t maxEA; / / Last l i near addr ess wi t hi n t he

/ / progr am, excl udi ng maxEA. . .};

i nf is a globally accessible instance of this structure. You will often see checks done againsti nf . procName within the initialisation function of a plug-in, checking that the machine architecture iswhat the plug-in was written to handle.

For example, if you wrote a plug-in to only handle PE and ELF binary formats for the x86 architecture,

you could add the following statement to your plug-in's init function ( I DAP_i ni t from our plug-intemplate in section 3.4).

/ / "met apc" r epr esent s x86 ar chi t ect ur ei f ( st r ncmp( i nf . pr ocName, "met apc", 8) ! = 0

| | i nf . f i l et ype ! = f _ELF && i nf . f i l et ype ! = f _PE) ){

er r or( "Onl y PE and ELF bi nary t ype compi l ed f or t he x86 ""pl at f or m i s suppor t ed, sor ry. ") ;

r etur n PLUGI N_SKI P; / / Ret ur ni ng PLUGI N_SKI P means t hi s pl ug- i n/ / won' t be l oaded

}r et ur n PLUGI N_KEEP; / / Keep t hi s pl ug- i n l oaded

4.2.2 Areas

Before going into detail on the higher level classes for working with segments, functions andinstructions, let's have a look at two key concepts; namely areas and area control blocks.
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


15/109


4.2.2.1 The area_t Structure

An area is represented by the area_t struct, as defined in ar ea. hpp. Based on commentary in thisfile, strictly speaking:

"Areas" consists of separate area_t instances. An area is a non-empty contiguous range of addresses(specified by it start and end addresses, end address is excluded) with characteritics. For example,

segments are set of areas.

As you can see from the below excerpt from the area_t definition, it is defined by a start address(startEA) and end address (endEA). There are also a couple of functions to see if an area containsan address, if an area is empty, and to return the size of the area. A segment is an area, but functionsare too, which means areas can also encompass other areas.

struct area_t{

. . .ea_t st ar t EA;ea_t endEA; / / endEA addr ess i s excl uded f r om

/ / t he ar ea

bool cont ai ns( ea_t ea) const { ret urn st ar t EA ea; }bool empt y( voi d) const { retur n st art EA >= endEA; }asi ze_t si ze( voi d) const { r et ur n endEA - st ar t EA; }. . .

};

Technically speaking, saying that functions and segments are areas, is to say that the f unc_t andsegment _t classes inherit from the area_t struct. This means that all the variables and functions inthe area_t structure are applicable to f unc_t and segment _t (so for example,segment _t . st ar t EA and f unc_t. cont ai ns( ) are valid). f unc_t and segment _t also extendthe area_t struct with their own specialized variables and functions. These will be covered laterhowever.

A few other classes that inherit from and extend area_t are as follows:

Type (file) Descript ion

hi dden_area_t ( bytes. hpp) Hidden areas where code/data is replaced andsummarised by a description that can be expanded to viewthe hidden information

r egvar _t ( f r ame. hpp) Register name replacement with user-defined names(register variables)

memory_i nf o_t ( i dd. hpp) A chunk of memory (when using the debugger)

segr eg_t ( sr ar ea. hpp) Segment register (CS, SS, etc. on x86) information

4.2.2.2 The areacb_t Class

An area control block is represented by the areacb_t class, also defined in ar ea. hpp. Thecommentary for it, shown below, is slightly less descriptive, but doesn't really need to be anyway:

"areacb_t" is a base class used by many parts of IDA

The area control block class is simply a collection of functions that are used to operate on areas.

Functions include get _area_qty( ) , get _next_area( ) and so on. You probably won't findyourself using any of these methods directly, as when dealing with functions for example, you're more

likely to use f unc_t 's methods, and the same rule applies to other classes that inherit from area_t .

There are two global instances of the areacb_t class, namely segs (defined in segment . hpp) andf uncs (defined in f uncs. hpp), which represent all segments and functions, respectively, within the
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


16/109


currently disassembled file(s). You can run the following to get the number of segments and functionswithin the currently disassembled file(s) in IDA:

#i ncl ude #i ncl ude

msg( "Segment s: %d, Funct i ons: %d\ n",segs. get _ar ea_qt y( ) ,f uncs. get _ar ea_qt y( ) ) ;

4.2.3 Segments and Functions

As mentioned previously, the segment _t and f unc_t classes both inherit from and extend thearea_t struct, which means all the area_t variables and functions are applicable to these classesand they also bring some of their own functionality into the mix.

4.2.3.1 Segments

The segment _t class is defined in segment . hpp. Here are the more interesting parts of it.

cl ass segment _t : publ i c ar ea_t{publ i c:

uchar per m; / / Segment per mi ssi ons ( 0- no i nf ormat i on) . Wi l l/ / be one or a combi nat i on of t he bel ow.

#def i ne SEGPERM_EXEC 1 / / Execut e#def i ne SEGPERM_WRI TE 2 / / Wr i t e#def i ne SEGPERM_READ 4 / / Read

uchar t ype; / / Type of t he segment . Thi s wi l l be one of t he bel ow.#def i ne SEG_NORM 0 / / Unknown t ype, no assumpt i ons

#def i ne SEG_XTRN 1 / / Segment wi t h ' ext ern' def i ni t i ons,/ / wher e no i nst r uct i ons ar e al l owed#def i ne SEG_CODE 2 / / Code segment#def i ne SEG_DATA 3 / / Dat a segment#def i ne SEG_NULL 7 / / Zero- l ength segment#def i ne SEG_BSS 9 / / Uni ni t i al i zed segment. . .};

SEG_XTRNis a special (i.e. not physically existent) segment type, created by IDA upon disassembly ofa file, whereas others represent physical parts of the loaded file. For a typical executable file loaded inIDA for example, the value of t ype for the . t ext segment would be SEG_CODE and the value ofper mwould be SEGPERM_EXEC | SEGPERM_READ.

To iterate through all the segments within a binary, printing the name and address of each one intoIDA's Logwindow, you could do the following:

#i ncl ude

/ / Thi s wi l l onl y wor k i n I DA 4. 8, because get _segm_name( ) changed/ / i n 4. 9. See t he Chapt er 5 f or mor e i nf ormat i on.

/ / get _segm_qty( ) r et ur ns t he number of t otal segment s/ / f or f i l e( s ) l oaded.f or ( i nt s = 0; s < get _segm_qt y( ) ; s++){

/ / get nseg( ) r et ur ns a segment _t st r uct f or t he segment/ / number suppl i edsegment _t *cur Seg = getnseg( s) ;/ / get _segm_name( ) r et urns t he name of a segment


17/109


/ / msg( ) pr i nts a message to I DA' s Log wi ndowmsg( "%s @%a\ n", get _segm_name( curSeg) , curSeg- >st ar t EA) ;

}

Understanding what the functions above do isn't important at this stage they'll be explained in moredetail under Chapter 5 - Functions.

4.2.3.2 Funct ions

A function is represented by the f unc_t class, which is defined in f uncs. hpp, but before going intodetail on the f unc_t class, it's probably worth shedding some light on function chunks, parents andtails.

Functions are typically contiguous blocks of code within the binary being analysed, and are usuallyrepresented as a single chunk. However, there are times when optimizing compilers move codearound, and so functions are broken up into multiple chunks with code from other functions separating

them. These loose chunks are known as "tails", and the chunks that reference code (by a J MP orsomething similar) within the tails are known as "parents". What makes things a little confusing is that

all are still of the f unc_t type, and so you need to check the f l ags member of f unc_t to determineif a f unc_t instance is a tail or parent.

Below is highly stripped-down version of the f unc_t class, along with some slightly editedcommentary taken from f uncs. hpp.

cl ass f unc_t : publ i c ar ea_t{publ i c:. . .

ushor t f l ags; / / f l ags i ndi cat i ng t he t ype of f uncti on/ / Some of t he f l ags bel ow:

#def i ne FUNC_NORET 0x00000001L / / f unct i on doesn' t r eturn

#def i ne FUNC_LI B 0x00000004L / / l i br ar y f unct i on#def i ne FUNC_HI DDEN 0x00000040L / / a hi dden f unct i on chunk#def i ne FUNC_THUNK 0x00000080L / / t hunk ( j ump) f unct i on#def i ne FUNC_TAI L 0x00008000L / / Thi s i s a f unct i on t ai l .

/ / Ot her bi t s shoul d be cl ear/ / ( except FUNC_HI DDEN)

uni on / / f unc_t ei t her r epr esent s an ent r y chunk or a t ai l chunk{

st r uct / / at t r i but es of a f uncti on ent r y chunk{

asi ze_t ar gsi ze; / / number of byt es pur ged f r omt he st ack/ / upon r et ur ni ng

ushor t pnt qt y; / / number of t i mes t he ESP r egi st er changes/ / t hr oughout t he f unct i on ( due t o PUSH, et c. )

i nt t ai l qt y; / / number of f uncti on t ai l s t hi s f uncti on ownsarea_t *tai l s ; / / arr ay of tai l s , sort ed by ea

}str uct / / at t r i but es of a f uncti on t ai l chunk{

ea_t owner ; / / t he addr ess of t he mai n f unct i on/ / possessi ng t hi s tai l

}. . .};

Because functions are also areas just like segments, iterating through each function is a processalmost identical to dealing with segments. The following example lists all functions and their addresswithin a disassembled file, displaying output in IDA's Logwindow.
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


18/109


#i ncl ude

/ / get _f unc_qt y( ) r et ur ns t he number of f uncti ons i n f i l e( s)/ / l oaded.f or ( i nt f = 0; f < get _f unc_qt y() ; f ++){

/ / get n_f unc() r et ur ns a f unc_t st r uct f or t he f uncti on/ / number suppl i edf unc_t *cur Func = get n_f unc( f ) ;char f uncName[ MAXSTR] ;

/ / get_f unc_name get s t he name of a f unct i on,/ / st ored i n f uncNameget _f unc_name(curFunc- >st art EA,

f uncName,si zeof ( f uncName) - 1) ;

msg( "%s: \ t %a\ n" , f uncName, curFunc- >st art EA) ;}

4.2.4 Code Representation

Assembly language instructions consist of, in most cases, mnemonics (PUSH, SHR, CALL, etc.) andoperands (EAX, [ EBP+0xAh] , 0x0Fh, etc.) Some operands can take various forms, and someinstructions don't even take operands. All of this is represented very cleanly in the IDA SDK.

You have the i nsn_t type to begin with, which represents a whole instruction, for example MOVEAX, 0x0A. i nsn_t is made up of, amongst other member variables, up to 6 op_t 's (one for eachoperand supplied to the instruction), and each operand can be a particular opt ype_t (generalregister, immediate value, etc.)

Let's look at each component from the bottom-up. They are all defined in ua. hpp.

4.2.4.1 Operand Types

opt ype_t represents the typeof operand that is being supplied to an instruction. Here are the more

common operand type values. The descriptions have been taken from the opt ype_t definition inua. hpp.

Operand Description Example disassembly(respective operand inbold)

o_voi d No Operand pusha

o_r eg General Register dec eax

o_mem Direct Memory Reference mov eax, ds:1001h

o_phr ase Memory Ref [Base Reg + Index Reg] push dword pt r [eax]

o_di spl Memory Ref [Base Reg + Index Reg +Displacement]

push [esp+8]

o_i mm Immediate Value add ebx, 10h

o_near Immediate Near Address cal l _initterm
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


19/109


4.2.4.2 Operands

op_t represents a single operand passed to an instruction. Below is a highly cut-down version of theclass.

cl ass op_t{

publ i c:char n; / / number / posi t i on of t he oper and ( 0, 1, 2)opt ype_t t ype; / / t ype of oper and ( see pr evi ous sect i on)ushor t r eg; / / r egi st er number ( i f t ype i s o_r eg)uval _t val ue; / / oper and val ue ( i f t ype i s o_i mm)ea_t addr ; / / vi r t ual addr ess poi nt ed t o or used by t he

/ / oper and ( i f t ype i s o_mem). . .};

So, for example, the operand of [ esp+8] will result in type being o_di spl , r egbeing 4(which isthe number for the ESPregister) and addr being 8, because you are accessing 8 bytes from the stackpointer, thereby being a memory reference. You can use the following snippet of code for getting the

op_t value of the first operand of the instruction your cursor is currently positioned at in IDA:


/ / Di sassembl e t he i nst r ucti on at t he cur sor posi t i on, st or e i t i n/ / t he gl obal l y accessi bl e ' cmd' st r ucture.ua_ana0( get _scr een_ea( ) ) ;/ / Di spl ay i nf or mat i on about t he f i r st oper andmsg( "n = %d t ype = %d r eg = %d val ue = %a addr = %a\ n" ,

cmd. Oper ands[ 0] . n,cmd. Oper ands[ 0] . t ype,cmd. Oper ands[ 0] . r eg,

cmd. Oper ands[ 0] . val ue,cmd. Oper ands[ 0] . addr ) ;

4.2.4.3 Mnemonics

The mnemonic (PUSH, MOV, etc.) within the instruction is represented by the i t ypemember of thei nsn_t class (see the next section). This is, however, an integer, and there is currently no textualrepresentation of the instruction available to the user in any data structure instead, it is obtained

through use of the ua_mnem( ) function, which will be covered in Chapter 5 - Functions.

There is an enum, named i nstr uc_t (al l i ns . hpp) that holds all mnemonic identifiers (prefixedwith NN_). If you know what instructions you are after or want to test for, you can utilise it rather than

work off a text representation. For example, to test if the first instruction in a binary is a PUSH, youcould do the following:


/ / Popul at e ' cmd' wi t h the code at t he ent r y poi nt of t he bi nar yua_ana0( i nf . star t I P) ;/ / Test i f t hat i nstr ucti on i s a PUSHi f ( cmd. i t ype == NN_push)

msg( "Fi r st i nst r ucti on i s a PUSH") ;el se

msg( "Fi r st i nst r ucti on i sn' t a PUSH") ;

r et ur n;
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


20/109


4.2.4.4 Instructions

i nsn_t represents a whole instruction. It contains an op_t array, named Oper ands, whichrepresents all operands passed to the instruction. Obviously there are instructions that take no

operands (like PUSHA, CDQ, etc.), in which case the Oper ands[ 0] variable will have an opt ype_t ofo_voi d(no operand).

cl ass i nsn_t{publ i c:

ea_t cs; / / code segment base ( i n paragr aphs)ea_t i p; / / of f set wi t hi n t he segmentea_t ea; / / i nst r ucti on st ar t addr essesushor t i t ype; / / mnemoni c i dent i f i erushor t s i ze; / / i nstr ucti on si ze i n byt es

#def i ne UA_MAXOP 6op_t Operands[ UA_MAXOP] ;

#def i ne Op1 Operands[ 0] / / f i r st operand#def i ne Op2 Oper ands[ 1] / / second operand#def i ne Op3 Oper ands[ 2] / / . . .

#def i ne Op4 Oper ands[ 3]#def i ne Op5 Oper ands[ 4]#def i ne Op6 Oper ands[ 5]};

There is a globally accessible instance of i nsn_t named cmd, which gets populated by theua_ana0( ) and ua_code( ) functions. More on this later, but in the mean time, here's an example toget the instruction at a file's entry point and display its instruction number, address and size in IDA'sLogwindow.

#i ncl ude

/ / ua_ana0( ) popul at es t he cmd st r uct ur e wi t h a di sassembl y of t he

/ / addr ess suppl i ed.ua_ana0( i nf . begi nEA) ; / / or i nf . start I Pmsg(" i nst r uct i on number: %d, at %a i s %d byt es i n si ze. \ n" ,

cmd. i t ype, cmd. ea, cmd. si ze) ;

4.2.5 Cross Referencing

One of the handy features in IDA is the cross-referencing functionality, which will tell you about allparts of the currently disassembled file that reference another part of that file. For instance, in IDA, youcan highlight a function in the disassembly window, press 'x' and all addresses where that function isreferenced (e.g. calls made to the function) will appear in a window. The same can be done for data

and local variables too.

The SDK provides a simple interface for accessing this information, which is stored internally in a B-

tree data structure, accessed via the xr ef bl k_t structure. There are other, more manual, ways toretrieve this sort of information, but they are much slower than the methods outlined below.

One important thing to remember is that even when an instruction naturally flows onto the next, IDAcan potentially treat the first as referencing the second, but this can be turned off using flags supplied

to some xr ef bl k_t methods, covered in Chapter 5 -Functions.

4.2.5.1 The xrefblk_t Structure

Central to cross referencing functionality is the xr ef bl k_t structure, which is defined in xr ef . hpp.

This structure first needs to be populated using its f i r s t_f r om( ) or f i r st _ t o( ) methods(depending on whether you want to find references to or from an address), and subsequently

populated using next _f r om( ) or next _t o( ) as you traverse through the references.
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


21/109


The variables within this structure are shown below and commentary is mostly from xr ef . hpp. Themethods (f i r st _ f r om, f i r s t _ t o, next _f r om and next _t o) have been left out, but will becovered in Chapter 5 -Functions.

str uct xrefbl k_t

{ea_t f r om; / / t he r ef er enci ng addr essea_t t o; / / t he r ef er enced addr essuchar i scode; / / 1- i s code r ef er ence; 0- i s dat a r ef er enceuchar t ype; / / one of t he cref _t or dr ef _t t ypes ( see

/ / secti on 4. 2. 5. 2 and 4. 2. 5. 3). . .};

As indicated by the i scodevariable, xr ef bl k_t can contain information about a code reference or adata reference, each of which could be one of a few possible reference types, as indicated by thet ypevariable. These code and data reference types are explained in the following two sections.

The below code snippet will give you cross reference information about the address your cursor iscurrently positioned at:


xr ef bl k_t xb;/ / Get t he addr ess of t he cur sor posi t i onea_t addr = get_scr een_ea( ) ;/ / Loop t hr ough al l cross r ef er encesf or ( bool r es = xb. f i r st _t o( addr , XREF_FAR) ; r es; r es = xb. next_ t o( ) ) {

msg( "From: %a, To: %a\ n" , xb. f r om, xb. t o) ;msg( "Type: %d, I sCode: %d\ n" , xb. t ype, xb. i scode) ;

}

4.2.5.2 Code

Here is the cref _t enum, with some irrelevant items taken out. Depending on the type of reference,the t ypevariable in xr ef bl k_t will be one of the below if i scodeis set to 1. The commentary forthe below is taken from xr ef . hpp.

enum cref _t{. . .

f l _CF = 16, / / Cal l Far/ / Thi s xr ef creat es a f uncti on at t he/ / r ef er enced l ocat i on

f l _CN, / / Cal l Near/ / Thi s xr ef creat es a f uncti on at t he/ / r ef er enced l ocat i on

f l _ J F, / / J ump Farf l _J N, / / J ump Nearf l _F, / / Or di nar y f l ow: used t o speci f y execut i on

/ / f l ow t o t he next i ns t ruct i on.. . .};

Below is a code cross reference taken from a sample binary file. In this case, 712D9BFEis referencedby 712D9BF6, which is a near jump (f l _ J N) code reference type.


22/109


. t ext : 712D9BF6 j z shor t l oc_712D9BFE

. . .

. t ext : 712D9BFE l oc_712D9BFE:

. t ext : 712D9BFE l ea ecx, [ ebp+var _14]

4.2.5.3 DataIf i scodein xr ef bl k_t is set to 0, it is a data cross reference. Here are the possible t ypemembervalues when you're dealing with a data cross reference. The commentary for this enum is also taken

from xr ef . hpp.

enum dr ef _t{. . .

dr _O, / / Of f set/ / The r ef er ence uses ' of f set ' of dat a/ / r at her t han i t s val ue/ / OR/ / The r ef erence appear ed because

/ / t he "OFFSET" f l ag of i nstr ucti on i s set ./ / The meani ng of t hi s t ype i s I DP dependent .

dr _W, / / Wr i t e accessdr _R, / / Read access

. . .};

Keep in mind that when you see the following in a disassembly, you are actually looking at a data

cross reference, whereby 712D9BD9 is referencing 712C119C:

. i dat a: 712C119C ext r n wspr i nt f A: dword

. . .

. t ext : 712D9BD9 cal l ds: wspr i nt f A

In this case, the t ypemember of xr ef bl k_t would be the typical dr_R, because it's simply doing aread of the address represented by ds: wspr i nt f A. Another data cross reference is below, where thePUSHinstruction at 712EABE2is referencing a string at 712C255C:

. t ext : 712C255C aVers i on:

. t ext : 712C255C uni code 0, , 0

. . .

. t ext : 712EABE2 push of f set aVers i on

The t ypemember of xr ef bl k_t would be dr_Oin this case, because it's accessing the data as anoffset.

4.3 Byte Flags

For each byte in a disassembled file, IDA records a corresponding four byte (32-bits) value, stored in

the i d1 file. Of these four bytes, each half-byte (four bits or nibble) is a flag, which represents anitem of information about the byte in the disassembled file. Thelast byte of the four flag bytes is theactual byte at that address within the disassembled file.

For example, the instruction below takes up a single byte (0x55) in the file being disassembled:

. t ext : 010060FA push ebp

The IDA flags for the above address in the file being disassembled are 0x00010755; 0001007being the flag component and 55being the byte value at that address in the file. Keep in mind that the


23/109


address has no bearing on the flags at all, nor is it possible to derive flags from the address or bytes

themselves - you need to use get Fl ags( ) to get the flags for an address (more on this below).

Obviously, not all instructions are one byte in size; take the below instruction for example, which is

three bytes (0x83 0xEC 0x14). The instruction is therefore spread across three addresses;0x010011DE, 0x010011DFand 0x010011E0:

. t ext : 010011DE sub esp, 14h

. t ext : 010011E1 . . .

Here are the corresponding flags for each byte in this instruction:

010011DE: 41010783010011DF: 001003EC010011E0: 00100314

Because these three bytes belong to the one instruction, the first byte of the instruction is referred toas the head, and the other two are tail bytes. Once again, notice that the last byte of each flag-set is

the corresponding byte of the instruction (0x83, 0xEC, 0x14).

All flags are defined in byt es. hpp, and you can check whether a flag is set by using the flagsetreturned from get Fl ags( ea_t ea) as the argument to the appropriate flag-checking wrapperfunction. Here are some common flags along with their wrapper functions which check for theirexistence. Some functions are covered in Chapter 5 - Functions, for others you should look inbyt es. hpp:

Flag Name Flag Indication Wrapper function

FF_CODE 0x00000600L Is the byte code? i sCode( )

FF_DATA 0x00000400L Is the byte data? i sDat a( )

FF_TAI L 0x00000200L Is this byte a part (non-head) of an

instruction data chunk?

i sTai l ( )

FF_UNK 0x00000000L Was IDA unable to classify thisbyte?

i sUnknown()

FF_COMM 0x00000800L Is the byte commented? has_cmt ( )

FF_REF 0x00001000L Is the byte referenced elsewhere? hasRef ( )

FF_NAME 0x00004000L Is the byte named? has_name( )

FF_FLOW 0x00010000L Does the previous instruction flowhere?

i sFl ow( )

Going back to the first push ebp example above, if we were to manually check the flags returned

from get Fl ags( 0x010060FA) against a couple of the above flags, wed get the following results:

0x00010755 & 0x00000600 ( FF_CODE) = 0x00000600. We know this is code.0x00010755 & 0x00000800 ( FF_COMM) = 0x00000000. We know this isn't commented.

The above example is purely for illustrative purposes - don't do it this way in your plug-in. Asmentioned above, you should always use the helper functions to check whether a flag is set or not.The following will return the flags for the given head address yourcursor is positioned at in IDA.


msg( "%08x\ n", get Fl ags( get _scr een_ea( ) ) ) ;


24/109


4.4 The Debugger

One of the most powerful features of the IDA SDK is the ability to interact with the IDA debugger, andunless you've installed your own custom debugger plug-in, it will be one of the debugger plug-ins thatcame with IDA. The following debugger plug-ins come with IDA by default, and can be found in yourIDA pl ugi nsdirectory:

Plugin Filename Descript ion

wi n32_user . pl w Windows local debugger

wi n32_st ub. pl w Windows remote debugger

l i nux_user . pl w Linux local debugger

l i nux_st ub. pl w Linux remote debugger

These are automatically loaded by IDA and made available at start-up under the Debugger->Run

menu. From here on, the term "debugger" will represent which ever of the above you are using (IDAwill choose the most appropriate one for you by default).

As mentioned earlier, it is possible to write debugger modules for IDA, but this isn't to be confused withwriting plug-in modules that interact with the debugger. The second type of plug-in is what's describedbelow.

Aside from all the functions provided for interacting with the debugger, which will be explored later inChapter 5 - Functions, there are some key data structures and classes that are essential tounderstand before moving ahead.

4.4.1 The debugger_t Struct

The debugger _t struct, defined in i dd. hppand exported as *dbg, represents the currently activedebugger plug-in, and is available when the debugger is loaded (i.e. at start-up, not just when you runthe debugger).

st r uct debugger _t{. . .

char *name; / / Shor t debugger name l i ke ' wi n32' or ' l i nux'#def i ne DEBUGGER_I D_X86_I A32_WI N32_USER 0 / / User l and wi n32 processes#def i ne DEBUGGER_I D_X86_I A32_LI NUX_USER 1 / / User l and l i nux pr ocesses

r egi ster_ i nf o_t *regi sters; / / Ar ray of r egi stersi nt r egi st er s_si ze; / / Number of r egi st er s

. . .}

As a plug-in module, it's likely that you'll need to access the *name variable, possibly to test whatdebugger your plug-in is running with. The *regi ster s and r egi sters_s i ze variables are alsouseful for obtaining a list of registers available (see the following section).

4.4.2 Registers

A common task while using the debugger is accessing and manipulating register values. In the IDA

SDK, a register is described by the regi ster_ i nf o_t struct, and the value held by a register isrepresented by the r egval _t struct. Below is a slightly cut-down r egi ster _ i nf o_t struct, which isdefined in i dd. hpp.
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


25/109


str uct regi ster _ i nf o_t{

const char *name; / / Regi st er f ul l name ( EBX, et c. )ul ong f l ags; / / Regi ster speci al f eat ur es,

/ / whi ch can be any combi nat i on/ / of t he bel ow.

#def i ne REGI STER_READONLY 0x0001 / / t he user can' t modi f y/ / t he cur r ent val ue of t hi s/ / regi s ter

#def i ne REGI STER_I P 0x0002 / / i nst r uct i on poi nt er#def i ne REGI STER_SP 0x0004 / / st ack poi nter#def i ne REGI STER_FP 0x0008 / / f r ame poi nter#def i ne REGI STER_ADDRESS 0x0010 / / Regi st er can contai n an address. . .};

The only instance of this structure is accessible as the array member *r egi sters of *dbg (aninstance of debugger _t ), therefore it is up to the debugger you're using to populate it with the list ofregisters available on your system.

To obtain the value for any register, it's obviously essential that the debugger be running. Thefunctions for reading and manipulating register values will be covered in more detail in Chapter 5 -

Functions, but for now, all you need to know is to retrieve the value using the i val member ofr egval _t , or use f val if you're dealing with floating point numbers.

Below is r egval _t , which is defined in i dd. hpp.

str uct r egval _t{

ul ongl ong i val ; / / I nt eger val ueushor t f val [ 6] ; / / Fl oat i ng poi nt val ue i n t he i nt er nal

/ / r epr esent at i on ( see i eee. h)

};

i val / f val will correspond directly to what is stored in a register, so if EBXcontains 0xDEADBEEF,i val (once populated using get _r eg_val ( ) ), will also contain 0xDEADBEEF.

The following example will loop through all available registers, displaying the value in each. If you run

this outside of debug mode, the value will be 0xFFFFFFFF:

#i ncl ude

/ / Loop t hr ough al l r egi st er sf or ( i nt i = 0; i < dbg- >r egi st er s_si ze; i ++) {

r egval _t val ;

/ / Get t he val ue st or ed i n t he r egi st erget _r eg_val ( ( dbg- >r egi st er s+i ) - >name, &val ) ;msg( "%s: %08a\ n" , ( dbg- >r egi st er s+i ) - >name, val . i val ) ;

}

4.4.3 Breakpoints

A fundamental component of debugging is breakpoints, and IDA represents hardware and software

breakpoints differently using the bpt _t struct, shown below and defined in dbg. hpp. Hardwarebreakpoints are created using debug-specific registers on the running CPU (DR0- DR3 on x86),whereas software breakpoints are created by inserting an I NT3 instruction at the desired breakpoint

address - although this is handled for you by IDA, it's sometimes helpful to know the difference. Onx86, the maximum number of hardware breakpoints you can set is four.
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


26/109


struct bpt_t{

/ / r ead onl y char acter i st i cs:ea_t ea; / / st ar t i ng addr ess of t he br eakpoi ntasi ze_t s i ze; / / s i ze of t he br eakpoi nt

/ / ( undef i ned i f sof t war e br eakpoi nt )

bpt t ype_t t ype; / / t ype of t he br eakpoi nt :/ / Taken f r om t he bpt t ype_t const def i ni t i on i n i dd. hpp:/ / BPT_EXEC = 0, / / Execut e i nst r uct i on/ / BPT_WRI TE = 1, / / Wr i t e access/ / BPT_RDWR = 3, / / Read/ wr i t e access/ / BPT_SOFT = 4; / / Sof t war e br eakpoi nt

/ / modi f i abl e char acteri st i cs ( use updat e_bpt ( ) t o modi f y) :i nt pass_ count ; / / how many t i mes does t he execut i on r each

/ / t hi s br eakpoi nt ? ( - 1 i f undef i ned)i nt f l ags ;

#def i ne BPT_BRK 0x01 / / does t he debugger st op on t hi s breakpoi nt ?#def i ne BPT_TRACE 0x02 / / does t he debugger add t r ace i nf ormat i on

/ / when t hi s br eakpoi nt i s r eached?char condi t i on[ MAXSTR] ; / / an I DC expr essi on whi ch wi l l be used as

/ / a br eakpoi nt condi t i on or r un when the/ / br eakpoi nt i s hi t

};

Therefore, if the t ypemember of bpt _t is set to 0, 1or 3, it is a hardware breakpoint, whereas 4would indicate a software breakpoint.

There are a lot of functions that create, manipulate and read this struct, but for now, I'll provide asimple example that goes through all defined breakpoints and display whether they are a software orhardware breakpoint in IDA's Logwindow. The functions used will be explained in more detail furtheron.

#i ncl ude

/ / get _bpt _qty( ) get s t he number of br eakpoi nt s def i nedf or ( i nt i = 0; i < get _bpt _qt y( ) ; i ++) {

bpt _t br kpnt ;/ / get n_bpt f i l l s bpt _t st r uct wi t h br eakpoi nt i nf or mat i on based/ / on t he br eakpoi nt number suppl i ed.get n_bpt ( i , &br kpnt ) ;/ / BPT_SOFT i s a sof t war e br eakpoi nti f ( brkpnt . t ype == BPT_SOFT)

msg("Sof t ware br eakpoi nt f ound at %a\ n" , br kpnt . ea) ;el se

msg( "Hardware br eakpoi nt f ound at %a\ n" , br kpnt . ea) ;}

4.4.4 Tracing

In IDA, there are three types of tracing you can enable; Function tracing, Instruction tracing andBreakpoint (otherwise known as read/write/execute) tracing. When writing plug-ins, an additional formof tracing is available; Step tracing. Step tracing is a low level form of tracing that allows you to buildyour own tracing mechanism on top of it, utilising event notifications (see section 4.5) to inform yourplug-in of each instruction that is executed. This is based on CPU tracing functionality, notbreakpoints.

A "trace event" is generated and stored in a buffer when a trace occurs, and what triggers the

generation of a trace event depends on the type of tracing you have enabled, however it's worth notingthat step tracing will not generate trace events, but event notifications instead. The below table lists all

the different trace event types along with the corresponding t ev_t ype_t enum value, which isdefined in dbg. hpp.
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


27/109


Trace Type Event Type(tev_type_t)

Description

Function call and return t ev_cal l and tev_ret A function has been called or returnedfrom

Instruction t ev_i nsn An instruction has been executed (this isbuilt on top of step tracing in the IDAkernel)

Breakpoint t ev_bpt A breakpoint with tracing enabled hasbeen hit. Also known as aRead/Write/Execute trace

All trace events are stored in a circular buffer, so it never fills up, but old trace events will be

overwritten if the buffer is too small. Each trace event is represented by the t ev_i nf o_t struct, whichis defined in dbg. hpp:

str uct t ev_i nf o_t

{t ev_t ype_t t ype; / / Trace event t ype ( one of t he above or t ev_none)t hr ead_i d_t t i d; / / Thr ead wher e t he event was recordedea_t ea; / / Addr ess where t he event occur r ed

};

Based on the bpt _t struct described in section 4.4.3, a breakpoint trace is the same as a normalbreakpoint but has the BPT_TRACEflag set on the f l ags member. Optionally, the condi t i onbuffermember could have an IDC command to run at each breakpoint.

Trace information is populated during the execution of a process, but can be accessed even once theprocess has exited and you are returned to static disassembly mode (unless a plug-in you are usingexplicitly cleared the buffer on exit). You can use the following code to enumerate all trace events

(provided you enabled it during exeucution):

#i ncl ude

/ / Loop t hr ough al l t r ace event sf or ( i nt i = 0; i < get _t ev_qt y( ) ; i ++) {

r egval _t esp;t ev_i nf o_t t ev;

/ / Get t he t r ace event i nf or mat i onget _t ev_i nf o( i , &t ev) ;

swi t ch ( t ev. t ype) {

case t ev_r et :msg( "Funct i on r et ur n at %a\ n" , t ev. ea) ;br eak;

case t ev_cal l :msg( "Funct i on cal l ed at %a\ n" , t ev. ea) ;br eak;

case t ev_i nsn:msg( " I nst r uct i on execut ed at %a\ n", t ev. ea) ;br eak;

case t ev_bpt :msg( "Br eakpoi nt wi t h t r aci ng hi t at %a\ n", t ev. ea) ;br eak;

def aul t :

msg( "Unknown t r ace t ype. . \ n" ) ;}

}


28/109


It's worth noting at this point that it's not possible for a plug-in to add entries to, or even modify thetrace event log.

All of the functions used above will be covered in Chapter 5 -Functions.

4.4.5 Processes and Threads

IDA maintains information about the processes and threads currently running under the debugger.

Process and Thread IDs are represented by the pr ocess_i d_t and t hr ead_i d_t types,respectively and both are signed integers. All of these types are defined in i dd. hpp. The only othertype, related to processes, is the pr ocess_i nf o_t type, which is as follows:

st r uct pr ocess_i nf o_t{

pr ocess_i d_t pi d; / / Pr ocess I Dchar name[ MAXSTR] ; / / Pr ocess Name ( execut abl e f i l e name)

};

These are only of use when a binary is being executed under IDA (i.e. you can't use them when instatic disassembly mode). The following example illustrates a basic example usage of the

pr ocess_i nf o_t structure.

#i ncl ude

/ / Get t he number of pr ocesses avai l abl e f or debuggi ng./ / get _pr ocess_qt y( ) al so i ni t i al i ses I DA' s "pr ocess snapshot "i f ( get _pr ocess_qt y() > 0) {

process_i nf o_t pi f ;get _pr ocess_i nf o( 0, &pi f ) ;msg( " I D: %d, Name: %s\ n" , pi f . pi d, pi f . name) ;

} el se {msg("No pr ocess r unni ng! \ n") ;

}

The functions that utilise these structures will be discussed under Chapter 5 -Functions.

4.5 Event Notifications

Typically, plug-ins are run synchronously, in that they are executed by the user, either via pressing thehot-key or going through the Edit->Plugins menu. A plug-in can, however, run asynchronously,

where it responds to event notifications generated by IDA or the user.

During the course of working in IDA, you'd typically click buttons, conduct searches, and so on. All ofthese actions are "events", and so what IDA does is generate "event notifications" each time thesethings take place. If your plug-in is setup to receive these notifications (explained below), it can react inany way you program it to. An application for this sort of thing could be recording macros for instance.A plug-in can also generate events, causing IDA to perform various functions.

4.5.1 Receiving Notification

To receive event notifications from IDA, all a plug-in has to do is register a call-back function using

hook_t o_not i f i cat i on_poi nt ( ) . For generating event notifications, cal l ui ( ) is used, which iscovered in more detail in Chapter 5 - Functions.

When registering a call-back function with hook_t o_not i f i cat i on_poi nt ( ) , you can specify oneof three event types, depending on what notifications you want to receive. These are defined in thehook_t ype_t enum within l oader . hpp:
http://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htmhttp://www.iceni.com/unlock-pro.htm


29/109


Type Receive Event Notifications From Enum of All Event Notification Types

HT_I DP Processor module i dp_not i f y(not covered here)

HT_UI IDA user interface ui _not i f i cat i on_t

HT_DBG Currently running IDA debugger dbg_not i f i cat i on_t

Therefore, to receive all event notifications pertaining to the debugger and direct them to your

dbg_cal l back(for example) call-back function, you could put the following inside I DAP_i ni t ( ) :

hook_t o_not i f i cat i on_poi nt ( HT_DBG, dbg_cal l back, NULL) ;

The third argument is typically NULL, unless you want to pass data along to the call-back functionwhen it receives an event (any data structure of your choosing).

The call-back function supplied to hook_t o_not i f i cat i on_poi nt ( ) must look something like this:

i nt i daapi mycal l back ( voi d *user _dat a, i nt not i f _code, va_l i st va)

{. . .r et ur n 0;

}

When mycal l back( ) is eventually called by IDA to handle an event notification, user_dat a willpoint to any data you specified to have passed along to the call-back function (defined in the call to

hook_t o_not i f i cat i on_poi nt ( ) ). not i f _code will be the actual event identifier (listed in thefollowing two sections) and va is any data supplied by IDA along with the event, possibly to providefurther information.

The call-back function should return 0if it permits the event notification to be handled by subsequenthandlers (the typical scenario), or any other value if it is to be the only/last handler.

Something worth remembering is if you use hook_t o_not i f i cat i on_poi nt ( ) in your plug-in, youmust also use unhook_f r om_not i f i cat i on_poi nt ( ) , either once you no longer need to receivenotifications, or inside your I DAP_t erm( ) function. This will avoid unexpected segmentation faultswhen exiting IDA. Going by the example above, to unhook the hooked notification point, it would bedone like this:

unhook_f r om_not i f i cat i on_poi nt ( HT_DBG, dbg_cal l back, NULL) ;

4.5.2 UI Event Notifications

ui _not i f i cat i on_t is an enum defined in ker nwi n. hpp, and contains all user interface eventnotifications that can be generated by IDA or a plug-in. To register for these event notifications, you

must use HT_UI as the first argument to hook_t o_not i f i cat i on_poi nt ( ) .

The following two lists show some of the event notifications that can be received and/or generated bya plug-in. These are only a sub-set of possible event notifications; what's listed are the more generalpurpose ones.

Although the below can be generated by a plug-in using cal l ui ( ) , most have helper functions,which means you don't need to use cal l ui ( ) and can just call the helper function instead.

Event Notification Descript ion Helper Function

ui _j umpt o Moves the cursor to an address j umpt o

ui _scr eenea Return the address where thecursor is currently positioned

get _scr een_ea


30/109


ui _r ef r esh Refresh all disassembly views r ef r esh_i davi ew_anyway

ui _mbox Display a message box to theuser

vwar ni ng, vi nf o andmore.

ui _msg Print some text in IDA's Logwindow

deb,

Documents

cbj212005calliefida-100719092852-phpapp01