Previous Chapter

B. IDC/SDK Cross-Reference

About the Author

Index

A note on the digital index

A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.

Symbols

#define statements, IDC Objects
#hint text# element, Creating Customized Forms with the SDK
#ifdef block, IDC Programs
#ifdef/#else block, IDC Programs
$ idc_array, Data Storage in Netnodes, Extending IDC
$ prefix, Creating Netnodes
$HOME/.idapro/ida.key, Linux Console Specifics
$HOME/.idapro/ida.reg file, Launching IDA, The Console Configuration File: idatui.cfg
-A option, Using IDA’s Batch Mode
-a option, Identifying and Acquiring Static Libraries
-a switch, The Strings Window
-B option, Using IDA’s Batch Mode
-c option, Using IDA’s Batch Mode
-e command-line argument, strings
-fomit-frame-pointer compiler option, Stack Frame Examples
-L option, ldd
-n option (loadint), Augmenting Predefined Comments with loadint
-n option (sigmake), Creating Signature Files
-P<password> command-line option, Using a Hex-Rays Debugging Server
-p<port number> command-line option, Using a Hex-Rays Debugging Server
-S option (IDA), Using IDA’s Batch Mode
-t command-line argument (strings), strings
-v command-line option (debugging server), Using a Hex-Rays Debugging Server
.class file, x86emu and Anti-debugging
.def files, Other processor_t Members
.h suffix, The IDA Application Programming Interface
.headers program segment, x86emu Initialization
.headers section, Manually Loading a Windows PE File
.heap database segment, x86emu Initialization
.hpp suffix, The IDA Application Programming Interface
.id0 file, IDA Database Files
.id1 file, IDA Database Files
.idata section, Using the Assemble Dialog
.idb extension, IDA Database Creation
.idb files, Augmenting Function Information, collabREate
.idt file, Enumerating Exported Functions
.idt generator script, Enumerating Instructions
.memcpy, Enumerating Cross-References
.nam file, IDA Database Files
.plt section, Discovering New Vulnerabilities with IDA
.pyc files, IDA Processor Modules, The Emulator
.rdata section, Manually Loading a Windows PE File, Jump Tables and Switch Statements
.sig file, Applying FLIRT Signatures
.stack database segment, x86emu Initialization
.tar file, IDA Support Resources
.text section, Using the Assemble Dialog, Manually Loading a Windows PE File, Manually Loading a Windows PE File, Locating main
.xinitrc file, OS X Console Specifics
.Xmodmap file, OS X Console Specifics
1 byte of storage (db), IDA Stack Views
2 bytes of storage (dw), IDA Stack Views
32-bit version, vs. 64-bit version, IDA and SELinux
4 bytes of storage (dd), IDA Stack Views
64-bit version, vs. 32-bit version, IDA and SELinux
8-byte doubles, Structure Member Access
<IDADIR> install location, IDA Support Resources
_cdecl modifier, Stack Frames
_exit function, Locating main
_stdcall modifier, The C Calling Convention
__p__environ library function, Locating main
__usercall calling convention, Alternative Calling Conventions
“Windows Anti-Debug Reference” article, Import Table Reconstruction

A

A hotkey, Specifying Data Sizes

A suffix, ASCII strings, Imported Function Obfuscation

Abort command, The GUI Configuration File: idagui.cfg

absolute jumps, Disassembly Desynchronization

accept_file function, Writing an IDA Loader Using the SDK, The Simpleton Loader, The Simpleton Loader, A pcap Loader for IDA

ACCEPT_FIRST flag, Writing an IDA Loader Using the SDK

accept_simpleton_file function, The Simpleton Loader, A pcap Loader for IDA

accept_simpleton_loader function, The Simpleton Loader

access specifiers, IDC, IDC Functions

Actions box, Breakpoint Settings dialog, Breakpoints

activation records, IDA Text View, Navigation History

ActiveSync, Launching the Debugger

Add Breakpoint option, Basic x86emu Operation, Breakpoints

Add standard structure button, Create Structure/Union dialog, Creating a New Structure (or Union), Using Standard Structures

Add Watch option, Stack Traces

AddBpt function, Scripting Debugger Actions, Import Table Reconstruction

AddBptEx function, Scripting Debugger Actions

AddEntryPoint function, Manually Loading a Windows PE File

AddHotkey function, Associating IDC Scripts with Hotkeys

Address box, Breakpoint Settings dialog, Breakpoints

Address field, Assemble Instruction dialog, Using the Assemble Dialog

AddressOfEntryPoint field, Manually Loading a Windows PE File

ADDSEG_XXX values, Segment Manipulation

add_auto_stkpnt2 function, The Emulator, The Emulator

add_entry function, The Simpleton Loader

add_segm functions, Segment Manipulation

add_segm_ex function, Segment Manipulation

add_struc function, Structure Manipulation

add_struc_member function, Structure Manipulation

add_til functions, A pcap Loader for IDA

add_til2 function, A pcap Loader for IDA

advanced mode toolbar, Introduction to the IDA Desktop, IDA Colors

aiSee, GDL viewer, Linux Console Specifics

AL register, Script-Oriented De-obfuscation

algorithmic analysis, Jump Tables and Switch Statements

alias = register syntax, Named Locations

alignment, Manually Loading a Windows PE File

All segments button, Memory snapshot confirmation dialog, IDA Databases and the IDA Debugger

allins.hpp file, Augmenting Predefined Comments with loadint, Useful SDK Datatypes

allmake.mak file, SDK Layout

allmake.unx file, SDK Layout

Allocate Heap Block option, Functions menu, x86emu and Anti-debugging

Allocate Stack Block option, Functions menu, x86emu and Anti-debugging

alphabetically sorting, in Functions window, Jump to Address

alt-B hotkey, Text Searches

alt-F8 hotkey, Emulation-Oriented De-obfuscation

alt-H hotkey, The Console Configuration File: idatui.cfg

alt-K hotkey, Function Attributes

alt-L (Anchor) command, IDA-Generated ASM Files

alt-P hotkey, Augmenting Function Information, Locating main

alt-Q hotkey, Using Structure Templates

alt-x method, Common Features of Console Mode

alternate display format, selecting, IDA Stack Views

altset function, Data Storage in Netnodes

altvals, Data Storage in Netnodes

Amini, Pedram, The GUI Configuration File: idagui.cfg

ana function, The Emulator

ana.cpp file, Basic Initialization of the LPH Structure

analysis.idc script, Using IDA’s Batch Mode

analyzer, for processor modules, Basic Initialization of the LPH Structure

analyzing, Jump Tables and Switch Statements, Jump Tables and Switch Statements, Static De-obfuscation of Binaries Using IDA

algorithms, Jump Tables and Switch Statements
binary, for different platform, Static De-obfuscation of Binaries Using IDA

Anchor (alt-L) command, IDA-Generated ASM Files

android_server server component, Remote Debugging with IDA

anterior and posterior lines, Anterior and Posterior Lines

anti-debugging, Detecting Debuggers, x86emu and Anti-debugging, Import Table Reconstruction, Import Table Reconstruction

and x86emu emulation-oriented de-obfuscation of binaries, x86emu and Anti-debugging
hiding debugger, Import Table Reconstruction
technique, Detecting Debuggers

antipiracy techniques, Hex-Rays’ Stance on Piracy

anti–dynamic analysis techniques, Targeted Attacks on Analysis Tools, Anti–Dynamic Analysis Techniques, Detecting Virtualization, Detecting Instrumentation, Detecting Debuggers

detecting debuggers, Detecting Instrumentation
detecting instrumentation, Detecting Virtualization
detecting virtualization, Targeted Attacks on Analysis Tools
preventing debugging, Detecting Debuggers

anti–reverse engineering techniques, Obfuscated Code Analysis

anti–static analysis techniques, Obfuscated Code Analysis, Anti–Static Analysis Techniques, Disassembly Desynchronization, Opcode Obfuscation, Imported Function Obfuscation

disassembly desynchronization, Obfuscated Code Analysis
dynamically computed target addresses, Disassembly Desynchronization
imported function obfuscation, Opcode Obfuscation
targeted attacks on analysis tools, Imported Function Obfuscation

Apache web server, ldd

API (Application Programming Interface), SDK Layout, The IDA Application Programming Interface, Netnodes, Netnodes, Creating Netnodes, Deleting Netnodes and Netnode Data, Useful SDK Datatypes, Commonly Used SDK Functions, Iteration Techniques Using the IDA API

header files, The IDA Application Programming Interface

iteration techniques using, Iteration Techniques Using the IDA API

netnodes, Netnodes, Netnodes, Creating Netnodes, Deleting Netnodes and Netnode Data

creating, Netnodes
data storage in, Creating Netnodes
deleting, Deleting Netnodes and Netnode Data

SDK datatypes, Useful SDK Datatypes

SDK functions, Commonly Used SDK Functions

App TRK, Launching the Debugger

Appcall feature, for Bochs, Appcall

Appcall variable, Appcall

Append Function Tail option, Function Chunks

Application option, debugger process options dialog, Using a Hex-Rays Debugging Server

Application Programming Interface. See API, The Signatures Window

Apply new signature option, Signatures window, The Signatures Window

ar2idt.exe parser, IDS Files

architectures, The Analyzer, Customizing Existing Processors, Customizing Existing Processors

of processor modules, Customizing Existing Processors
RISC-style, The Analyzer

archive files, Loading New TIL Files

area control block, Enumerating Functions

area.hpp, Header Files Overview, Enumerating Functions

areacb_t class, Iteration Techniques Using the IDA API

areacb_t variables, Iteration Techniques Using the IDA API

area_t (area.hpp), datatypes for SDK, Header Files Overview, Header Files Overview, Useful SDK Datatypes

argc, Locating main, Locating main

argv, Locating main, Locating main

arg_ prefix, IDA Stack Views

arithmetic instructions, simple, Recursive Descent Disassembly

ARM code, Processor Module Architecture

armlinux_server server component, Remote Debugging with IDA

array access operations, Heap-Allocated Arrays, Data Cross-References

array elements, Specifying Arrays, Array Member Access, Array Member Access

accessing, Array Member Access
selecting size for, Specifying Arrays

Array option, Specifying Arrays

array tag parameter, Data Storage in Netnodes

Array-creation dialog, Working with Strings

array-manipulation functions, Persistent Data Storage in IDC

arrays, Working with Strings, Recognizing Data Structure Use, Array Member Access, Stack-Allocated Arrays, Heap-Allocated Arrays, Heap-Allocated Arrays, Globally Allocated Structures, Stack-Allocated Structures, Stack-Allocated Structures, Heap-Allocated Structures

attributes for, Working with Strings
globally allocated arrays, Array Member Access
globally allocated structures, Globally Allocated Structures
heap-allocated arrays, Heap-Allocated Arrays
heap-allocated structures, Stack-Allocated Structures
of structures, Heap-Allocated Structures
stack-allocated arrays, Stack-Allocated Arrays
stack-allocated structures, Stack-Allocated Structures
structure member access, Heap-Allocated Arrays

arrows window, IDA text view, IDA Text View

AR_LONG constant, Persistent Data Storage in IDC

AR_STR constant, Persistent Data Storage in IDC

ASCII characters, Basic Data Transformations, Imported Function Obfuscation

Ascii column, PDF Objects window, IdaPdf

ASCII dump, searching, Text Searches

ASCII printable characters, strings

ASCII String Style option, Option menu, Specifying Data Sizes

ASCII strings, Imported Function Obfuscation

asc_ prefix, Working with Strings

ash variable, Header Files Overview, The Outputter

asize_t get_struc_size function, Structure Manipulation

AskFile function, Functions for Reading and Modifying Data, File Input/Output Functions

askfile_c function, Basic Database Access

AskStr function, Functions for Reading and Modifying Data

askstr function, Basic Database Access

AskUsingForm_c dialogs, Creating Customized Forms with the SDK

AskUsingForm_c function, Basic Database Access, Using the SDK’s Chooser Dialogs, Creating Customized Forms with the SDK

AskXXX functions, Functions for Reading and Modifying Data, Header Files Overview

askXXX interface functions, Plug-in User Interface Options

AskYN function, Functions for Reading and Modifying Data

askyn_c function, Basic Database Access

ASM files, generating, IDA-Generated MAP Files

asms, Other processor_t Members, Other processor_t Members, Other processor_t Members

data member, Other processor_t Members
field, Other processor_t Members

asm_t struct, Writing a Processor Module Using the SDK, The Outputter, Other processor_t Members

ASPack program, Opcode Obfuscation

ASProtect program, Opcode Obfuscation

Assemble dialog, Changing Individual Database Bytes

Assemble Instruction dialog, Using the Assemble Dialog

Assemble option, Patch Program menu, Changing Individual Database Bytes

assembler tool, Introduction to Disassembly

assembly language call statement, Inheritance Relationships

assembly languages, Disassembly Theory

Assume GCC v3.x names checkbox, Name Mangling

* (asterisk key), Editing Structure Members

asterisk key (*), Editing Structure Members

asynchronous communications, collabREate

asynchronous interaction, Automating Debugger Actions with IDA Plug-ins

Asynchronous Sockets techniques, Windows, collabREate

AT&T assembly syntax, A Basic Disassembly Algorithm

atoll function, User Interaction Functions

Attach option, Debugger menu, The IDA Debugger, Launching the Debugger, Using a Hex-Rays Debugging Server

Attach to Process option, Debugger menu, Launching the Debugger, Attaching to a Remote Process

attributes, Function Chunks, Working with Strings, Working with Strings

for arrays, Working with Strings
for functions, Function Chunks

auto comments, Augmenting Predefined Comments with loadint

Auto comments option, Code Display Options

auto keyword, IDC, The IDC Language

auto.hpp, for API, Header Files Overview

Autogenerated name option, for named locations, Named Locations

autogenerated names, The Names Window, Named Locations, Named Locations

in Names window, Named Locations
prefixes for, The Names Window

B

B (button) field, Creating Customized Forms with the SDK

b parameter, IDA Stack Views, Virtual Functions and Vtables

B-tree–style database, IDA Database Files

Bachaalany, Elias, Attaching to a Remote Process

backdoor-style communications channels, Detecting Virtualization

backward navigation button, Navigation History

Bad instruction <BAD> marks option, Code Display Options

bar function, Commenting in IDA

base address, of array, Array Member Access

BaseClass, Virtual Functions and Vtables

basic blocks, IDA Graph View, IDA Graphing

basic mode toolbar, Introduction to the IDA Desktop, IDA Colors

batch mode, The Many Faces of IDA, OS X Console Specifics

BDS (Binary Diffing Suite), After-the-Fact Vulnerability Discovery with IDA

beginner mode, The Console Configuration File: idatui.cfg

big-endian, CUP, Linear Sweep Disassembly

bin directory, Creating FLIRT Signature Files, Creating FLIRT Signature Files, SDK Introduction

FLAIR tools, Creating FLIRT Signature Files
for SDK, SDK Introduction

binaries, Introduction to Disassembly, otool, otool, External Call Graphs, Locating Instruction Sequences

OS X Mach-O, otool
searches, Locating Instruction Sequences
statically linked, External Call Graphs
used in first-generation languages, Introduction to Disassembly

Binary Diffing Suite (BDS), After-the-Fact Vulnerability Discovery with IDA

binary executable files, file, Obfuscated Code Analysis

Binary File Descriptor library (libbfd), objdump

Binary File entry, Launching IDA

binary file obfuscation, PE Tools

binary files, IDA File Loading, Binary Files and IDA Loader Modules, Binary Files and IDA Loader Modules, Unknown File Analysis, IDA Loader Modules, IDA Loader Modules, IDA Loader Modules, The Simpleton Loader, The Simpleton Loader, A pcap Loader for IDA, Writing a Scripted Loader

alternative loaders, A pcap Loader for IDA

analysis of unknown files, Binary Files and IDA Loader Modules

loader for, IDA File Loading

loader modules for, IDA Loader Modules, IDA Loader Modules, IDA Loader Modules, The Simpleton Loader, The Simpleton Loader

overview, IDA Loader Modules
pcap loader, The Simpleton Loader
simpleton loader, The Simpleton Loader
writing using SDK, IDA Loader Modules

manually loading Windows PE file, Unknown File Analysis

scripted loaders, Writing a Scripted Loader

binary form, plug-ins, Real-World IDA Plug-ins

Binary Search dialog, Binary Searches

binary searches, of database, Text Searches

BINARY_ADD byte code instruction, Python Byte Code

BinDiff, After-the-Fact Vulnerability Discovery with IDA

BinNavi, IDAPython

binutils tool suite, GNU, objdump

block statement, The Object Life Cycle

blocking operation, The IDA Software Development Kit

blocks, in disassembly window, IDA Graph View

Bochs, Attaching to a Remote Process, Debugging with Bochs, Bochs IDB Mode, Bochs PE Mode, Appcall

Appcall feature for, Appcall
disk image mode for, Bochs PE Mode
IDB mode for, Debugging with Bochs
PE mode for, Bochs IDB Mode

Bochs configuration dialog, Debugging with Bochs

Bochs control module, Bochs PE Mode

bochsrc file, Bochs PE Mode

Borland, Building Processor Modules, Jump Tables and Switch Statements, Jump Tables and Switch Statements

code, Jump Tables and Switch Statements
tools, Building Processor Modules

Borland-style make files, Configuring a Build Environment

Borland’s Turbo Assembler (TASM), A Basic Disassembly Algorithm

BOUNDS problem, Problems Window, The Problems Window

BP based frame attribute, Function Attributes, Locating main

BP equals to SP attribute, Function Attributes

bpt_NtContinue function, Dealing with Exceptions

{ } (bracing) syntax, IDC Statements

bracing ({ }) syntax, IDC Statements

branches, Code Cross-References

Break checkbox, Breakpoint Settings dialog, Breakpoints

break statement, Emulating Assembly Language Behavior

Breakpoint List option, Debugger menu, Breakpoints

breakpoint manipulation tools, Basic Debugger Displays

Breakpoint Settings dialog, Breakpoints

breakpoints, in debugger, Process Control

bss section, The Hex View Window, Manually Loading a Windows PE File

buffer array, IDA Stack Views

Bug Reports forum, Hex-Rays bulletin board, Reporting Bugs

bugs, reporting, Reporting Bugs

BugScam scripts, Discovering New Vulnerabilities with IDA

build scripts, Emulation-Oriented De-obfuscation

BUILDING.txt file, IDAPython

bulletin boards, Hex-Rays, Reporting Bugs

bundled graphing applications, Function Calls

Burneye ELF encryption tool, Opcode Obfuscation, Script-Oriented De-obfuscation, Basic x86emu Operation, Emulator-Assisted De-obfuscation

button (B) field, Creating Customized Forms with the SDK

bximage tool, Bochs PE Mode

byte code, Disassembly Theory, Python Byte Code

Byte function, Useful IDC Functions

bytes.hpp file, Header Files Overview, The Outputter

byte_patched notification message, Event Notification

C

C enum, Enums window, The Enums Window

C hotkey, Using the Binary File Loader, Converting Data to Code (and Vice Versa)

C notation, Array Member Access

c parameter, IDA Stack Views

C++, Other Calling Conventions, Sharing TIL Files, C++ Reversing Primer, The this Pointer, Virtual Functions and Vtables, Name Mangling, Runtime Type Identification, Inheritance Relationships, Inheritance Relationships

calling conventions, Other Calling Conventions
inheritance relationships, Inheritance Relationships
name mangling in, Name Mangling
object life cycle in, Virtual Functions and Vtables
reverse engineering references, Inheritance Relationships
RTTI, Runtime Type Identification
this pointer in, Sharing TIL Files
virtual functions and vtables, The this Pointer

c++filt utility, dumpbin

C-like pseudocode, Hex-Rays

C-style strings, The Strings Window, Specifying Data Sizes

C-style union, Creating a New Structure (or Union)

calculator program, Windows, dumpbin

call esi instruction, Stack Frame Breakdown

call flow type, IDA Graph View, Code Cross-References

call graphs, External Call Graphs

call instructions, Formatting Instruction Operands, Enumerating Instructions, Script-Oriented De-obfuscation, Emulator-Assisted De-obfuscation, Discovering New Vulnerabilities with IDA

Call Stack dialog, Stack Traces

call statement, Disassembly Desynchronization

call-by-reference, IDC Functions

call-by-value, IDC Functions

call-style cross-references, Code Cross-References

callflow function, Code Cross-References

calling conventions, Stack Frames, Debug vs. Release Binaries, Alternative Calling Conventions

compiler differences for, Debug vs. Release Binaries
for stack frames, Stack Frames

callui function, Basic Database Access

call_vfunc function, Virtual Functions and Vtables

canned search features, Searching the Database

canonical feature (CF), The processor_t Struct

Capture the Flag, Emulating Assembly Language Behavior, Emulating Assembly Language Behavior, Analyzing Shellcode

binary, DEFCON, Emulating Assembly Language Behavior
network, DEFCON, Analyzing Shellcode

Case-sensitive option, Binary Searches

case-sensitive searches, Binary Searches, Locating Instruction Sequences

catalog, of named constants, Formatting Instruction Operands

cdecl calling convention, Stack Frames, Datatypes and Data Structures

cdecl functions, Function Attributes

CF (canonical feature), The processor_t Struct

cfg directory, The IDA Directory Layout

CF_CALL flag, The processor_t Struct

CF_CHGn flag, The processor_t Struct

CF_STOP flag, The processor_t Struct

CF_USEn flag, The processor_t Struct

Change Byte menu option, Patch Program, The Infamous Patch Program Menu

Change Color button, color selection dialog, IDA Colors

Change exception definition, Exception Handling dialog, Dealing with Exceptions

Change segment attributes dialog, IDA Databases and the IDA Debugger

Change Stack Pointer option, Function Attributes

Character terminated strings, Specifying Data Sizes

Characteristics field, Manually Loading a Windows PE File

charset function, Data Storage in Netnodes

charval function, Creating Netnodes, Data Storage in Netnodes

charval interface, Data Storage in Netnodes

CheckBptfunction, Scripting Debugger Actions

choose function, Basic Database Access, Plug-in User Interface Options

Choose project to attach to dialog, Launching the Debugger

choose2 dialog, Using the SDK’s Chooser Dialogs

choose2 function, Basic Database Access, Plug-in User Interface Options, Using the SDK’s Chooser Dialogs, Dealing with Exceptions

chooser dialog, Using the SDK’s Chooser Dialogs

chunked functions, Creating New Functions, Enumerating Instructions

CL register, Alternative Calling Conventions

Clampi trojan, Opcode Obfuscation

class constructor, The Object Life Cycle

Class Informer plug-in, RTTI Implementations, collabREate

class relationships, deducing between, Inheritance Relationships

click-and-drag operation, Converting Data to Code (and Vice Versa)

closing, IDA database files, IDA Database Creation

cmd variable, Basic Initialization of the LPH Structure, The Emulator

cmd.Operands array, The Analyzer, The Analyzer

cnbits field, Basic Initialization of the LPH Structure

code, Basic Code Transformations, Stack Pointer Adjustments, Converting Data to Code (and Vice Versa)

converting to data, Stack Pointer Adjustments
display options for, Basic Code Transformations

code argument, Creating Customized Forms with the SDK

code bytes, distinguishing from data bytes, Using the Binary File Loader

CODE class, Segment Manipulation

code cross-references, IDA Text View, Cross-References

Code option, Disassembly Desynchronization

CODE XREF, Cross-References

coding scheme, used in Names window, The Names Window

COFF libraries, Creating Pattern Files

collabREate plug-in, collabREate

Collapse Group button, IDA’s Integrated Graph View

collapsed node demo, IDA’s Integrated Graph View

collapsed structures, Editing Structure Members, Using Standard Structures

collapsing blocks, in disassembly window, IDA Graph View

Collect garbage option, Closing IDA Databases

collisions, Creating Pattern Files, Creating Signature Files

: (colon) hotkey, Commenting in IDA

colon (:) hotkey, Regular Comments

color key, Introduction to the IDA Desktop

color palettes, Linux Console Specifics

color selection dialog, IDA Colors

coloring nodes, IDA’s Integrated Graph View

colorized disassembly listings, IDA-Generated HTML Files

Colors command, Introduction to the IDA Desktop

colors, customizing, The Console Configuration File: idatui.cfg

Columns menu option, Hex window, The Hex View Window

comma operator, IDC Expressions

COMMAND function, Automating Debugger Actions with IDA Plug-ins

command history list, Thoughts on IDA’s User Interface

command-line, ldd, ldd, The Exports Window, The Segments Window, Basic Script Execution, Jump Tables and Switch Statements, Jump Tables and Switch Statements, Locating main, Locating main

arguments, ldd

tools, The Exports Window, The Segments Window, Basic Script Execution, Jump Tables and Switch Statements, Jump Tables and Switch Statements, Locating main, Locating main

Borland, Jump Tables and Switch Statements, Locating main
Exports window, The Exports Window
IDA, Basic Script Execution
Segments window, The Segments Window

Comment directive, Creating IDS Files

comment member, for plug-ins, Writing a Plug-in

comment.cmt file, Augmenting Predefined Comments with loadint

CommentEx function, Database Search Functions

commenting, Commenting in IDA, Regular Comments, Repeatable Comments, Repeatable Comments, Repeatable Comments, Anterior and Posterior Lines, Function Comments, Creating IDS Files, Creating IDS Files

anterior and posterior lines, Anterior and Posterior Lines
augmenting information for, with loadint, Creating IDS Files
auto, Creating IDS Files
function comments, Function Comments
overview, Commenting in IDA
regular comments, Regular Comments
repeatable comments, Repeatable Comments
virtual repeatable, Repeatable Comments

comments option, Code Display Options

common operations bar, console user interface, Console Mode IDA

compact_til function, A pcap Loader for IDA

Compilation successful message, parsing header files, Parsing C Structure Declarations

Compiler configuration dialog, Option menu, Parsing C Header Files

compiler differences, Compiler Personalities, Compiler Personalities, Compiler Personalities, Jump Tables and Switch Statements, Locating main, Locating main, Debug vs. Release Binaries

alternative calling conventions, Debug vs. Release Binaries
debug vs. release binaries, Locating main
jump tables, Compiler Personalities
locating main, Locating main
RTTI implementations, Jump Tables and Switch Statements
switch statements, Compiler Personalities

compiler validation, reasons for disassembly, Vulnerability Analysis

compilers, Navigation History, The C Calling Convention, The C Calling Convention, Structure Member Access, Structure Member Access

GNU, The C Calling Convention, Structure Member Access
utilizing stack frames, Navigation History

compiling functions, Other Calling Conventions

computer licenses, IDA Licenses

concrete_class object, Runtime Type Identification

Condition field, Breakpoint Settings dialog, Breakpoints

conditional branching, Conditional Branching Instructions, Code Cross-References

conditional breakpoints, Breakpoints

conditional jumps, Disassembly Desynchronization

configuration dialog, Bochs, Debugging with Bochs

configuration files, The IDA Directory Layout

configuring plug-ins, Installing Plug-ins

connect function, The Imports Window, Datatypes and Data Structures

console mode, Console Mode IDA, Common Features of Console Mode, Windows Console Specifics, Linux Console Specifics, Linux Console Specifics, OS X Console Specifics

common features of, Console Mode IDA

specific features of, Windows Console Specifics, Linux Console Specifics, Linux Console Specifics, OS X Console Specifics

for Linux, Linux Console Specifics
for OS X, OS X Console Specifics
for Windows, Windows Console Specifics

consoles, Console Mode IDA, Console Mode IDA, Console Mode IDA, Common Features of Console Mode, Linux Console Specifics

I/O library, Console Mode IDA
limitations of, Console Mode IDA
mouse server, Linux, Linux Console Specifics
user interface, Console Mode IDA

constant index values, Globally Allocated Structures

constants, formatting options for, Formatting Instruction Operands

CONTEXT record, Dealing with Exceptions

CONTEXT structure, Dynamically Computed Target Addresses, x86emu and Anti-debugging, Dealing with Exceptions

context-sensitive menus, IDA Data Displays, Names and Naming, Formatting Instruction Operands, Hex-Rays

Continue button, toolbar buttons, Basic Debugger Displays

Continue command, Basic Debugger Displays

Continue with Unpacked Base option, Reopening a Database

control flow graphs, Cross-References, External Flowcharts, IDA’s Integrated Graph View

control module, Bochs, Bochs IDB Mode

converting data, to code (and vice versa), Stack Pointer Adjustments

Cooper, Jeremy, Linux Console Specifics, OS X Console Specifics

copyright notices, Identifying and Acquiring Static Libraries

CPU flag, Disassembly Desynchronization, Basic Debugger Displays

CPU instructions, Code Display Options, The IDA Software Development Kit, The IDA Software Development Kit

sets, The IDA Software Development Kit
undocumented, Code Display Options

CPU registers, Dynamically Computed Target Addresses

cpu_data function, The Emulator

crashes, restarting after, Closing IDA Databases

CRC16 value, Creating Pattern Files

crc16.cpp file, Creating Pattern Files

Create as array option, Specifying Arrays

Create C File option, File menu, Real-World IDA Plug-ins

Create EXE File command, Writing an IDA Loader Using the SDK, The Simpleton Loader

Create EXE File option, File menu, IDA Databases and the IDA Debugger

create function, Creating Netnodes

Create function tails loader option, Kernel Options, Function Chunks

Create name anyway option, for named locations, Named Locations

Create Segment command, Manually Loading a Windows PE File

Create Structure/Union dialog, Creating a New Structure (or Union), Using Standard Structures

Create union checkbox, Create Structure/Union dialog, Creating a New Structure (or Union)

CreateArray function, Persistent Data Storage in IDC, Data Storage in Netnodes

createImportLabel function, Import Table Reconstruction

CreateNetnode function, Extending IDC

CreateThread function, x86emu and Anti-debugging

CREATE_BACKUPS option, Configuration Files

create_filename_cmt function, The Simpleton Loader

create_func_frame function, Processor Notifications

CRITICAL_SECTION object, Basic Data Transformations

Cross References option, View menu, Discovering New Vulnerabilities with IDA

cross-references (xrefs), Double-Click Navigation, Cross-References and Graphing, Cross-References, Code Cross-References, Data Cross-References, Data Cross-References, Cross-Reference Lists, Cross-Reference Lists, Cross-Reference Lists, External Call Graphs, Enumerating Structure Members

code cross-references, Cross-References
data cross-references, Code Cross-References
display window, Cross-Reference Lists
enumerating, using API, Enumerating Structure Members
for function calls, Cross-Reference Lists
graphs for, External Call Graphs
lists of, Data Cross-References
navigational purposes, Double-Click Navigation
subview, opening, Cross-Reference Lists
text, mousing over, Data Cross-References

Cross-References tab, Data Cross-References, IDA’s Integrated Graph View

cryptographic library, OpenSSL, Applying FLIRT Signatures, Augmenting Function Information

ctrl-B hotkey, Binary Searches

ctrl-enter hotkey, Navigation History

ctrl-F1 hotkey, The Main Configuration File: ida.cfg

ctrl-F4 hotkey, Common Features of Console Mode

ctrl-Q hotkey, The GUI Configuration File: idagui.cfg

ctrl-T hotkey, Text Searches

ctrl-X hotkey, Cross-Reference Lists

current instruction location, The Analyzer

current position indicator, Introduction to the IDA Desktop

custom cross-reference graphs, Custom Cross-Reference Graphs

custom data, Virtual Machine-Based Obfuscation, Virtual Machine-Based Obfuscation, Virtual Machine-Based Obfuscation

data types, Virtual Machine-Based Obfuscation
formats, Virtual Machine-Based Obfuscation

customizing, Customizing IDA, Customizing IDA, The Console Configuration File: idatui.cfg, Customizing IDA Toolbars

colors, The Console Configuration File: idatui.cfg
configuration files, Customizing IDA
toolbars, Customizing IDA Toolbars

custom_ana code, Customizing Existing Processors

custom_emu code, Customizing Existing Processors

custom_mnem code, Customizing Existing Processors

custom_out code, Customizing Existing Processors

custom_outop code, Customizing Existing Processors

cya instruction, Customizing Existing Processors

Cygwin environment, file

C_HEADER_PATH option, The Main Configuration File: ida.cfg

C_PREDEFINED_MACROS option, The Main Configuration File: ida.cfg

D

D command, Editing Structure Members

D hotkey, Converting Data to Code (and Vice Versa), Specifying Data Sizes

dashed line break, Code Cross-References

data, Stack Pointer Adjustments, Stack Pointer Adjustments, Basic Data Transformations

converting to code, Stack Pointer Adjustments
specifying sizes for, Basic Data Transformations

data bytes, distinguishing from code bytes, Using the Binary File Loader

data carousel, Specifying Data Sizes

DATA class, Segment Manipulation

data cross-references, Cross-References

data displays, Introduction to the IDA Desktop

Data Format menu, Hex window, The Hex View Window

data storage, in netnodes, Creating Netnodes

data structures. See also datatypes, Datatypes and Data Structures, Recognizing Data Structure Use, Creating IDA Structures, Editing Structure Members, Using Structure Templates, Parsing C Header Files, Using Standard Structures

and TIL files, Using Standard Structures
arrays, Recognizing Data Structure Use
IDA structures, Creating IDA Structures
importing new, Using Structure Templates
using standard structures, Parsing C Header Files
using structure templates, Editing Structure Members

DATA XREF, Cross-References

data-flow analysis, Discovering New Vulnerabilities with IDA

database events, Event Notification

Database Restore dialog, Closing IDA Databases

DataRescue, Hex-Rays’ Stance on Piracy

datatype setup dialog, Basic Data Transformations

datatypes. See also data structures, Specifying Data Sizes, Useful SDK Datatypes, Virtual Machine-Based Obfuscation, Virtual Machine-Based Obfuscation, Hex-Rays

custom, Virtual Machine-Based Obfuscation
for SDK, Useful SDK Datatypes
Hex-Rays, Hex-Rays
toggling through, Specifying Data Sizes

db (1 byte of storage), IDA Stack Views

dbg.hpp, for API, Header Files Overview

dbg_notification_t enum, Automating Debugger Actions with IDA Plug-ins

dbg_step_until_ret notification, Automating Debugger Actions with IDA Plug-ins

dbg_trace notification, Automating Debugger Actions with IDA Plug-ins

dd (4 bytes of storage), IDA Stack Views

de-obfuscation of binaries, static, Preventing Debugging, Static De-obfuscation of Binaries Using IDA, Script-Oriented De-obfuscation, x86emu Initialization, Basic x86emu Operation, Basic x86emu Operation, Emulator-Assisted De-obfuscation, x86emu and Anti-debugging

script-oriented, Static De-obfuscation of Binaries Using IDA

x86emu emulation-oriented, Script-Oriented De-obfuscation, x86emu Initialization, Basic x86emu Operation, Basic x86emu Operation, Emulator-Assisted De-obfuscation, x86emu and Anti-debugging

and anti-debugging, x86emu and Anti-debugging
de-obfuscation using, Basic x86emu Operation
features of, Emulator-Assisted De-obfuscation
initialization of, x86emu Initialization
operation of, Basic x86emu Operation

de-obfuscation stub, Opcode Obfuscation, Imported Function Obfuscation

dead listings, Disassembly Navigation

debug binaries, vs. release binaries, Locating main

DEBUG flag, Installing Plug-ins

debug registers, Dynamically Computed Target Addresses

debugger, Vulnerability Analysis, Detecting Instrumentation, Detecting Debuggers, Class Informer, The IDA Debugger, The IDA Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Basic Debugger Displays, Process Control, Tracing, Tracing, Watches, Watches, Automating Debugger Actions with IDA Plug-ins, Disassembler/Debugger Integration, Background, IDA Databases and the IDA Debugger, Launching the Process, Launching the Process, Simple Decryption and Decompression Loops, Simple Decryption and Decompression Loops, Import Table Reconstruction, Import Table Reconstruction, Hiding the Debugger, IdaStealth, Dealing with Exceptions, Additional Debugger Features, Remote Debugging with IDA, Using a Hex-Rays Debugging Server, Using a Hex-Rays Debugging Server, Attaching to a Remote Process, Attaching to a Remote Process, Attaching to a Remote Process, Exception Handling During Remote Debugging, Debugging with Bochs, Bochs IDB Mode, Bochs PE Mode, Appcall

and IDA databases, Background

automating with plug-ins, Automating Debugger Actions with IDA Plug-ins

detecting, Detecting Instrumentation

displays in, Launching the Debugger

displays, reasons for disassembly, Vulnerability Analysis

handling exceptions with, IdaStealth

IdaStealth plug-in for, Hiding the Debugger

instruction pointer warning, Simple Decryption and Decompression Loops

launching, The IDA Debugger

preventing, Detecting Debuggers

process control with, Basic Debugger Displays, Process Control, Tracing, Tracing, Watches

breakpoints, Process Control
stack traces, Tracing
tracing, Tracing
watches, Watches

process options dialog, Using a Hex-Rays Debugging Server

remote debugging with, Additional Debugger Features, Remote Debugging with IDA, Using a Hex-Rays Debugging Server, Attaching to a Remote Process, Attaching to a Remote Process

attaching to remote process, Using a Hex-Rays Debugging Server
exception handling during, Attaching to a Remote Process
using Hex-Rays debugging server, Remote Debugging with IDA
using scripts and plug-ins during, Attaching to a Remote Process

scripting for, Watches

selection dialog, Launching the Debugger

sessions, MyNav, Class Informer

setup dialog, Launching the Process, Dealing with Exceptions, Exception Handling During Remote Debugging

using Bochs, Attaching to a Remote Process, Debugging with Bochs, Bochs IDB Mode, Bochs PE Mode, Appcall

Appcall feature for, Appcall
disk image mode for, Bochs PE Mode
IDB mode for, Debugging with Bochs
PE mode for, Bochs IDB Mode

using with obfuscated code, Disassembler/Debugger Integration, IDA Databases and the IDA Debugger, Launching the Process, Simple Decryption and Decompression Loops, Import Table Reconstruction, Import Table Reconstruction

decryption and decompression loops, Simple Decryption and Decompression Loops
hiding debugger, Import Table Reconstruction
import table reconstruction, Import Table Reconstruction
launching process, Launching the Process
overview, Disassembler/Debugger Integration

warning message, Launching the Debugger

Debugger menu, The IDA Debugger, The IDA Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Launching the Debugger, Breakpoints, Breakpoints, Breakpoints, Stack Traces, Watches, IDA Databases and the IDA Debugger, Simple Decryption and Decompression Loops, Dealing with Exceptions, Using a Hex-Rays Debugging Server, Using a Hex-Rays Debugging Server, Using a Hex-Rays Debugging Server, Attaching to a Remote Process, Appcall

Attach option, The IDA Debugger, Launching the Debugger, Using a Hex-Rays Debugging Server
Attach to Process option, Launching the Debugger, Attaching to a Remote Process
Breakpoint List option, Breakpoints
Debugger Options command, Dealing with Exceptions
Function Tracing option, Breakpoints
Instruction Tracing option, Breakpoints
Pause Process option, Launching the Debugger
Process Options command, Using a Hex-Rays Debugging Server
Refresh memory command, Appcall
Run option, Launching the Debugger
Run to Cursor option, Launching the Debugger
Select debugger option, Simple Decryption and Decompression Loops
Stack Trace command, Stack Traces
Start Process option, Launching the Debugger, Launching the Debugger
Switch Debugger menu, Launching the Debugger
Take Memory Snapshot command, IDA Databases and the IDA Debugger
Terminate Process option, Launching the Debugger
Watch List option, Watches

DECISION problem, Problems Window, The Problems Window

declarations, in IDA text view, IDA Text View

decoding function, Burneye, Script-Oriented De-obfuscation, Basic x86emu Operation

decompiler editing options, Hex-Rays, Hex-Rays

decompilers, The What of Disassembly

dedicated frame pointer, Stack Frame Examples

Default checkbox, Save Disassembly Desktop dialog, Customizing IDA Toolbars

Default offset column, Structure Member Access

DEFAULT_FILE_FILTER option, The GUI Configuration File: idagui.cfg

DEFCON 18, Capture the Flag network, Analyzing Shellcode

Deflate (Pack database) option, Closing IDA Databases

DelBpt function, Scripting Debugger Actions

deltas, The Emulator

Demangled Names, Options menu, Name Mangling

Denial of Service attack, Cross-References and Graphing

destination buffer (dest), Enumerating Cross-References

destructor table, Stack Frame Breakdown

destructors, Virtual Functions and Vtables

detecting, Targeted Attacks on Analysis Tools, Detecting Virtualization, Detecting Instrumentation, Detecting Instrumentation

debuggers, Detecting Instrumentation
instrumentation, Detecting Virtualization
virtualization, Targeted Attacks on Analysis Tools

Dfirst function, Data Cross-Reference Functions

DfirstB function, Data Cross-Reference Functions

DIF files, generating, IDA-Generated EXE Files

directory layout, IDA and SELinux, IDA and SELinux, The IDA Directory Layout, The IDA Directory Layout, SDK Introduction

for SDK, SDK Introduction
overview, IDA and SELinux
sig directory, The IDA Directory Layout
til directory, The IDA Directory Layout

Directory option, debugger process options dialog, Using a Hex-Rays Debugging Server

disassembler analysis tool, Preventing Debugging

disassembly, Introduction to Disassembly, Introduction to Disassembly, Introduction to Disassembly, Introduction to Disassembly, Disassembly Theory, Disassembly Theory, The What of Disassembly, The Why of Disassembly, Vulnerability Analysis, The How of Disassembly, Linear Sweep Disassembly, Recursive Descent Disassembly, Obfuscated Code Analysis

anti–static analysis techniques, Obfuscated Code Analysis

first-generation languages, Introduction to Disassembly

fourth-generation languages, Introduction to Disassembly

how performed, Vulnerability Analysis, The How of Disassembly, Linear Sweep Disassembly, Recursive Descent Disassembly

basic algorithm for, The How of Disassembly
linear sweep disassembly, Linear Sweep Disassembly
recursive descent disassembly, Recursive Descent Disassembly

overview, The What of Disassembly

reasons for, The Why of Disassembly

second-generation languages, Disassembly Theory

theory of, Introduction to Disassembly

third-generation languages, Disassembly Theory

disassembly line display options, Basic Code Transformations

disassembly line parts, Code Display Options

disassembly location, jumping to, Jump to Address

Disassembly tab, Basic Code Transformations, IDA Colors, IDA Colors

color selection dialog, IDA Colors
Options menu, Basic Code Transformations

disassembly view, Introduction to the IDA Desktop, Introduction to the IDA Desktop, The Hex View Window

IDA desktop, Introduction to the IDA Desktop
synchronizing with hex view, The Hex View Window

disassembly window, The Principal IDA Displays, IDA Graph View, IDA Graph View

IDA graph view in, IDA Graph View
IDA text view in, IDA Graph View

disassembly window scroll bar, Jump to Address

disclosure event, Discovering New Vulnerabilities with IDA

disclosure, of vulnerability, Discovering New Vulnerabilities with IDA

discovery event, Discovering New Vulnerabilities with IDA

disk image mode, for Bochs, Bochs PE Mode

diskio.hpp file, Writing an IDA Loader Using the SDK, The Simpleton Loader

dispatcher functions, Basic Database Access

Display at startup checkbox, Launching IDA

Display Disassembly Line Parts section, Disassembly tab, Code Display Options

display format, selecting, IDA Stack Views

Display Graphs option, After-the-Fact Vulnerability Discovery with IDA

Display indexes option, Specifying Arrays

Display only defined strings option, Strings window, The Strings Window

display options, disassembly line, Basic Code Transformations

displays, IDA Data Displays, IDA Data Displays, IDA Data Displays, IDA Data Displays, The Principal IDA Displays, The Functions Window, The Functions Window, The Output Window, The Hex View Window, The Exports Window, The Imports Window, The Structures Window, The Enums Window, The Enums Window, The Strings Window, The Names Window, The Names Window, The Segments Window, The Type Libraries Window, The Function Calls Window, The Function Calls Window, Launching the Debugger

and undo, IDA Data Displays

context-sensitive menu actions in, IDA Data Displays

in debugger, Launching the Debugger

principal, IDA Data Displays, The Principal IDA Displays, The Functions Window, The Output Window

disassembly window, The Principal IDA Displays
Functions window, The Functions Window
Output window, The Output Window

secondary, The Functions Window, The Hex View Window, The Exports Window, The Imports Window, The Structures Window, The Enums Window

Enums window, The Enums Window
Exports window, The Exports Window
Hex View window, The Hex View Window
Imports window, The Imports Window
Structures window, The Structures Window

tertiary, The Enums Window, The Strings Window, The Names Window, The Names Window, The Segments Window, The Type Libraries Window, The Function Calls Window, The Function Calls Window

Function Calls window, The Function Calls Window
Names window, The Names Window
Problems window, The Function Calls Window
Segments window, The Segments Window
Signatures window, The Names Window
Strings window, The Strings Window
Type Libraries window, The Type Libraries Window

DisplayWelcome value, Launching IDA

DISPLAY_COMMAND_LINE option, The GUI Configuration File: idagui.cfg, The GUI Configuration File: idagui.cfg, Basic Script Execution

DISPLAY_PATCH_SUBMENU option, The GUI Configuration File: idagui.cfg, The GUI Configuration File: idagui.cfg

diStorm utility, strings

divide-by-zero error, Dynamically Computed Target Addresses

DLL (Dynamic Link Library), x86emu Initialization

dll2idt.exe parser, IDS Files

dnbits field, Basic Initialization of the LPH Structure

Dnext function, Data Cross-Reference Functions

DnextB function, Data Cross-Reference Functions

Do not display this dialog box again option, Additional IDA Configuration Options

Does not return attribute, Function Attributes

Don’t pack database option, IDA Database Creation

DON’T SAVE database option, Closing IDA Databases

dos.ldw (MS-DOS EXE loader), Launching IDA

doStruct function, A pcap Loader for IDA

DOT language, Function Calls

dotty tool, Function Calls

double word. See 4 bytes of storage (dd), Basic IDA Navigation, Custom Cross-Reference Graphs

double-click navigation, Double-Click Navigation, IDA’s Integrated Graph View

double-clicking, The Enums Window, The Strings Window, The Names Window, The Function Calls Window, Double-Click Navigation, Double-Click Navigation, Function Chunks, Editing Structure Members, Cross-Reference Lists, Cross-Reference Lists, Cross-Reference Lists, IDA Scripting

cross-reference address, Cross-Reference Lists
function chunks, Function Chunks
hexadecimal values, Double-Click Navigation
in Function Calls Window, The Function Calls Window
in Names window, The Strings Window
in Output window, Double-Click Navigation
in Segments window, The Names Window
listed scripts, IDA Scripting
strings, in Stings windows, The Enums Window
structure names, Editing Structure Members
symbol names, Cross-Reference Lists

download page, Hex-Rays, Real-World IDA Plug-ins

DR0–3 registers, Breakpoints

DR0–7 registers, Breakpoints

dt_xxx values, The Analyzer

dummy names, Names and Naming, Named Locations, Datatypes and Data Structures, Applying FLIRT Signatures

Dump Embedded PE option, File menu, x86emu and Anti-debugging

Dump option, File menu, Emulator-Assisted De-obfuscation

Dump Typeinfo to IDC File command, Sharing TIL Files

dumpbin utility, dumpbin

dup2 function, Analyzing Shellcode

dw (2 bytes of storage), IDA Stack Views

Dword function, Useful IDC Functions, Database Manipulation Functions, Script-Oriented De-obfuscation

dynamic analysis, of malware, The Why of Disassembly

Dynamic Link Library (DLL), x86emu Initialization

dynamic linking, ldd

dynamic memory allocation function, Heap-Allocated Arrays

dynamically computed target addresses, anti–static analysis techniques, Disassembly Desynchronization

dynamic_cast operator, Name Mangling

d_out function, The Emulator, The Outputter, Processor Notifications

E

EAX register, Other Calling Conventions, IDA Stack Views, Disassembly Desynchronization, Dynamically Computed Target Addresses, Hiding the Debugger

ebc.py, Scripting a Processor Module

EBP (extended base pointer) register, Stack Frame Examples, Dynamically Computed Target Addresses, Detecting Virtualization

ebx register, Import Table Reconstruction

Edit Breakpoint option, Breakpoints

Edit Exceptions button, Debugger Setup dialog, Dealing with Exceptions

Edit menu, Plugins menu, After-the-Fact Vulnerability Discovery with IDA, Class Informer

editing imported functions, Augmenting Function Information

EIP instruction pointer, x86emu Initialization

Element width attribute, Specifying Arrays

ELF binaries, file

ELF encryption tool, Burneye, Static De-obfuscation of Binaries Using IDA

ELF libraries, Creating Pattern Files

ELF-specific parsing, objdump

empty structure definition, Creating a New Structure (or Union)

emu function, The Analyzer

emu.cpp file, The Emulator

Emulate menu, Switch Thread option, x86emu and Anti-debugging

emulation, advantage of over debugging, Emulation-Oriented De-obfuscation

emulators, The Analyzer

Enabled checkbox, Breakpoint Settings dialog, Breakpoints

EnableTracing function, Scripting Debugger Actions

enabling line prefixes, IDA Graph View

End address attribute, Function Attributes

ENTRY symbol, Debugging with Bochs

entry.hpp, for API, Header Files Overview

Enumerate Heap option, View menu, x86emu and Anti-debugging

enumerated datatype, C enum, The Enums Window

enumerating, Enumerating Functions, Enumerating Structure Members, Enumerating Structure Members, Enumerating Structure Members, Stack Frame Breakdown

cross-references, Enumerating Structure Members
functions, Enumerating Functions
single stack frame, Stack Frame Breakdown
structure members, Enumerating Structure Members

Enums window, The Enums Window

envp array, Locating main

epilogue, of functions, Stack Frames

Erdelyi, Gergely, IDA Scripting, Emulating Assembly Language Behavior

error handling, in IDC language, IDC Programs

error messages, Error Handling in IDC

error strings, Identifying and Acquiring Static Libraries

ESC key, IDA Data Displays, Jump to Address

ESI register, Script-Oriented De-obfuscation

ESP-based stack frame, Stack Frame Examples

etc directory, for SDK, SDK Layout

event notification, for plug-ins, Plug-in Initialization

exact matches binary searches, Locating Instruction Sequences

exception confirmation dialog, Dealing with Exceptions

Exception Editing dialog, Dealing with Exceptions

exception handlers, Dynamically Computed Target Addresses, x86emu and Anti-debugging, Dealing with Exceptions

Exception Handling dialog, Dealing with Exceptions

exceptions, IdaStealth, Attaching to a Remote Process, Exception Handling During Remote Debugging

handling during remote debugging, Attaching to a Remote Process
handling with debugger, IdaStealth

Exceptions dialog, Dealing with Exceptions

exceptions.cfg file, Dealing with Exceptions, Attaching to a Remote Process

EXE files, generating, IDA-Generated ASM Files

exe.sig file, Locating main

execstack command, IDA and SELinux

executable files, strings, The Exports Window, The Exports Window

Exports window, The Exports Window
using strings on, strings

executable statements, grouping, Navigation History

execute_sync function, The IDA Software Development Kit

execution, IDA Scripting, Event Notification, Event Notification

of plug-ins, Event Notification
of scripts, IDA Scripting

execution control commands, Process Control

execution traces, Tracing

exec_request_t function, The IDA Software Development Kit

Expand Struct Type option, Edit menu, Editing Structure Members

expanding collapsed structures, Using Standard Structures

exploit-development, The Why of Disassembly, IDA and the Exploit-Development Process, IDA and the Exploit-Development Process, Stack Frame Breakdown, Locating Instruction Sequences

finding useful virtual addresses, Locating Instruction Sequences
locating instruction sequences, Stack Frame Breakdown
stack frame breakdown, IDA and the Exploit-Development Process

export entry, Creating IDS Files

export ordinal number, The Exports Window

Exports window, The Exports Window, Launching the Process

expr.hpp file, Header Files Overview, Configuring Plug-ins

expressions, in IDC language, IDC Variables

extended base pointer (EBP) register, Stack Frame Examples, Dynamically Computed Target Addresses, Detecting Virtualization

extending IDC, with plug-ins, Configuring Plug-ins

extern keyword, The IDC Language

extern section, Discovering New Vulnerabilities with IDA

external (global) symbols, PEiD

external mode graphs, IDA External (Third-Party) Graphing

external-style graph, IDA External (Third-Party) Graphing

extract_address function, Processor Notifications

e_lfanew field, Manually Loading a Windows PE File

F

f argument, Datatypes and Data Structures

F12 hotkey, IDA External (Third-Party) Graphing

F2 hotkey, Breakpoints

fake interrupt descriptor table, x86emu Initialization

Falliere, Nicolas, Detecting Debuggers, Import Table Reconstruction

far addresses, Code Cross-References

Far function attribute, Function Attributes

Fast Library Acquisition for Identification and Recognition (FLAIR), Creating FLIRT Signature Files, Using IDA Freeware

Fast Library Identification and Recognition Technology (FLIRT) signatures. See FLIRT signatures, The this Pointer

fastcall calling convention, The this Pointer

fastcall convention for x86, The C Calling Convention

fastcall modifier, The fastcall Convention for x86

fclose function, File Input/Output Functions

feature field, The processor_t Struct

FF_XXX constants, Structure Manipulation

fgetc function, File Input/Output Functions

field names, Structure Member Access

file classification, Classification Tools, Classification Tools, PE Tools, PEiD

file, Classification Tools
PE Tools, PE Tools
PEiD, PEiD

File column, FLIRT signature selection, Applying FLIRT Signatures

file command, Classification Tools

File dialog, Launching IDA

file extensions, Classification Tools

file loading, Launching IDA

File menu, Emulator-Assisted De-obfuscation, x86emu and Anti-debugging, Real-World IDA Plug-ins, Real-World IDA Plug-ins, IDA Databases and the IDA Debugger, Import Table Reconstruction

Create C File option, Real-World IDA Plug-ins
Create EXE File option, IDA Databases and the IDA Debugger
Dump Embedded PE option, x86emu and Anti-debugging
Dump option, Emulator-Assisted De-obfuscation
Script File option, Import Table Reconstruction

File offset value, Changing Individual Database Bytes

File Open dialog, Launching IDA

File Save dialog, The Simpleton Loader

FILE stream pointer, The Simpleton Loader

FILE type, Writing an IDA Loader Using the SDK

file utility, Classification Tools, Identifying and Acquiring Static Libraries

file-loading dialog, IDA Loader Modules

file2base function, The Simpleton Loader

FileAlignment field, Manually Loading a Windows PE File

FileAlignment value, Manually Loading a Windows PE File

fileformatname parameter, Writing an IDA Loader Using the SDK, The Simpleton Loader, The Simpleton Loader

filelength function, File Input/Output Functions

FilemonClass class, Detecting Instrumentation

filename pattern, The GUI Configuration File: idagui.cfg

FILEREG_PATCHABLE, The Simpleton Loader

FILE_EXTENSIONS option, The GUI Configuration File: idagui.cfg

Find all occurrences checkbox, Text Search dialog, Text Searches

FindBinary function, Database Manipulation Functions, Locating Instruction Sequences

FindCode function, Database Manipulation Functions, Enumerating Instructions

FindData function, Database Manipulation Functions

FindText function, Database Manipulation Functions

FindWindow function, Detecting Instrumentation

FindXXX functions, Database Manipulation Functions

first-generation languages, Introduction to Disassembly

first_from function, Enumerating Cross-References

first_to function, Enumerating Cross-References

fixed-length instructions, Linear Sweep Disassembly

fix_proc utility, Building Processor Modules

flag field, Basic Initialization of the LPH Structure

flags field for loaders, Writing an IDA Loader Using the SDK

flags field, for plug-ins, Writing a Plug-in

FLAIR (Fast Library Acquisition for Identification and Recognition), Applying FLIRT Signatures, Using IDA Freeware

flair directory, Applying FLIRT Signatures

flair57.zip version, Applying FLIRT Signatures

Flake, Halvar, Discovering New Vulnerabilities with IDA

flat memory model, Function Attributes

FLIRT (Fast Library Identification and Recognition Technology) signatures, Library Recognition Using FLIRT Signatures, Library Recognition Using FLIRT Signatures, Library Recognition Using FLIRT Signatures, Applying FLIRT Signatures, Creating FLIRT Signature Files, Identifying and Acquiring Static Libraries, Startup Signatures

applying, Library Recognition Using FLIRT Signatures

creating signature files, Applying FLIRT Signatures, Creating FLIRT Signature Files, Identifying and Acquiring Static Libraries

creating pattern files, Identifying and Acquiring Static Libraries
static libraries for, Creating FLIRT Signature Files

overview, Library Recognition Using FLIRT Signatures

startup signatures, Startup Signatures

flowchart-style graph, graph view, Introduction to the IDA Desktop

flowcharts, IDA External (Third-Party) Graphing

flows, IDA Graph View

fl_CF-type cross-references, Enumerating Cross-References

Follow system keyboard layout option, Preferences dialog, OS X Console Specifics

Follow TCP Stream command, Analyzing Shellcode

Font command, IDA Desktop Tips and Tricks

Font menu, Basic Debugger Displays

foo function, Function Call Instructions

foobar subroutine, Jump to Address

footer function, Processor Notifications

fopen function, File Input/Output Functions

for loops, IDC Statements

forking existing projects, CollabREate, collabREate

form argument, Creating Customized Forms with the SDK

form function, User Interaction Functions

form parameter, Basic Database Access

formal parameter names, Augmenting Function Information

format strings, Basic Database Access, Stack Frame Breakdown

formatting, Formatting Instruction Operands, Formatting Instruction Operands, Formatting Instruction Operands, Using Structure Templates, Using Structure Templates

constants, options for, Formatting Instruction Operands
global variables, as structures, Using Structure Templates
instruction operands, Formatting Instruction Operands
stack-allocated structures, Using Structure Templates

formcb_t function, Creating Customized Forms with the SDK

forward navigation button, Navigation History

fourth-generation languages, Introduction to Disassembly

fprintf function, File Input/Output Functions, Stack Frame Breakdown

fpro.h, for API, Header Files Overview

fputc function, File Input/Output Functions

frame pointer, Stack Frames, Function Attributes

Frame pointer delta attribute, Function Attributes

frame.hpp, Header Files Overview, Function Manipulation

FreeBSD application, Applying FLIRT Signatures, Creating Signature Files, Locating main, Analyzing Shellcode

freeware versions, of IDA, Obtaining IDA Pro

free_til function, A pcap Loader for IDA

from address, in cross-references, Cross-References and Graphing

frregs field, Enumerating Structure Members

frsize field, Enumerating Structure Members

FS register, Dynamically Computed Target Addresses

full-line comments, Anterior and Posterior Lines

FuncItems generator, Enumerating Instructions

funcs control block, Iteration Techniques Using the IDA API

funcs.hpp, Header Files Overview, Iteration Techniques Using the IDA API

function call, Function Call Instructions, The Function Calls Window, The Function Calls Window, The Function Calls Window, Cross-References, Cross-References, External Flowcharts, External Call Graphs

graphs, The Function Calls Window, Cross-References, External Flowcharts
instructions, Function Call Instructions
tree, The Function Calls Window

Function Calls window, The Function Calls Window

function comments, Function Comments

Function editing dialog, Function Attributes

function parameters, Navigation History, Calling Conventions

function tails, Function Chunks

Function Tracing option, Debugger menu, Breakpoints

functions, Navigation History, Stack Frames, Other Calling Conventions, Manipulating Functions, Creating New Functions, Creating New Functions, Creating New Functions, Function Chunks, Function Attributes, Converting Data to Code (and Vice Versa), Datatypes and Data Structures, Name Mangling, IDA’s Integrated Graph View, Augmenting Function Information, Augmenting Function Information, Useful IDC Functions, Functions for Reading and Modifying Data, User Interaction Functions, User Interaction Functions, Manipulating Database Names, Manipulating Database Names, Functions Dealing with Functions, Code Cross-Reference Functions, Data Cross-Reference Functions, Data Cross-Reference Functions, Database Manipulation Functions, Database Search Functions, Commonly Used SDK Functions, Iteration Techniques Using the IDA API, Emulator-Assisted De-obfuscation, Breakpoints

attributes for, Function Chunks

augmenting information for, Augmenting Function Information

calling, Stack Frames

chunks of, Creating New Functions

compiling, Other Calling Conventions

creating new, Creating New Functions

deleting, Creating New Functions

emulated by x86emu, Emulator-Assisted De-obfuscation

enumerating, using API, Iteration Techniques Using the IDA API

for SDK, Commonly Used SDK Functions

in IDC language, Useful IDC Functions, Functions for Reading and Modifying Data, User Interaction Functions, User Interaction Functions, Manipulating Database Names, Manipulating Database Names, Functions Dealing with Functions, Code Cross-Reference Functions, Data Cross-Reference Functions, Data Cross-Reference Functions, Database Manipulation Functions, Database Search Functions

code cross-reference, Code Cross-Reference Functions
data cross-reference, Data Cross-Reference Functions
database manipulation, Data Cross-Reference Functions
database search, Database Manipulation Functions
dealing with functions, Manipulating Database Names
disassembly line components, Database Search Functions
file input/output, User Interaction Functions
for user interaction, Functions for Reading and Modifying Data
manipulating database names, Manipulating Database Names
reading and modifying data, Useful IDC Functions
string-manipulation, User Interaction Functions

oriented control flow graph, IDA’s Integrated Graph View

overloading, C++, Name Mangling

overview of, Navigation History

signatures for, Augmenting Function Information

stack pointer adjustments, Function Attributes

tracing, Breakpoints

types, setting, Datatypes and Data Structures

undefine, Converting Data to Code (and Vice Versa)

Functions data display, Introduction to the IDA Desktop

Functions list generator, IDAPython Scripting Examples

Functions menu, x86emu and Anti-debugging

Functions window, Introduction to the IDA Desktop, The Principal IDA Displays, The Functions Window, Jump to Address, Cross-Reference Lists, Opcode Obfuscation

func_t (funcs.hpp), datatypes for SDK, Useful SDK Datatypes, Segment Manipulation, Iteration Techniques Using the IDA API

fuzzing technique, The Why of Disassembly

f_LOADER type, Processor Module Architecture

G

G hotkey, Jump to Address, The Console Configuration File: idatui.cfg

g++ compiler, GNU, The C Calling Convention, Sharing TIL Files

g++ versions, Name Mangling

Gaobot worm, PE Tools

Gas (GNU Assembler), A Basic Disassembly Algorithm

gcc compiler, GNU, The C Calling Convention

GCC tags, Identifying and Acquiring Static Libraries

GDB Configuration dialog, Using a Hex-Rays Debugging Server

gdb sessions, Additional Debugger Features

gdb(GNU Debugger), Preventing Debugging, Launching the Debugger

gdbserver component, GNU Debugger, Launching the Debugger

gdb_server, Additional Debugger Features, Using a Hex-Rays Debugging Server

GDL (Graph Description Language), Function Calls, Linux Console Specifics

gdl.hpp, for API, Header Files Overview

General dialog, The Disassembly Window, Working with Strings

General Registers view, Basic Debugger Displays

General Registers window, Basic Debugger Displays, Breakpoints

general-purpose searches, Searching the Database

Generate serial names option, Working with Strings

generating signatures, The IDA Directory Layout

Get prefix, Useful IDC Functions

GetArrayElement function, Data Storage in Netnodes

GetBptAttr function, Scripting Debugger Actions

GetBptEA function, Scripting Debugger Actions

GetBptQty function, Scripting Debugger Actions

GetCommandLine function, Locating main

GetCommandLineA function, Import Table Reconstruction

GetDebuggerEvent function, Scripting Debugger Actions, Automating Debugger Actions with IDA Plug-ins, Hiding the Debugger

GetDisasm function, Database Search Functions

GetEntryPointQty function, Enumerating Exported Functions

GetEnvironmentStrings function, Locating main

GetEventXXX function, Scripting Debugger Actions

GetFrameLvarSize function, Stack Frame Breakdown

GetFrameRegsSize function, Stack Frame Breakdown

getFuncAddr function, Discovering New Vulnerabilities with IDA

GetFunctionAttr function, Manipulating Database Names, Enumerating Instructions

GetFunctionFlags function, Finding and Labeling Function Arguments

GetFunctionName function, Manipulating Database Names

GetInputFile function, Enumerating Exported Functions

getline function, Plug-in User Interface Options

getmainargs library function, Locating main

GetMemberName function, Discovering New Vulnerabilities with IDA

GetMemberOffset function, Enumerating Functions

GetMemberSize function, Discovering New Vulnerabilities with IDA

GetMnem function, Database Search Functions

GetModulehandleA function, Opcode Obfuscation

getnseg function, Segment Manipulation

getn_area function, Iteration Techniques Using the IDA API

getn_func function, Manipulating Database Names

getopcode.c program, Locating Instruction Sequences

GetOperandValue function, Database Search Functions

GetOpnd function, Database Search Functions

GetOpType function, Database Search Functions

GetProcAddress function, Imported Function Obfuscation, Imported Function Obfuscation, Emulator-Assisted De-obfuscation, Simple Decryption and Decompression Loops, Import Table Reconstruction, Import Table Reconstruction

GetRegValue function, Breakpoints, Watches

getseg function, Structure Manipulation, The Simpleton Loader

GetStrucSize, Enumerating Functions

get_byte function, Commonly Used SDK Functions

get_first_cref_from function, Code Cross-References

get_first_cref_to function, Code Cross-References

get_first_dref_from function, Code Cross-References

get_first_dref_to function, Code Cross-References

get_frame function, Manipulating Database Names

get_frame_retsize function, Processor Notifications

get_func function, Manipulating Database Names

get_func_name function, Manipulating Database Names

get_func_qty function, Manipulating Database Names

get_long function, Commonly Used SDK Functions

get_many_bytes function, Commonly Used SDK Functions

get_member function, Structure Manipulation

get_member_by_name function, Structure Manipulation

get_name function, Manipulating Database Names

get_name_ea function, Manipulating Database Names

get_next_area function, Iteration Techniques Using the IDA API

get_next_cref_from function, Code Cross-References

get_next_cref_to function, Code Cross-References

get_next_dref_from function, Code Cross-References

get_next_dref_to function, Code Cross-References

get_next_func function, Manipulating Database Names

get_original_byte function, Commonly Used SDK Functions

get_original_long function, Commonly Used SDK Functions

get_original_word function, Commonly Used SDK Functions

get_original_XXX functions, Commonly Used SDK Functions

get_reg_val function, Automating Debugger Actions with IDA Plug-ins

get_screen_ea function, Basic Database Access

get_segm_by_name function, Structure Manipulation

get_segm_name function, Segment Manipulation

get_struc function, Structure Manipulation

get_struc_id function, Structure Manipulation

get_true_segm_name function, Segment Manipulation

get_word function, Commonly Used SDK Functions

Gigapede, Background

global (external) symbols, nm

global array, Scripting Debugger Actions

global offset table (GOT), Enumerating Cross-References, Stack Frame Breakdown, Locating Instruction Sequences

global persistent arrays, Persistent Data Storage in IDC

global variables, formatting as structures, Using Structure Templates

globally allocated arrays, Array Member Access

globally allocated structures, Globally Allocated Structures

gl_comm variable, The Outputter

gnome-terminal, Gnome, Linux Console Specifics

GNU Assembler (Gas), A Basic Disassembly Algorithm

GNU binutils tool suite, objdump

GNU compilers, The C Calling Convention, Structure Member Access, Sharing TIL Files

GNU Debugger (gdb), Preventing Debugging, Launching the Debugger

GNU linker, Building Processor Modules

Go button, Launching IDA

GOT (global offset table), Enumerating Cross-References, Stack Frame Breakdown, Locating Instruction Sequences

got section, Discovering New Vulnerabilities with IDA, Finding Useful Virtual Addresses

goto statements, Hex-Rays

graph components, Cross-References and Graphing

Graph Description Language (GDL), Function Calls, Linux Console Specifics

graph mode, IDA’s Integrated Graph View

graph node, External Call Graphs

Graph Overview data display, Introduction to the IDA Desktop, IDA Graph View, Custom Cross-Reference Graphs

Graph tab, The Disassembly Window

graph view, Introduction to the IDA Desktop, IDA’s Integrated Graph View

graph viewer, qwingraph, Function Calls

graph view–style display, Introduction to the IDA Desktop

graph-based display mode, IDA freeware 5.0, Using IDA Freeware

graphing, Function Calls, IDA External (Third-Party) Graphing, IDA External (Third-Party) Graphing, External Call Graphs, External Call Graphs, Custom Cross-Reference Graphs, Custom Cross-Reference Graphs

integrated graph view, Custom Cross-Reference Graphs

third-party graphing, IDA External (Third-Party) Graphing, IDA External (Third-Party) Graphing, External Call Graphs, External Call Graphs, Custom Cross-Reference Graphs

call graphs, External Call Graphs
cross-reference graphs, External Call Graphs
custom cross-reference graphs, Custom Cross-Reference Graphs
flowcharts, IDA External (Third-Party) Graphing

graphing applications, Function Calls

graphs, The Function Calls Window, IDA’s Integrated Graph View, Summary

grouping nodes in, IDA’s Integrated Graph View
used in Function Calls Window, The Function Calls Window

graphviz project, IDA External (Third-Party) Graphing

GRAPH_FORMAT variable, Function Calls

GRAPH_VISUALIZER option, Function Calls, Linux Console Specifics, Configuration Files

grep-style search, The IDA Application Programming Interface

Group Nodes option, IDA Graph View, IDA’s Integrated Graph View

grouping, IDA Graph View, IDA Graph View, Navigation History, IDA’s Integrated Graph View

blocks, in disassembly window, IDA Graph View
executable statements, Navigation History
nodes, within graphs, IDA’s Integrated Graph View

GUI configuration file, The IDA Directory Layout

GUI versions, of IDA, Using IDA’s Batch Mode

gunzip archive, Windows Installation

H

Hall of Shame, Hex-Rays website, IDA Pro Background

handling exceptions, IdaStealth, IdaStealth, Attaching to a Remote Process

during remote debugging, Attaching to a Remote Process
with debugger, IdaStealth

Hardware Breakpoint checkbox, Breakpoint Settings dialog, Breakpoints

Hardware breakpoint mode radio buttons, Breakpoint Settings dialog, Breakpoints

hardware breakpoints, Breakpoints, Breakpoints, Debugging Obfuscated Code, Launching the Process

hash function, Imported Function Obfuscation

hashset function, Data Storage in Netnodes

hashstr function, Data Storage in Netnodes

hashval function, Data Storage in Netnodes

hashvals, Data Storage in Netnodes, Data Storage in Netnodes

hashval_long function, Data Storage in Netnodes

hashXXX functions, Data Storage in Netnodes

HAS_CALL flags, The Analyzer

HAS_JABS flag, The Analyzer

HAS_JREL flag, The Analyzer

head command, Library Recognition Using FLIRT Signatures

header fields, PE Tools, PE Tools

header files, for API, The IDA Application Programming Interface, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview, Header Files Overview

area.hpp, Header Files Overview
auto.hpp, Header Files Overview
bytes.hpp, Header Files Overview
dbg.hpp, Header Files Overview
entry.hpp, Header Files Overview
expr.hpp, Header Files Overview
fpro.h, Header Files Overview
frame.hpp, Header Files Overview
funcs.hpp, Header Files Overview
gdl.hpp, Header Files Overview
ida.hpp, Header Files Overview
idp.hpp, Header Files Overview
kernwin.hpp, Header Files Overview
lines.hpp, Header Files Overview
loader.hpp, Header Files Overview
name.hpp, Header Files Overview
netnode.hpp, Header Files Overview
pro.h, Header Files Overview
search.hpp, Header Files Overview
segment.hpp, Header Files Overview
struct.hpp, Header Files Overview
typeinf.hpp, Header Files Overview
ua.hpp, Header Files Overview
xref.hpp, Header Files Overview

header function, Processor Notifications

header structure, MS-DOS, Using Standard Structures

heap program, Stack-Allocated Arrays

heap-allocated arrays, Heap-Allocated Arrays

heap-allocated structures, Stack-Allocated Structures

HeapAlloc function, Emulator-Assisted De-obfuscation

heap_array variable, Heap-Allocated Arrays

help files, The GUI Configuration File: idagui.cfg

help member, for plug-ins, Writing a Plug-in

Help menu, IDA, Purchasing IDA

HELPFILE option, The Main Configuration File: ida.cfg

hex dumps, Text Searches, Common Features of Console Mode

hex editor, The Hex View Window

hex searches, conducting, Binary Searches

hex values, two-digit, Text Searches

Hex View window, Thoughts on IDA’s User Interface, The Hex View Window, Binary Searches, Basic Debugger Displays

Hex-Rays, IDA Pro Background, IDA Support Resources, Reporting Bugs, Real-World IDA Plug-ins, Real-World IDA Plug-ins, Remote Debugging with IDA, Appcall, Appcall

blog, Appcall
bulletin boards, posting on, Reporting Bugs
debugging server, remote debugging using, Remote Debugging with IDA
download page for, Real-World IDA Plug-ins
plug-in, Real-World IDA Plug-ins
stance on piracy, IDA Pro Background
support page and forums, IDA Support Resources

hexadecimal constant, Formatting Instruction Operands

hexadecimal values, Double-Click Navigation

hidden messages, restoring, Launching IDA

Hide Casts option, Hex-Rays

Hide Group option, IDA’s Integrated Graph View

HideDebugger.idc script, Hiding the Debugger

hide_wait_box function, Plug-in Execution

hiding debugger, Import Table Reconstruction

History subkey, IDA Windows registry key, Launching IDA

HKEY_CURRENT_USER\ Software\Hex-Rays\IDA registry key, Launching IDA, The Console Configuration File: idatui.cfg

HKEY_CURRENT_USER\Software\Hex-Rays\IDA\Hidden Messages registry key, The Console Configuration File: idatui.cfg

hook_to_notification_point function, Plug-in Initialization, The Outputter, Automating Debugger Actions with IDA Plug-ins

Hostname option, debugger process options dialog, Using a Hex-Rays Debugging Server

hotkey field, Configuring Plug-ins

hotkey reassignment, in idagui.cfg, The GUI Configuration File: idagui.cfg

hotkeys, Thoughts on IDA’s User Interface, Associating IDC Scripts with Hotkeys

HTI_PAK1 constant, A pcap Loader for IDA

HTI_XXX values, A pcap Loader for IDA

HTML document, file

HTML files, The GUI Configuration File: idagui.cfg, IDA-Generated HTML Files

HTTP response packet, A pcap Loader for IDA

HT_DBG function, Automating Debugger Actions with IDA Plug-ins

HT_DBG notification type, Automating Debugger Actions with IDA Plug-ins

hyperlinks, vs. names, Basic IDA Navigation

HyperUnpackMe2, x86emu and Anti-debugging

I

I/O functions, Header Files Overview

icebp instruction, Dealing with Exceptions

id field for processors, Basic Initialization of the LPH Structure

IDA, Obtaining IDA Pro, Obtaining IDA Pro, IDA Licenses, Purchasing IDA, Purchasing IDA, Upgrading IDA, IDA Support Resources, Your IDA Installation, Windows Installation, Windows Installation, Windows Installation, The IDA Directory Layout, The IDA Directory Layout, The IDA Directory Layout, Launching IDA, Launching IDA, Using the Binary File Loader, IDA Database Creation, IDA Database Creation, IDA Database Creation, IDA Database Creation, Closing IDA Databases, Reopening a Database, Introduction to the IDA Desktop, Introduction to the IDA Desktop, Desktop Behavior During Initial Analysis, Desktop Behavior During Initial Analysis, IDA Graph View, IDA Graph View, IDA Graph View, IDA Graph View, IDA Graph View, IDA Graph View, IDA Graph View, The Function Calls Window, IDA Stack Views, Working with Strings, Creating IDA Structures, Creating IDA Structures, Editing Structure Members, Editing Structure Members, Parsing C Structure Declarations, Console Mode IDA, Augmenting Function Information, IDC Objects, Script-Oriented De-obfuscation, Script-Oriented De-obfuscation, collabREate, collabREate, Basic Debugger Displays, Basic Debugger Displays, Background, Using IDA Freeware 5.0

as software, Obtaining IDA Pro, Obtaining IDA Pro, IDA Licenses, Purchasing IDA, Upgrading IDA, The IDA Directory Layout

licenses, IDA Licenses
purchasing, Purchasing IDA
upgrading, Upgrading IDA
user interface of, The IDA Directory Layout
versions, Obtaining IDA Pro

configuration file, Windows Installation

crashes, restarting after, Closing IDA Databases

cross-references, The Function Calls Window

database files, Using the Binary File Loader, IDA Database Creation, IDA Database Creation, IDA Database Creation, Reopening a Database, IDA Stack Views, Background

and debugger, Background
closing, IDA Database Creation
creation of, IDA Database Creation
overview, Using the Binary File Loader
reopening, Reopening a Database
searching, IDA Stack Views

database, as virtual memory, Script-Oriented De-obfuscation

desktop, Introduction to the IDA Desktop, Introduction to the IDA Desktop, Desktop Behavior During Initial Analysis, Desktop Behavior During Initial Analysis

behavior of during analysis, Introduction to the IDA Desktop
overview, Introduction to the IDA Desktop
tips and tricks for, Desktop Behavior During Initial Analysis

directory, Your IDA Installation

download page, Console Mode IDA

executables, Windows Installation

extensions, loaders directory, The IDA Directory Layout

freeware 5.0, Using IDA Freeware 5.0

graph view, in disassembly window, IDA Graph View, IDA Graph View, IDA Graph View, IDA Graph View, IDA Graph View, IDA Graph View

creating additional disassembly windows, IDA Graph View
grouping and collapsing blocks in, IDA Graph View
overview, IDA Graph View
panning in, IDA Graph View
rearranging blocks in, IDA Graph View

IDA Palace, IDA Support Resources

IDA Sync, Windows Asynchronous Sockets techniques used by, collabREate

installer, Purchasing IDA

loader, IDA Database Creation

modules, plug-ins directory, The IDA Directory Layout

notifications, CollabREate, collabREate

parser, Parsing C Structure Declarations

scripting, IDC Objects, Script-Oriented De-obfuscation

stack-pointer analysis, Augmenting Function Information

Strings options, Working with Strings

structures, Creating IDA Structures, Creating IDA Structures, Editing Structure Members, Editing Structure Members

creating new, Creating IDA Structures
editing structure members, Editing Structure Members
stack frames as, Editing Structure Members

text view, in disassembly window, IDA Graph View

View-EIP disassembly window, Basic Debugger Displays

View-ESP disassembly window, Basic Debugger Displays

Windows registry key, Launching IDA

workspace, Launching IDA

IDA command line, Basic Script Execution

IDA comments, using semicolon prefix in, Commenting in IDA

IDA-generated variable names, mapping, IDA Stack Views

IDA-View window, Introduction to the IDA Desktop, The Principal IDA Displays

ida-x86emu plug-in, Windows-Only User Interface–Generation Techniques, Emulation-Oriented De-obfuscation, ida-x86emu

ida.cfg file, The IDA Directory Layout, Code Display Options, Function Calls, Linux Console Specifics, Configuration Files

IDA.HLP file, Creating Customized Forms with the SDK

ida.hpp file, The IDA Application Programming Interface, Header Files Overview

ida.idc file, Associating IDC Scripts with Hotkeys

ida.int comment file, Augmenting Predefined Comments with loadint

ida.int file, Creating IDS Files

ida.key file, IDA Pro Background

idaapi module, IDAPython, Appcall

idaapi.processor_t class, Processor Module Architecture

idag.exe, Windows Installation

idag64.exe, 32-bit vs. 64-bit IDA

idagui.cfg configuration file, The IDA Directory Layout, The Main Configuration File: ida.cfg, The Infamous Patch Program Menu, Basic Script Execution

idaidp.hpp, Writing a Processor Module Using the SDK

idainfo (ida.hpp), datatypes for SDK, Useful SDK Datatypes

idainfo structure, Header Files Overview

idamake.pl, Building Your Plug-ins

IdaPdf plug-in, MyNav

IDAPython plug-in, Windows Installation, IDAPython, IDAPython Scripting Examples, IDAPython Scripting Examples, Enumerating Instructions, Enumerating Instructions, IDAPython

examples, IDAPython, IDAPython Scripting Examples, IDAPython Scripting Examples, Enumerating Instructions, Enumerating Instructions

enumerating cross-references, Enumerating Instructions
enumerating exported functions, Enumerating Instructions
enumerating functions, IDAPython Scripting Examples
enumerating instructions, IDAPython Scripting Examples

idaq.exe, Windows Installation

idaq64.exe, IDA and SELinux

idasdk61.zip file, The IDA Software Development Kit

IDAStealth configuration dialog, IdaStealth

IdaStealth plug-in, for debugger, Hiding the Debugger

idatui.cfg file, The IDA Directory Layout, The GUI Configuration File: idagui.cfg

idauser.cfg file, The Main Configuration File: ida.cfg

idauserg.cfg file, The GUI Configuration File: idagui.cfg

idausert.cfg file, The GUI Configuration File: idagui.cfg

idautils module, IDAPython

idaw.exe, Windows Installation

ida_export function, Header Files Overview

IDA_SDK_VERSION macro, Header Files Overview

IDB mode, for Bochs, Debugging with Bochs

IDB_2_PAT utility, Creating Pattern Files

idb_event::byte_patched, Plug-in Initialization

idb_event::cmt_changed, Plug-in Initialization

IDC command dialog, IDC Functions

idc directory, The IDA Directory Layout

IDC functions, SDK implementation, IDC/SDK Cross-Reference

IDC language, IDC Variables, IDC Variables, IDC Statements, IDC Functions, IDC Programs, IDC Programs, IDC Programs, Error Handling in IDC, Useful IDC Functions, Functions for Reading and Modifying Data, User Interaction Functions, User Interaction Functions, Manipulating Database Names, Manipulating Database Names, Functions Dealing with Functions, Code Cross-Reference Functions, Data Cross-Reference Functions, Data Cross-Reference Functions, Database Manipulation Functions, Database Search Functions, Database Search Functions, IDC Scripting Examples, Enumerating Functions, Enumerating Instructions, Enumerating Exported Functions, Enumerating Exported Functions, Emulating Assembly Language Behavior, IDC/SDK Cross-Reference

error handling in, IDC Programs

examples, Database Search Functions, IDC Scripting Examples, Enumerating Functions, Enumerating Instructions, Enumerating Exported Functions, Enumerating Exported Functions, Emulating Assembly Language Behavior

emulating assembly language behavior, Emulating Assembly Language Behavior
enumerating cross-references, Enumerating Instructions
enumerating exported functions, Enumerating Exported Functions
enumerating functions, Database Search Functions
enumerating instructions, Enumerating Functions
finding and labeling function arguments, Enumerating Exported Functions

expressions, IDC Variables

functions, Useful IDC Functions, Functions for Reading and Modifying Data, User Interaction Functions, User Interaction Functions, Manipulating Database Names, Manipulating Database Names, Functions Dealing with Functions, Code Cross-Reference Functions, Data Cross-Reference Functions, Data Cross-Reference Functions, Database Manipulation Functions, Database Search Functions

code cross-reference, Code Cross-Reference Functions
data cross-reference, Data Cross-Reference Functions
database manipulation, Data Cross-Reference Functions
database search, Database Manipulation Functions
dealing with functions, Manipulating Database Names
disassembly line components, Database Search Functions
file input/output, User Interaction Functions
for user interaction, Functions for Reading and Modifying Data
manipulating database names, Manipulating Database Names
reading and modifying data, Useful IDC Functions
string-manipulation, User Interaction Functions

objects, IDC Functions

persistent data storage in, Error Handling in IDC

programs, IDC Programs

SDK cross-reference for, IDC/SDK Cross-Reference

statements, IDC Statements

variables, IDC Variables

idc module, IDAPython

IDC script, Script-Oriented De-obfuscation

IDC slices, IDC Expressions

IDC statements, Import Table Reconstruction

IDC-based loader, Writing a Scripted Loader

idc.idc file, IDC Objects

idc_create_netnode function, Extending IDC

idc_func_t datatype, Configuring Plug-ins

idc_value_t (expr.hpp), datatypes for SDK, Useful SDK Datatypes, Extending IDC

Identical Functions, PatchDiff2, After-the-Fact Vulnerability Discovery with IDA

Identifier search, Text Searches

idp.def file, Building Processor Modules

idp.hpp file, Header Files Overview, Processor Notifications

IDP_INTERFACE_VERSION constant, The IDA Plug-in Architecture

ids directory, The IDA Directory Layout

IDS files, The IDA Directory Layout, Augmenting Function Information, Augmenting Function Information

augmenting information for functions, Augmenting Function Information
IDA parlance, The IDA Directory Layout

ids hierarchy, IDS Files

IDS utilities, Augmenting Function Information

idsnames file, Creating IDS Files

idsutils, Augmenting Function Information

Ignore instructions/data definitions option, Strings window, The Strings Window

ImageBase field, Manually Loading a Windows PE File

IMAGE_DOS_HEADER structure, Using Standard Structures, Manually Loading a Windows PE File

IMAGE_NT_HEADERS structure, Using Standard Structures, Manually Loading a Windows PE File, Manually Loading a Windows PE File

IMAGE_SECTION_HEADER structure, Manually Loading a Windows PE File

IMAGE_SECTION_HEADER template, Manually Loading a Windows PE File

Import REConstruction (ImpREC) utility, Background

import table, The Imports Window

imported functions, Augmenting Function Information, Augmenting Function Information, Opcode Obfuscation

editing, Augmenting Function Information
obfuscation, anti–static analysis techniques, Opcode Obfuscation

Imports window, The Imports Window, Opcode Obfuscation

import_node netnode, Header Files Overview

import_type function, A pcap Loader for IDA

ImpREC (Import REConstruction) utility, Background

in instruction, Detecting Virtualization

include (INC) files, generating, IDA-Generated ASM Files

include directive, Parsing C Header Files, Associating IDC Scripts with Hotkeys

include directory, SDK Layout

include files, Parsing C Header Files

Include in names list option, for named locations, Named Locations

include statement, Associating IDC Scripts with Hotkeys

indent parameter, The Outputter

INDENTATION option, Configuration Files

index function, Creating Signature Files

Index of IDC functions, The IDC Language, Associating IDC Scripts with Hotkeys

Indexes radio buttons, Specifying Arrays

inf.mf flag, Processor Notifications

inheritance hierarchy, determining, Runtime Type Identification

inheritance relationships, in C++, Runtime Type Identification

init member, for plug-ins, Writing a Plug-in

init method, Automating Debugger Actions with IDA Plug-ins

initialization, of plug-ins, Plug-in Initialization

init_loader_options function, Writing an IDA Loader Using the SDK, The Simpleton Loader

inline constructors, Runtime Type Identification

inline functions, Inheritance Relationships

Input file option, debugger process options dialog, Using a Hex-Rays Debugging Server

Input File options, Using the Binary File Loader

ins.cpp file, The processor_t Struct

insert key, Creating a New Structure (or Union), Using Standard Structures, Loading New TIL Files

Insert option, Parsing C Structure Declarations

insn_t (ua.hpp), datatypes for SDK, Header Files Overview, Useful SDK Datatypes, Basic Initialization of the LPH Structure

installation of 32-bit Python, IDAPython, IDAPython

installing, Your IDA Installation, Windows Installation, Windows Installation, Windows Installation, IDA and SELinux, IDA and SELinux, IDA and SELinux, Installing Plug-ins

32-bit vs. 64-bit, IDA and SELinux
and SELinux, IDA and SELinux
directory layout, IDA and SELinux
on Linux, Windows Installation
on OS X, Windows Installation
on Windows, Windows Installation
plug-ins, Installing Plug-ins

install_make.txt file, SDK Layout

install_visual.txt file, Building Your Plug-ins

install_xxx.txt files, SDK Layout, Plug-in Execution

instruction emulator, Writing a Processor Module Using the SDK, Emulation-Oriented De-obfuscation

instruction operands, formatting, Formatting Instruction Operands

Instruction Pointer (IP), Tracing

instruction sets, CPU, The IDA Software Development Kit

Instruction Tracing option, Debugger menu, Breakpoints

Instructions constant, Basic Initialization of the LPH Structure

instrumentation, detecting, Detecting Virtualization

int 3 instruction, Dynamically Computed Target Addresses, Breakpoints, Dealing with Exceptions

int get_segm_qty function, Segment Manipulation

int set_segm_name function, Segment Manipulation

int type, Datatypes and Data Structures

integer index, Augmenting Function Information

Intel syntax, A Basic Disassembly Algorithm

intel_data function, The Outputter

internal heap implementation, Emulator-Assisted De-obfuscation

interpreter, for Python byte code, Python Byte Code

invoke_callbacks function, Processor Notifications

IP (Instruction Pointer), Tracing

iret instruction, Disassembly Desynchronization

iscode member, Enumerating Cross-References

IsDebugged field, PEB, Hiding the Debugger

IsDebuggerPresent function, Detecting Instrumentation, Emulator-Assisted De-obfuscation, Hiding the Debugger

isLoaded function, Useful IDC Functions, Functions for Reading and Modifying Data, Commonly Used SDK Functions

is_far_jump function, Processor Notifications

is_sp_based function, Processor Notifications

is_switch function, Processor Notifications

Items on line attribute, Specifying Arrays

iteration techniques, using API, Iteration Techniques Using the IDA API, Iteration Techniques Using the IDA API, Enumerating Structure Members, Enumerating Structure Members

enumerating cross-references, Enumerating Structure Members
enumerating functions, Iteration Techniques Using the IDA API
enumerating structure members, Enumerating Structure Members

iTERM, OS X Console Specifics

itype field, The Analyzer

J

j suffix, Code Cross-References
ja instruction, Jump Tables and Switch Statements
Java byte code, Python Byte Code
Java Database Connectivity (JDBC), collabREate
Java loader, Alternative Loader Strategies
Java virtual machine, Virtual Machine-Based Obfuscation
JDBC (Java Database Connectivity), collabREate
jmp esi instruction, Stack Frame Breakdown
jmp esp instruction, Stack Frame Breakdown
jmp statement, Linear Sweep Disassembly
Jump command, Discovering New Vulnerabilities with IDA
jump flow type, IDA Graph View, Code Cross-References
Jump function, Functions for Reading and Modifying Data, User Interaction Functions, Locating main
jump tables, compiler differences for, Compiler Personalities
Jump to Address command, Discovering New Vulnerabilities with IDA
Jump to Address dialog, Jump to Address
Jump To Cursor button, x86emu Emulator dialog, Basic x86emu Operation
Jump to Next Position option, Navigation History
Jump to Previous Position operation, Jump to Address
Jump to Problem command, The GUI Configuration File: idagui.cfg
jump-style cross-references, Code Cross-References
JumpQ option, The GUI Configuration File: idagui.cfg
jumpto function, Basic Database Access
junk strings, The Strings Window
jz instruction, Disassembly Desynchronization

K

Kernel Options, IDA File Loading, Function Chunks

kernel32.dll, Imported Function Obfuscation, Imported Function Obfuscation, Basic Debugger Displays, Launching the Process, Import Table Reconstruction, Hiding the Debugger

kernel32_GetCommandLineA, Import Table Reconstruction

kernel32_VirtualAlloc function, Appcall

kernwin.hpp, for API, Header Files Overview

key file, safeguarding, Purchasing IDA

keyboards, IDA Graph View, Linux Console Specifics, Linux Console Specifics

different layouts, Linux Console Specifics
zoom control, IDA Graph View

Kiel OMF 166 object files, Creating Pattern Files

konsole, KDE’s, Linux Console Specifics

Koret, Joxean, Class Informer

L

label component, Creating Customized Forms with the SDK

launching, Your IDA Installation, Launching IDA, Launching IDA, Launching IDA, Launching IDA, Launching the Debugger, Launching the Debugger

debugger, Launching the Debugger
Go button, Launching IDA
New button, Launching IDA
Previous button, Launching IDA
process, Launching the Debugger
Windows installer, Your IDA Installation

ldd (list dynamic dependencies) utility, ldd

ldr directory, for SDK, SDK Layout

LDRF_RELOAD flag, Writing an IDA Loader Using the SDK

LDSC (loader description) object, Writing an IDA Loader Using the SDK

leave instruction, Stack Frame Examples, Customizing Existing Processors

legacy mode graphs, Linux Console Specifics

len function, Enumerating Instructions

letter codes, nm

Levine, John R., ldd

lib directory, for SDK, SDK Layout

libbfd (Binary File Descriptor library), objdump

libc.a version, Applying FLIRT Signatures

libc_FreeBSD80.exc file, Creating Signature Files

libc_FreeBSD80.pat file, Creating Pattern Files

libc_start_main function, Locating main, Locating main

Library func attribute, Function Attributes

library handle, Emulator-Assisted De-obfuscation

Library name column, FLIRT signature selection, Applying FLIRT Signatures

license agreement dialog, Using IDA’s Batch Mode

license enforcement, Hex-Rays’ Stance on Piracy

licenses, for IDA, Obtaining IDA Pro

life cycle, of plug-ins, Writing a Plug-in

limitations, Console Mode IDA, Console Mode IDA, Using IDA Freeware 5.0

of consoles, Console Mode IDA
of IDA freeware 5.0, Using IDA Freeware 5.0

Line prefixes option, Code Display Options

line prefixes, enabling, IDA Graph View

linear sweep disassembly, Linear Sweep Disassembly

lines.hpp file, Header Files Overview, The Outputter

link libraries, User Interface Generation with Qt

linking, ldd

linput_t (loader input type), Writing an IDA Loader Using the SDK

Linux, Windows Installation, Linux Console Specifics, Linux Console Specifics, Linux Console Specifics, Linux Console Specifics, Linux Console Specifics, Linux Console Specifics

based IDA installation, Linux Console Specifics
console mode for, Linux Console Specifics
console mouse server for, Linux Console Specifics
installing on, Windows Installation
terminal programs on, Linux Console Specifics
text display in, Linux Console Specifics

linux_server server component, Remote Debugging with IDA

linux_serverx64 server component, Remote Debugging with IDA

list dynamic dependencies (ldd) utility, ldd

listing view, Introduction to the IDA Desktop

listing-style display, Introduction to the IDA Desktop

list_callers function, Enumerating Cross-References

Litchfield, David, Locating Instruction Sequences

little-endian, CUP, Linear Sweep Disassembly

lnames data member, Other processor_t Members

Load a New File dialog, IDA File Loading

Load Desktop command, IDA Desktop Tips and Tricks

Load desktop option, Windows menu, Customizing IDA Toolbars

Load from file radio button, x86emu Set Memory Values dialog, Basic x86emu Operation

Load type library option, in Type Libraries window, The Signatures Window

loader description (LDSC) object, Writing an IDA Loader Using the SDK

loader input type (linput_t), Writing an IDA Loader Using the SDK

loader modules, for binary files, IDA Loader Modules, IDA Loader Modules, IDA Loader Modules, The Simpleton Loader, The Simpleton Loader

overview, IDA Loader Modules
pcap loader, The Simpleton Loader
simpleton loader, The Simpleton Loader
writing using SDK, IDA Loader Modules

Loader segment checkbox, Change segment attributes dialog, IDA Databases and the IDA Debugger

Loader segments button, Memory snapshot confirmation dialog, IDA Databases and the IDA Debugger

loader warnings, IDA Database Files

loader-generated informational messages, IDA Database Files

loader.hpp file, Header Files Overview, The IDA Plug-in Architecture, IDA Loader Modules

loaders directory, The IDA Directory Layout, Launching IDA

LOADER_EXT variable, The Simpleton Loader

loader_failure function, Writing an IDA Loader Using the SDK

loader_t structure, Header Files Overview, IDA Loader Modules

loadfile function, File Input/Output Functions

loading files, IDA File Loading, Loading New TIL Files

Loading Offset field, IDA File Loading

loading process, IDA Loader Modules

Loading Segment field, IDA File Loading

loadint utilities, Creating IDS Files

loadint57.zip version, Creating IDS Files

LoadLibrary function, Imported Function Obfuscation, Simple Decryption and Decompression Loops

LoadLibraryA function, Imported Function Obfuscation, Emulator-Assisted De-obfuscation

load_file function, Writing an IDA Loader Using the SDK, A pcap Loader for IDA, Processor Module Architecture

load_pcap_file function, A pcap Loader for IDA

load_simpleton_file, The Simpleton Loader

Local Bochs debugger, Debugging with Bochs

local debugging, Launching the Debugger

Local name option, for named locations, Named Locations

Local Types command, Parsing C Structure Declarations

Local Types entry dialog, Parsing C Structure Declarations

Local Types window, Parsing C Structure Declarations

local variables, Other Calling Conventions, Local Variable Layout, Parameters and Local Variables

layout, in stack frames, Other Calling Conventions
naming, Parameters and Local Variables

Local variables area attribute, Function Attributes

locations, renaming, Named Locations

LocByName function, Functions Dealing with Functions, Enumerating Cross-References

LocByNameEx function, Manipulating Database Names

lodsb instruction, Script-Oriented De-obfuscation

Log if same IP option, Tracing Options dialog, Tracing

logical addresses, IDA-Generated MAP Files

loopne instruction, Linear Sweep Disassembly

lowercase letter codes, nm

LPH struct, Writing a Processor Module Using the SDK, Basic Initialization of the LPH Structure

lpSubKey parameter, Augmenting Function Information

lread4bytes function, The Simpleton Loader

LST files, generating, IDA-Generated ASM Files

ltoa function, User Interaction Functions

M

Mac keyboard, vs. PC keyboard, Linux Console Specifics

Mach-O loader, Processor Module Architecture

Machine field, Manually Loading a Windows PE File

machine languages, Disassembly Theory, Code Display Options

MackT, Background

MACRO keyword, The Console Configuration File: idatui.cfg

macros, The Console Configuration File: idatui.cfg, IDA Scripting

mac_server server component, Remote Debugging with IDA

mac_serverx64 server component, Remote Debugging with IDA

magic files, file

magic numbers, file

main method, compiler differences for, Locating main

Main toolbar, turning off, IDA Colors

make files, plug-ins, Real-World IDA Plug-ins

Make imports section option, IDA-Generated EXE Files

MakeByte function, Database Manipulation Functions

MakeCode function, Data Cross-Reference Functions

makecode parameter, The Simpleton Loader

MakeComm function, Database Manipulation Functions

MakeFunction function, Database Manipulation Functions

MakeLine function, The Outputter, The Outputter

MakeNameEx function, Manipulating Database Names

MakeStr function, Database Manipulation Functions

MakeUnkn function, Data Cross-Reference Functions

make_data notification, Processor Notifications

malicious PDF files, IdaPdf

malloc function, The Functions Window, Stack-Allocated Arrays, Discovering New Vulnerabilities with IDA

malware analysis, reasons for disassembly, The Why of Disassembly

mangled names, Name Mangling

manipulating disassembly, Disassembly Manipulation, Parameters and Local Variables, Commenting in IDA, Basic Code Transformations, Formatting Instruction Operands, Manipulating Functions, Stack Pointer Adjustments, Basic Data Transformations, Working with Strings

arrays, attributes for, Working with Strings
code display options, Basic Code Transformations
commenting, Commenting in IDA
converting data to code (and vice versa), Stack Pointer Adjustments
data transformations, Basic Data Transformations
formatting instruction operands, Formatting Instruction Operands
functions, Manipulating Functions
naming, Parameters and Local Variables

Manual load option, for file headers, Using Standard Structures

manually overriding purged bytes, Augmenting Function Information

MAP files, generating, IDA-Generated MAP Files

mapping, IDA-generated variable names, IDA Stack Views

Mark as autogenerated option, Working with Strings

Mark consecutive traced events with same IP option, Tracing Options dialog, Tracing

MASM (Microsoft Assembler), A Basic Disassembly Algorithm

master list of structures, Using Standard Structures

Matched Functions, PatchDiff2, After-the-Fact Vulnerability Discovery with IDA

Maximum possible size attribute, Specifying Arrays

MAXSTR constant, IDC/SDK Cross-Reference

MAX_NAMES_LENGTH option, Configuration Files

MD5 value, CollabREate, collabREate

mem2base function, A pcap Loader for IDA

members array, Enumerating Structure Members

member_t (struct.hpp), datatypes for SDK, Useful SDK Datatypes, Structure Manipulation

Memory Organization dialog, Using the Binary File Loader

Memory snapshot confirmation dialog, IDA Databases and the IDA Debugger

memory usage parameters, The Main Configuration File: ida.cfg

memqty field, Enumerating Structure Members

memset operation, Debug vs. Release Binaries, Finding Useful Virtual Addresses

menu bar, console user interface, Console Mode IDA

Message function, IDC Statements, Functions for Reading and Modifying Data, Appcall

MessageBoxA function, Opcode Obfuscation

messages, Launching IDA, IDA Database Files, IDA Database Files

loader-generated informational, IDA Database Files
restoring hidden, Launching IDA

Metasploit project, Locating Instruction Sequences, Analyzing Shellcode

Micallef, Steve, IDA Support Resources, SDK Layout

Microsoft Assembler (MASM), A Basic Disassembly Algorithm

Microsoft Developer Network (MSDN), dumpbin

Microsoft linker, Building Processor Modules

Microsoft Visual C++ compiler, Function Chunks

Microsoft Visual Studio suite, dumpbin

Microsoft, Patch Tuesday cycle, Vulnerability Analysis

Minimum offset column, Structure Member Access

MIPS binary, Emulating Assembly Language Behavior

MIPS processor module, Using the Assemble Dialog

Misc tab, color selection dialog, IDA Colors

mitigation event, Discovering New Vulnerabilities with IDA

mitigation, of vulnerability, Discovering New Vulnerabilities with IDA

mkidp syntax, Building Processor Modules

mkidp.exe utility, Building Processor Modules

mnemonics, Disassembly Theory

modal dialogs, Cross-Reference Lists, Using the SDK’s Chooser Dialogs

modeless dialogs, Cross-Reference Lists, Using the SDK’s Chooser Dialogs

Modify menu item, Basic Debugger Displays

module directory, for SDK, SDK Layout

Modules view, Basic Debugger Displays

Modules window, Basic Debugger Displays

mouse support, Common Features of Console Mode

mov instructions, Function Call Instructions, Stack Frame Examples, Augmenting Predefined Comments with loadint

mov statements, Enumerating Exported Functions

Move Current Segment command, Manually Loading a Windows PE File

move_segm function, Writing an IDA Loader Using the SDK

movsb instruction, Tracing

MS-DOS 8.3 name-length convention, Creating Signature Files

MS-DOS EXE loader (dos.ldw), Launching IDA

MS-DOS executable file, file

MS-DOS header structure, Using Standard Structures

MS-DOS stub, Building Processor Modules

MSDN (Microsoft Developer Network), dumpbin

msfpescan tool, Metasploit project, Locating Instruction Sequences

msg function, Basic Database Access

mutual ptrace technique, Detecting Debuggers

MyNav plug-in, Class Informer

mynav.py script, Class Informer

my_func function, IDC Functions

MZ magic number, Classification Tools, Using Standard Structures

N

N hotkey, Names and Naming, Register Names

nalt.hpp file, Header Files Overview

Name conflict dialog, Named Locations

name decoration, Name Mangling

Name directive, IDS Files

Name function, Manipulating Database Names

Name generation area, Working with Strings

name mangling, c++filt, Name Mangling

Name of function attribute, Function Chunks

name parameter, Segment Manipulation, The Simpleton Loader

name-change dialog, Names and Naming

name-demangling options, Name Mangling

name-length convention, MS-DOS 8.3, Creating Pattern Files

name.hpp, Header Files Overview

NameChars set, Configuration Files

named constants, catalog of, Formatting Instruction Operands

named licenses, IDA Licenses

named locations, Named Locations, Named Locations, Named Locations, Named Locations, Named Locations, Named Locations, Named Locations

Autogenerated name option, Named Locations
Create name anyway option, Named Locations
Include in names list option, Named Locations
Local name option, Named Locations
Public name option, Named Locations
Weak name option, Named Locations

NameEx function, Manipulating Database Names

Names window, The Strings Window, Parameters and Local Variables

names, vs. hyperlinks, Basic IDA Navigation

naming, Names and Naming, Parameters and Local Variables, Named Locations, Hex-Rays, Import Table Reconstruction

conventions, Hex-Rays, Hex-Rays
import table entries, Import Table Reconstruction
parameters and local variables, Names and Naming
register names, Named Locations

NASM (Netwide Assembler), A Basic Disassembly Algorithm, strings

navigating disassembly, Basic IDA Navigation, Double-Click Navigation, Jump to Address, Jump to Address, IDA Stack Views

double-click navigation, Double-Click Navigation
jump to address, Jump to Address
navigation history, Jump to Address
searching database, IDA Stack Views

navigation band, Introduction to the IDA Desktop, Opcode Obfuscation

navigation history list, IDA’s Integrated Graph View

ncol parameter, Using the SDK’s Chooser Dialogs

ndisasm utility, strings

neflags parameter, Writing an IDA Loader Using the SDK

NEF_XXX flags, Writing an IDA Loader Using the SDK

negative deltas, The Emulator

netnode class, Error Handling in IDC, Header Files Overview, Data Storage in Netnodes

netnode index value, Extending IDC

netnode.hpp file, Header Files Overview

netnodenumber member, Header Files Overview, Creating Netnodes

netnodes, Netnodes, Netnodes, Creating Netnodes, Deleting Netnodes and Netnode Data, IDC/SDK Cross-Reference

creating, Netnodes
data storage in, Creating Netnodes
deleting, Deleting Netnodes and Netnode Data

Netwide Assembler (NASM), A Basic Disassembly Algorithm, Disassemblers

network attack sessions, Analyzing Shellcode

network connection, X.25-style, Formatting Instruction Operands

New button, Launching IDA

new operator, Virtual Functions and Vtables

New Project dialog, Visual Studio, Building Your Plug-ins

new vertices, introducing, IDA Graph View

Newger, Jan, Hiding the Debugger

Next Sequence of Bytes option, Search menu, Binary Searches

NextFunction function, Manipulating Database Names

nm utility, PEiD

No edge arrow, IDA Graph View

no operation (NOP) instructions, Using the Assemble Dialog, Locating Instruction Sequences

nodeidx_t operator, Creating Netnodes

nodes, Cross-References, IDA’s Integrated Graph View

noGPM option, TVision, Linux Console Specifics

nonmodal dialog, Using the SDK’s Chooser Dialogs

nonstandard structures, Creating IDA Structures

NOP (no operation) instructions, Using the Assemble Dialog, Locating Instruction Sequences

NOP slides, Finding Useful Virtual Addresses, Analyzing Shellcode

Normal edge arrow, IDA Graph View

normal flow, IDA Graph View

notification event, Discovering New Vulnerabilities with IDA

notification of vulnerability, Discovering New Vulnerabilities with IDA

notify field, The Outputter

notify function, Processor Notifications

NOVICE option, The GUI Configuration File: idagui.cfg

NO_OBSOLETE_FUNCS macro, The IDA Plug-in Architecture

NtContinue function, Dealing with Exceptions

ntdll.dll, Launching the Process, Hiding the Debugger, Dealing with Exceptions

ntdll_NtQueryInformationProcess function, Hiding the Debugger

NtGlobalFlags field, PEB, Hiding the Debugger

NtQueryInformationProcess function, Hiding the Debugger

NtSetInformationThread function, Hiding the Debugger

NTSTATUS code, Hiding the Debugger

NULL pointer, Data Storage in Netnodes

Number of elements attribute, Specifying Arrays

Number of opcode bytes option, Code Display Options

NumberOfSections field, Manually Loading a Windows PE File

O

obfuscated code analysis, Obfuscated Code Analysis, Obfuscated Code Analysis, Obfuscated Code Analysis, Disassembly Desynchronization, Opcode Obfuscation, Imported Function Obfuscation, Targeted Attacks on Analysis Tools, Targeted Attacks on Analysis Tools, Detecting Virtualization, Detecting Instrumentation, Detecting Debuggers, Preventing Debugging, Static De-obfuscation of Binaries Using IDA, Script-Oriented De-obfuscation, x86emu and Anti-debugging, Disassembler/Debugger Integration, IDA Databases and the IDA Debugger, Launching the Process, Simple Decryption and Decompression Loops, Import Table Reconstruction, Import Table Reconstruction

anti–dynamic analysis techniques, Targeted Attacks on Analysis Tools, Targeted Attacks on Analysis Tools, Detecting Virtualization, Detecting Instrumentation, Detecting Debuggers

detecting debuggers, Detecting Instrumentation
detecting instrumentation, Detecting Virtualization
detecting virtualization, Targeted Attacks on Analysis Tools
preventing debugging, Detecting Debuggers

anti–static analysis techniques, Obfuscated Code Analysis, Obfuscated Code Analysis, Disassembly Desynchronization, Opcode Obfuscation, Imported Function Obfuscation

disassembly desynchronization, Obfuscated Code Analysis
dynamically computed target addresses, Disassembly Desynchronization
imported function obfuscation, Opcode Obfuscation
targeted attacks on analysis tools, Imported Function Obfuscation

static de-obfuscation of binaries, Preventing Debugging, Static De-obfuscation of Binaries Using IDA, Script-Oriented De-obfuscation

script-oriented, Static De-obfuscation of Binaries Using IDA
x86emu emulation-oriented, Script-Oriented De-obfuscation

using debugger with, Disassembler/Debugger Integration, IDA Databases and the IDA Debugger, Launching the Process, Simple Decryption and Decompression Loops, Import Table Reconstruction, Import Table Reconstruction

decryption and decompression loops, Simple Decryption and Decompression Loops
hiding debugger, Import Table Reconstruction
import table reconstruction, Import Table Reconstruction
launching process, Launching the Process
overview, Disassembler/Debugger Integration

virtual machine-based, x86emu and Anti-debugging

obfuscation process, PE Tools, Background

obfuscators, Disassembler/Debugger Integration, Simple Decryption and Decompression Loops

objdump utility, ldd, ldd, objdump, objdump, objdump, objdump

debugging information, objdump
disassembly listing, objdump
private headers, ldd
section headers, ldd
symbol information, objdump

object class, IDC Functions

object life cycle, in C++, Virtual Functions and Vtables

objects, in IDC language, IDC Functions

OEP (original entry point) recognition, Disassembler/Debugger Integration

Offset column, Stack Frame Examples

offset cross-reference, Data Cross-References

OllyDbg, Background

OllyDump, Background

OMF libraries, Creating Pattern Files

opcode bytes, The Main Configuration File: ida.cfg

opcodes (operation codes), Introduction to Disassembly

Open command, file loading, Launching IDA

Open Register Window menu item, Basic Debugger Displays

Open Subviews command, IDA Desktop Tips and Tricks, Basic Debugger Displays

Open Subviews menu, Introduction to the IDA Desktop, The Principal IDA Displays, Common Features of Console Mode

OpenRCE, IDA Support Resources, IDAPython, Detecting Debuggers, Real-World IDA Plug-ins

OpenSSL cryptographic library, Applying FLIRT Signatures, Augmenting Function Information

operand values, Useful SDK Datatypes

operation codes (opcodes), Disassembly Theory

optimization, Debug vs. Release Binaries

Options checkboxes, IDA File Loading

options for constants, formatting, Formatting Instruction Operands

Options menu, Font menu, Basic Debugger Displays

optype_t constants, The Analyzer

op_t (ua.hpp), datatypes for SDK, Header Files Overview, Useful SDK Datatypes, The Analyzer

OR operation, Script-Oriented De-obfuscation

ord function, User Interaction Functions

ord parameter, The Simpleton Loader

ordinal number, Augmenting Function Information

ordinary flow type, IDA Graph View, Code Cross-References

original entry point (OEP) recognition, Background

Original value field, Changing Individual Database Bytes

OS X, Windows Installation, Linux Console Specifics, OS X Console Specifics

console mode for, Linux Console Specifics
installing on, Windows Installation

OS X Mach-O binaries, otool

Other option, IdaPdf, IdaPdf

otool utility, ldd

out function, The Outputter

out instruction, Script-Oriented De-obfuscation

out.cpp file, The Emulator

OUTDIR variable, The Simpleton Loader

OutLine function, The Outputter

OutMnem function, The Outputter

outop function, The Emulator, The Outputter

output generator, Writing a Processor Module Using the SDK

Output window, Introduction to the IDA Desktop, The Principal IDA Displays, The Output Window, Emulator-Assisted De-obfuscation

OutputDebugString function, Launching the Process

OutputDebugStringA function, Hiding the Debugger

outputter, for processor modules, The Emulator

OutValue function, The Outputter

out_line function, The Outputter

out_one_operand function, The Emulator, The Outputter, The Outputter

out_register function, The Outputter

out_snprintf function, The Outputter

out_symbol function, The Outputter

out_tagoff function, The Outputter

out_tagon function, The Outputter

overlapping windowing capability, TVision library, Console Mode IDA

overriding purged bytes, manually, Augmenting Function Information

Overview Navigator, Introduction to the IDA Desktop, Applying FLIRT Signatures

overview navigator, IDA desktop, Introduction to the IDA Desktop

o_displ type, The Emulator

o_imm type, The Emulator

o_mem type, The Emulator

o_near type, The Emulator

P

p suffix, Code Cross-References

Pack database (Deflate) option, Closing IDA Databases

Pack database (Store) option, Closing IDA Databases

pack pragma, Structure Member Access

packed data, restoring from, Reopening a Database

PaiMei framework, IDA External (Third-Party) Graphing

panning, in disassembly window, IDA Graph View

para parameter, Segment Manipulation

parameters, Names and Naming, Augmenting Function Information, Augmenting Function Information, IDC Functions, Finding and Labeling Function Arguments

names, formal, Augmenting Function Information
naming, Names and Naming
passing, IDC Functions
recognition, automating, Finding and Labeling Function Arguments

Parameters option, debugger process options dialog, Using a Hex-Rays Debugging Server

parsing errors, Error Handling in IDC

Pascal directive, IDS Files

Pascal-style strings, The Strings Window

Password option, debugger process options dialog, Using a Hex-Rays Debugging Server

pat.txt file, FLAIR, Creating Pattern Files

patch application event, After-the-Fact Vulnerability Discovery with IDA

patch availability event, After-the-Fact Vulnerability Discovery with IDA

Patch Bytes dialog, The Infamous Patch Program Menu

Patch Program menu, The Infamous Patch Program Menu, The Infamous Patch Program Menu, Changing Individual Database Bytes, Changing Individual Database Bytes

changing individual database bytes, The Infamous Patch Program Menu
changing word in database, Changing Individual Database Bytes
using Assemble dialog, Changing Individual Database Bytes

Patch Tuesday cycle, Microsoft, Vulnerability Analysis

Patch Word dialog, Changing a Word in the Database

patchable parameter, The Simpleton Loader

PatchByte function, Useful IDC Functions, Emulating Assembly Language Behavior, Script-Oriented De-obfuscation, Hiding the Debugger

PatchDbgByte function, Hiding the Debugger

PatchDiff2, After-the-Fact Vulnerability Discovery with IDA, After-the-Fact Vulnerability Discovery with IDA, After-the-Fact Vulnerability Discovery with IDA, After-the-Fact Vulnerability Discovery with IDA, After-the-Fact Vulnerability Discovery with IDA, After-the-Fact Vulnerability Discovery with IDA, After-the-Fact Vulnerability Discovery with IDA

graphical function comparison, After-the-Fact Vulnerability Discovery with IDA
Identical Functions, After-the-Fact Vulnerability Discovery with IDA
Matched Functions, After-the-Fact Vulnerability Discovery with IDA
Set Match dialog, After-the-Fact Vulnerability Discovery with IDA
Set Match feature, After-the-Fact Vulnerability Discovery with IDA
Unmatched Functions, After-the-Fact Vulnerability Discovery with IDA

PatchDword function, Useful IDC Functions, Emulating Assembly Language Behavior

patched files, After-the-Fact Vulnerability Discovery with IDA

patching binaries, Patching Binaries and Other IDA Limitations, The Infamous Patch Program Menu, IDA Output Files and Patch Generation, IDA-Generated MAP Files, IDA-Generated MAP Files, IDA-Generated ASM Files, IDA-Generated ASM Files, IDA-Generated ASM Files, IDA-Generated EXE Files, IDA-Generated HTML Files, After-the-Fact Vulnerability Discovery with IDA

after discovering vulnerability, After-the-Fact Vulnerability Discovery with IDA

Patch Program menu, The Infamous Patch Program Menu

Produce File menu, IDA Output Files and Patch Generation, IDA-Generated MAP Files, IDA-Generated MAP Files, IDA-Generated ASM Files, IDA-Generated ASM Files, IDA-Generated ASM Files, IDA-Generated EXE Files, IDA-Generated HTML Files

ASM files, IDA-Generated MAP Files
DIF files, IDA-Generated EXE Files
EXE files, IDA-Generated ASM Files
HTML files, IDA-Generated HTML Files
INC (include) files, IDA-Generated ASM Files
LST files, IDA-Generated ASM Files
MAP files, IDA-Generated MAP Files

PatchWord function, Useful IDC Functions

PatchXXX functions, Useful IDC Functions, Basic x86emu Operation

patch_byte funtion, Commonly Used SDK Functions

patch_long function, Commonly Used SDK Functions

patch_many_bytes function, Commonly Used SDK Functions

patch_word function, Commonly Used SDK Functions

pattern files, for FLIRT signature files, Identifying and Acquiring Static Libraries

pattern-matching, The IDA Directory Layout, Fast Library Identification and Recognition Technology

Pause button, toolbar buttons, Process Control

Pause Process option, Debugger menu, Launching the Debugger

PC keyboard, vs. Mac keyboard, Linux Console Specifics

pc.cmt file, Augmenting Predefined Comments with loadint

pcap file format, A pcap Loader for IDA

pcap loader, The Simpleton Loader

pcap_file_header structure, The Simpleton Loader, A pcap Loader for IDA

pcap_types string, A pcap Loader for IDA

PDB (Program Database) file, IDA Database Files

PDF files, IdaPdf

PDF Objects window, IdaPdf

PE (Portable Executable) format, The How of Disassembly, PE Tools, Launching IDA, Creating Signature Files, Creating Signature Files, Processor Module Architecture, x86emu Initialization, Emulator-Assisted De-obfuscation, Launching the Process, Bochs IDB Mode

binaries, Windows, x86emu Initialization
files, Windows, Emulator-Assisted De-obfuscation
mode, for Bochs, Bochs IDB Mode
signatures, Creating Signature Files

PE Sniffer utility, PE Tools

PE Tools, PE Tools

pe.ldw (Windows PE loader), Launching IDA

pe.sig file, Locating main

PEB (process environment block), x86emu Initialization, Import Table Reconstruction, Bochs IDB Mode

PEiD, PEiD

persistent data storage, in IDC language, Error Handling in IDC

persistent named objects, Persistent Data Storage in IDC

personal settings directory, Linux Console Specifics

pe_ prefix, Creating Signature Files

pe_*.pat file, Creating Signature Files

pe_gcc.pat file, Creating Signature Files

pe_sections.idc script, IDA-Generated EXE Files

pe_vc.pat file, Creating Signature Files

pfn pointer, The Emulator

ph variable, Header Files Overview

phrase field, The Outputter

piracy, Hex-Rays stance on, Obtaining IDA Pro

Pistelli, Daniel, Windows-Only User Interface–Generation Techniques

PlayStation PSX libraries, Sony, Identifying and Acquiring Static Libraries

plb.exe parser, Creating Pattern Files

plb.txt file, Creating Pattern Files

Please confirm dialog, IDA Databases and the IDA Debugger

PLT (procedure linkage table), Enumerating Cross-References

plug-in configuration values, Visual Studio, Building Your Plug-ins

plug-ins, The IDA Directory Layout, SDK Layout, The IDA Plug-in Architecture, The IDA Plug-in Architecture, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Plug-in Initialization, Plug-in Initialization, Event Notification, Building Your Plug-ins, Installing Plug-ins, Installing Plug-ins, Configuring Plug-ins, Extending IDC, Plug-in User Interface Options, Using the SDK’s Chooser Dialogs, Creating Customized Forms with the SDK, Windows-Only User Interface–Generation Techniques, Scripted Plug-ins, Real-World IDA Plug-ins, Real-World IDA Plug-ins, IDAPython, collabREate, collabREate, ida-x86emu, Class Informer, MyNav, Automating Debugger Actions with IDA Plug-ins, Attaching to a Remote Process

building, Building Your Plug-ins

class informer, collabREate

collabREate, collabREate

configuring, Installing Plug-ins

directory for, The IDA Directory Layout, SDK Layout

event notification for, Plug-in Initialization

execution of, Event Notification

extending IDC with, Configuring Plug-ins

for debugger, Automating Debugger Actions with IDA Plug-ins

Hex-Rays, Real-World IDA Plug-ins

ida-x86emu, ida-x86emu

IdaPdf, MyNav

IDAPython, IDAPython

initialization of, Plug-in Initialization

installing, Installing Plug-ins

life cycle of, Writing a Plug-in

MyNav, Class Informer

scripted, Scripted Plug-ins

user interface options for, Extending IDC, Plug-in User Interface Options, Using the SDK’s Chooser Dialogs, Creating Customized Forms with the SDK, Windows-Only User Interface–Generation Techniques

customized forms with SDK, Using the SDK’s Chooser Dialogs
using SDK chooser dialogs, Plug-in User Interface Options
Windows-only, Creating Customized Forms with the SDK
with Qt, Windows-Only User Interface–Generation Techniques

using during remote debugging, Attaching to a Remote Process

writing, The IDA Plug-in Architecture, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in, Writing a Plug-in

comment member, Writing a Plug-in
flags field, Writing a Plug-in
help member, Writing a Plug-in
init member, Writing a Plug-in
run member, Writing a Plug-in
term member, Writing a Plug-in
version field, Writing a Plug-in
wanted_hotkey member, Writing a Plug-in
wanted_name member, Writing a Plug-in

plug-ins configuration file, Customizing IDA

PLUGIN object, The IDA Plug-in Architecture

PLUGIN.flags, The Plug-in Life Cycle

PLUGIN.init function, The Plug-in Life Cycle

PLUGIN.run function, The Plug-in Life Cycle, Plug-in Execution

PLUGIN.term function, The Plug-in Life Cycle, Event Notification

PLUGIN.wanted_hotkey, Configuring Plug-ins

Plugins menu, Edit menu, After-the-Fact Vulnerability Discovery with IDA, Class Informer

plugins.cfg file, Customizing IDA, Installing Plug-ins

PLUGIN_ENTRY function, User Interface Generation with Qt

PLUGIN_EXT variable, The Simpleton Loader

plugin_file field, Installing Plug-ins

PLUGIN_FIX bit, Writing a Plug-in

PLUGIN_FIX flag, The Plug-in Life Cycle, Building Your Plug-ins

PLUGIN_KEEP value, The Plug-in Life Cycle

PLUGIN_OK value, The Plug-in Life Cycle

PLUGIN_PROC bit, The Plug-in Life Cycle

PLUGIN_PROC flag, The Plug-in Life Cycle

PLUGIN_SKIP value, The Plug-in Life Cycle

plugin_t class, Header Files Overview, The IDA Plug-in Architecture, User Interface Generation with Qt, Writing an IDA Loader Using the SDK

PLUGIN_UNL flag, The Plug-in Life Cycle

PLUGIN_XXX constants, The IDA Plug-in Architecture

PointerToRawData field, Manually Loading a Windows PE File, Manually Loading a Windows PE File

polymorphism, Runtime Type Identification

pop instruction, The Emulator, Disassembly Desynchronization

pop-up windows, tool tip–style, Datatypes and Data Structures

popa instruction, Script-Oriented De-obfuscation, Simple Decryption and Decompression Loops

popf instruction, Script-Oriented De-obfuscation, Dealing with Exceptions

Port option, debugger process options dialog, Using a Hex-Rays Debugging Server

Portable Executable (PE) format. See PE format, The Emulator

positive deltas, The Emulator

POSIX wait function, Preventing Debugging

POSIX-style regular expressions, Text Searches

pragma pack directive, Parsing C Structure Declarations

predecessor instruction, IDA External (Third-Party) Graphing

Predefined symbols section, IDC Programs

Preferences dialog, X11, OS X Console Specifics

prefixes, for autogenerated names, The Names Window

Preserve case, Working with Strings

preventing debuggers, Preventing Debugging

PrevFunction function, Functions Dealing with Functions

Previous button, Launching IDA

print function, Functions for Reading and Modifying Data

Print recursion dots, Custom Cross-Reference Graphs

printable characters, ASCII, Deep Inspection Tools

printf function, The C Calling Convention

printf-style format string, Functions for Reading and Modifying Data

printf_line function, The Outputter

print_type function, Runtime Type Identification

pro.h, for API, The IDA Application Programming Interface, Header Files Overview

Problems window, The Function Calls Window

procedure linkage table (PLT), Enumerating Cross-References

process control tools, Basic Debugger Displays

process control, with debugger, Basic Debugger Displays, Process Control, Breakpoints, Tracing, Watches

breakpoints, Process Control
stack traces, Tracing
tracing, Breakpoints
watches, Watches

process environment block (PEB), x86emu Initialization, Import Table Reconstruction, Bochs IDB Mode

process image, Background

Process Monitor, Detecting Instrumentation

Process Options command, Debugger menu, Using a Hex-Rays Debugging Server

Process Stalker component, PaiMei framework, IDA External (Third-Party) Graphing

process tracing, Preventing Debugging

ProcessDebugPort function, Hiding the Debugger

processes, attaching debuggers to, The IDA Debugger

ProcessInformation parameter, Hiding the Debugger

ProcessInformationClass parameter, Hiding the Debugger

processor modules, IDA Processor Modules, Writing a Processor Module Using the SDK, Writing a Processor Module Using the SDK, The processor_t Struct, Basic Initialization of the LPH Structure, The Analyzer, The Emulator, Processor Notifications, Processor Notifications, Building Processor Modules, Customizing Existing Processors, Customizing Existing Processors, Customizing Existing Processors, Scripting a Processor Module

and Python byte code, IDA Processor Modules

architecture of, Customizing Existing Processors

building, Building Processor Modules

customizing existing, Customizing Existing Processors

scripting, Scripting a Processor Module

using SDK, Writing a Processor Module Using the SDK, Writing a Processor Module Using the SDK, The processor_t Struct, Basic Initialization of the LPH Structure, The Analyzer, The Emulator, Processor Notifications, Processor Notifications

analyzer, Basic Initialization of the LPH Structure
emulator, The Analyzer
initialization of LPH structure, The processor_t Struct
outputter, The Emulator
processor notifications, Processor Notifications
processor_t members, Processor Notifications
processor_t struct, Writing a Processor Module Using the SDK

processor notifications, Plug-in Initialization

Processor Options button, IDA File Loading

Processor options section, The Main Configuration File: ida.cfg

Processor Type drop-down menu, IDA File Loading

PROCESSOR_ENTRY function, Processor Module Architecture

processor_t object, Plug-in Initialization

processor_t struct, Writing a Processor Module Using the SDK

processor_t.newprc notification, Other processor_t Members

procs directory, The IDA Directory Layout, IDA File Loading

procs file, Other processor_t Members

proctemplate.py, Scripting a Processor Module

Produce File menu, IDA Output Files and Patch Generation, IDA-Generated MAP Files, IDA-Generated MAP Files, IDA-Generated ASM Files, IDA-Generated ASM Files, IDA-Generated ASM Files, IDA-Generated EXE Files, IDA-Generated HTML Files

ASM files, IDA-Generated MAP Files
DIF files, IDA-Generated EXE Files
EXE files, IDA-Generated ASM Files
HTML files, IDA-Generated HTML Files
INC (include) files, IDA-Generated ASM Files
LST files, IDA-Generated ASM Files
MAP files, IDA-Generated MAP Files

Produce file submenu, File menu, IDA External (Third-Party) Graphing

Program Database (PDB) file, IDA Database Files

program entry point, A Basic Disassembly Algorithm

programs, in IDC language, IDC Objects

project properties dialog, Visual Studio, Building Your Plug-ins

Project Selection dialog, CollabREate, collabREate

prologue, of functions, Stack Frames

Propagate option, Set Match dialog, After-the-Fact Vulnerability Discovery with IDA

Properties dialog, The Functions Window

protected binary, Burneye, Emulator-Assisted De-obfuscation

PR_xxx flags, Basic Initialization of the LPH Structure

Pseudocode option, View menu, Real-World IDA Plug-ins

pseudocode window, Hex-Rays

pseudocode, Hex-Rays, Hex-Rays

ptrace API, Preventing Debugging

Public name option, for named locations, Named Locations

purchasing IDA, Purchasing IDA

purecall function, Virtual Functions and Vtables

Purged bytes attribute, Function Attributes

Purged bytes field, Augmenting Function Information

Push Data button, Set Memory Values dialog, Basic x86emu Operation

push instruction, Stack Frame Examples, The Emulator

push operations, The C Calling Convention

Push Stack Data dialog, Basic x86emu Operation

push statements, Enumerating Exported Functions

pusha instruction, Script-Oriented De-obfuscation

pushf instruction, Script-Oriented De-obfuscation, Emulator-Assisted De-obfuscation

puts function, External Cross-Reference Graphs

Python byte code, IDA Processor Modules

Python function, Discovering New Vulnerabilities with IDA

Python interpreter, IDA Processor Modules

Python script, Finding Useful Virtual Addresses, Simple Decryption and Decompression Loops

Python website, IDAPython, IDAPython

python_data function, The Emulator

PYTHON_LAST constant, Basic Initialization of the LPH Structure

Q

QApplication class, User Interface Generation with Qt
qfopen function, Header Files Overview
qfprintf function, Header Files Overview
qnumber macro, Basic Initialization of the LPH Structure
qsnprintf function, Header Files Overview, User Interface Generation with Qt
qstrlen function, User Interface Generation with Qt
qstrncpy function, Header Files Overview
qstrXXXX function, Header Files Overview
QT namespace, Windows-Only User Interface–Generation Techniques
Qt port, IDA External (Third-Party) Graphing
Qt socket classes, collabREate
QuickEdit mode, Windows Console Specifics
QuickUnpack, Opcode Obfuscation
Quit action, The GUI Configuration File: idagui.cfg
qwingraph graph viewer, Function Calls
qword field, Heap-Allocated Structures

R

r value, IDA Stack Views

radio buttons, Creating Customized Forms with the SDK

RCE forums, IDA Support Resources, Real-World IDA Plug-ins

rdtsc instruction, x86emu and Anti-debugging

read cross-reference, Data Cross-References

read function, POSIX, The Simpleton Loader

read/write traces, Tracing

readelf utility, objdump

readlong function, File Input/Output Functions

README file, tilib utility, Sharing TIL Files

readme.txt file, Identifying and Acquiring Static Libraries, Creating Pattern Files, Creating IDS Files, SDK Introduction, Writing a Processor Module Using the SDK

FLAIR, Creating Pattern Files
idsutils, Creating IDS Files
SDK, SDK Introduction, Writing a Processor Module Using the SDK

readshort function, File Input/Output Functions

readstr function, File Input/Output Functions

realcvt function, Processor Notifications

rearranging blocks, in disassembly window, IDA Graph View

reasons, for disassembly, The Why of Disassembly, Vulnerability Analysis, Vulnerability Analysis, Vulnerability Analysis, Vulnerability Analysis, Vulnerability Analysis

compiler validation, Vulnerability Analysis
debugging displays, Vulnerability Analysis
malware analysis, The Why of Disassembly
software interoperability, Vulnerability Analysis
vulnerability analysis, Vulnerability Analysis

Rebase Program menu option, Manually Loading a Windows PE File

Recent Scripts menu option, Basic Script Execution

Recent Scripts window, Basic Script Execution

recoverying source code, The What of Disassembly

recursive descent algorithm, Return Instructions

recursive descent disassembly, Recursive Descent Disassembly, Recursive Descent Disassembly, Sequential Flow Instructions, Conditional Branching Instructions, Function Call Instructions, Function Call Instructions

conditional branching instructions, Conditional Branching Instructions
function call instructions, Function Call Instructions
return instructions, Function Call Instructions
sequential flow instructions, Sequential Flow Instructions
unconditional branching instructions, Recursive Descent Disassembly

Recursive option, Custom Cross-Reference Graphs

recvfrom function, Analyzing Shellcode

Red Hat distributions, Identifying and Acquiring Static Libraries

redefine process, Disassembly Desynchronization

referenced variables, stack frame view, IDA Stack Views

references, in C++, Inheritance Relationships

Refresh memory command, Debugger menu, Appcall

reg.cpp file, Basic Initialization of the LPH Structure

register names, naming, Named Locations

register-renaming dialog, Register Names

registry key, Windows, Launching IDA

RegNames array, Basic Initialization of the LPH Structure

RegOpenKey function, Datatypes and Data Structures, Augmenting Function Information

regular comments, Regular Comments

regular expressions, POSIX-style, Text Searches

relationships, deducing between classes, Inheritance Relationships

relative virtual address (RVA), Manually Loading a Windows PE File

release binaries, vs. debug binaries, Locating main

Remote debugger configuration dialog, Using a Hex-Rays Debugging Server

remote debugging, Additional Debugger Features, Remote Debugging with IDA, Using a Hex-Rays Debugging Server, Attaching to a Remote Process, Attaching to a Remote Process

attaching to remote process, Using a Hex-Rays Debugging Server
exception handling during, Attaching to a Remote Process
using Hex-Rays debugging server, Remote Debugging with IDA
using scripts and plug-ins during, Attaching to a Remote Process

Remove Function Tail option, Function Chunks

remove option (qwingraph), Linux Console Specifics

Rename and Set Type option, Hex-Rays

Rename option, context-sensitive menu, Names and Naming

renaming, Named Locations, Import Table Reconstruction, Import Table Reconstruction

import table entries, Import Table Reconstruction
locations, Named Locations

renimp.idc script, Import Table Reconstruction

reopening, IDA database files, Closing IDA Databases

REP prefix, Tracing

repair option, Database Repair dialog, Reopening a Database

repeatable comments, Repeatable Comments

reporting bugs, Reporting Bugs

request_COMMAND function, Automating Debugger Actions with IDA Plug-ins

res->num field, Extending IDC

res->set_string, Extending IDC

Research & Resources forum, Hex-Rays, SDK Layout

Reset Desktop command, IDA Desktop Tips and Tricks

Reset desktop option, Windows menu, Customizing IDA Toolbars

restarting IDA, after crashes, Closing IDA Databases

restoring, Launching IDA, Launching IDA, Reopening a Database

from packed data, Reopening a Database
hidden messages, Launching IDA

ResumeProcess macro, Scripting Debugger Actions

RET instruction, The C Calling Convention

ret instruction, Stack Frame Examples, Datatypes and Data Structures

RET N variant, Function Attributes

return instructions, Function Call Instructions

return statement, IDC Functions, Emulator-Assisted De-obfuscation, Automating Debugger Actions with IDA Plug-ins

reversing engineer programs, The What of Disassembly

Rfirst function, Functions Dealing with Functions

RfirstB function, Functions Dealing with Functions

right-click options, The Names Window, The Signatures Window, The Signatures Window, Names and Naming, Formatting Instruction Operands, Formatting Instruction Operands, Basic Data Transformations

and name changing, Names and Naming
constants, Formatting Instruction Operands
data items, Basic Data Transformations
in Segments window, The Names Window
in Signatures window, The Signatures Window
in Type Libraries window, The Signatures Window

>> (right-shift operator), IDC Variables, Script-Oriented De-obfuscation

right-shift operator (>>), IDC Variables, Script-Oriented De-obfuscation

RISC-style architectures, The Analyzer

Rnext function, Functions Dealing with Functions

RnextB function, Functions Dealing with Functions

Roberts, J. C., Creating Pattern Files

Rolles, Rolf, IDA Processor Modules, Virtual Machine-Based Obfuscation

ROM images, Disassemblers, Unknown File Analysis

RTCx, Debug vs. Release Binaries

RtlUserThreadStart function, Launching the Process

RTTI (Runtime Type Identification) implementations, Name Mangling, Name Mangling, Jump Tables and Switch Statements

compiler differences for, Jump Tables and Switch Statements
in C++, Name Mangling

RTTICompleteObjectLocator structure, Runtime Type Identification

rules, for working with malware in debugging environment, IDA Databases and the IDA Debugger

Run button, Basic x86emu Operation, Dealing with Exceptions, Dealing with Exceptions

exception confirmation dialog, Dealing with Exceptions
x86emu Emulator dialog, Basic x86emu Operation

Run command, Process Control

run function, Extending IDC, Automating Debugger Actions with IDA Plug-ins

run member, for plug-ins, Writing a Plug-in

Run option, Debugger menu, Launching the Debugger

Run to Cursor button, Basic x86emu Operation, Emulator-Assisted De-obfuscation, Process Control, Process Control

toolbar buttons, Process Control
x86emu Emulator dialog, Basic x86emu Operation, Emulator-Assisted De-obfuscation

Run to Cursor command, in Burneye, Emulator-Assisted De-obfuscation

Run to Cursor option, Debugger menu, Launching the Debugger

Run Until Return button, toolbar buttons, Process Control

runtime errors, Error Handling in IDC

Runtime Type Identification implementations. See RTTI implementations, Scripting Debugger Actions

RunTo function, Scripting Debugger Actions

run_requests function, Automating Debugger Actions with IDA Plug-ins

Rutkowska, Joanna, Detecting Virtualization

RVA (relative virtual address), Manually Loading a Windows PE File

S

Sabanal, Paul Vincent, Inheritance Relationships

safeguarding key file, Purchasing IDA

sandbox environments, Opcode Obfuscation

Save Database dialog, Closing IDA Databases

Save Desktop command, IDA Desktop Tips and Tricks

Save Desktop option, Windows menu, Basic Debugger Displays

Save Disassembly Desktop dialog, Customizing IDA Toolbars

Saved registers attribute, Function Attributes

savefile function, File Input/Output Functions

save_file function, Writing an IDA Loader Using the SDK, The Simpleton Loader

ScreenEA function, Functions for Reading and Modifying Data, Enumerating Instructions

Script cancellation dialog, IDC Programs

script de-obfuscation of binaries, Static De-obfuscation of Binaries Using IDA

script entry dialog, Basic Script Execution

Script File option, File menu, Import Table Reconstruction

script-based behavior, Bochs PE Mode

scripting, IDA Scripting, IDA Scripting, Basic Script Execution, IDC Variables, IDC Variables, IDC Statements, IDC Statements, IDC Functions, IDC Objects, IDC Programs, Error Handling in IDC, Associating IDC Scripts with Hotkeys, Associating IDC Scripts with Hotkeys, Useful IDC Functions, Functions for Reading and Modifying Data, User Interaction Functions, User Interaction Functions, Manipulating Database Names, Manipulating Database Names, Code Cross-Reference Functions, Data Cross-Reference Functions, Data Cross-Reference Functions, Database Manipulation Functions, Database Search Functions, Database Search Functions, Database Search Functions, Enumerating Functions, Enumerating Instructions, Enumerating Exported Functions, Enumerating Exported Functions, Emulating Assembly Language Behavior, IDAPython, IDAPython Scripting Examples, Scripted Plug-ins, Writing a Scripted Loader, Scripting a Processor Module, Watches, Attaching to a Remote Process

associating IDC scripts with hotkeys, Associating IDC Scripts with Hotkeys

execution of, IDA Scripting

for debugger, Watches

IDAPython, IDAPython

IDAPython examples, IDAPython Scripting Examples

IDC examples, Database Search Functions, Database Search Functions, Enumerating Functions, Enumerating Instructions, Enumerating Exported Functions, Enumerating Exported Functions, Emulating Assembly Language Behavior

emulating assembly language behavior, Emulating Assembly Language Behavior
enumerating cross-references, Enumerating Instructions
enumerating exported functions, Enumerating Exported Functions
enumerating functions, Database Search Functions
enumerating instructions, Enumerating Functions
finding and labeling function arguments, Enumerating Exported Functions

IDC functions, Associating IDC Scripts with Hotkeys, Useful IDC Functions, Functions for Reading and Modifying Data, User Interaction Functions, User Interaction Functions, Manipulating Database Names, Manipulating Database Names, Code Cross-Reference Functions, Data Cross-Reference Functions, Data Cross-Reference Functions, Database Manipulation Functions, Database Search Functions

code cross-reference, Code Cross-Reference Functions
data cross-reference, Data Cross-Reference Functions
database manipulation, Data Cross-Reference Functions
database search, Database Manipulation Functions
dealing with functions, Manipulating Database Names
disassembly line components, Database Search Functions
file input/output, User Interaction Functions
for user interaction, Functions for Reading and Modifying Data
manipulating database names, Manipulating Database Names
reading and modifying data, Useful IDC Functions
string-manipulation, User Interaction Functions

IDC language, Basic Script Execution, IDC Variables, IDC Variables, IDC Statements, IDC Statements, IDC Functions, IDC Objects, IDC Programs, Error Handling in IDC

error handling in, IDC Programs
expressions, IDC Variables
functions, IDC Statements
objects, IDC Functions
persistent data storage in, Error Handling in IDC
programs, IDC Objects
statements, IDC Statements
variables, IDC Variables

loaders, Writing a Scripted Loader

plug-ins, Scripted Plug-ins

processor modules, Scripting a Processor Module

using during remote debugging, Attaching to a Remote Process

scripting functions, Hex-Rays, Scripting Debugger Actions

SDK (software development kit), Reporting Bugs, The IDA Software Development Kit, SDK Introduction, SDK Introduction, SDK Layout, SDK Layout, SDK Layout, SDK Layout, SDK Layout, SDK Layout, SDK Layout, SDK Layout, SDK Layout, Configuring a Build Environment, The IDA Application Programming Interface, Netnodes, Useful SDK Datatypes, Commonly Used SDK Functions, Iteration Techniques Using the IDA API, IDA Loader Modules, Writing a Processor Module Using the SDK, Writing a Processor Module Using the SDK, The processor_t Struct, Basic Initialization of the LPH Structure, The Analyzer, The Emulator, Processor Notifications, Processor Notifications, IDC/SDK Cross-Reference, IDC/SDK Cross-Reference, IDC/SDK Cross-Reference

API (Application Programming Interface), SDK Layout, The IDA Application Programming Interface, Netnodes, Useful SDK Datatypes, Commonly Used SDK Functions, Iteration Techniques Using the IDA API

header files, The IDA Application Programming Interface
iteration techniques using, Iteration Techniques Using the IDA API
netnodes, Netnodes
SDK datatypes, Useful SDK Datatypes
SDK functions, Commonly Used SDK Functions

configuring build environment, Configuring a Build Environment

creating loader modules using, IDA Loader Modules

creating processor modules using, Writing a Processor Module Using the SDK, Writing a Processor Module Using the SDK, The processor_t Struct, Basic Initialization of the LPH Structure, The Analyzer, The Emulator, Processor Notifications, Processor Notifications

analyzer, Basic Initialization of the LPH Structure
emulator, The Analyzer
initialization of LPH structure, The processor_t Struct
outputter, The Emulator
processor notifications, Processor Notifications
processor_t members, Processor Notifications
processor_t struct, Writing a Processor Module Using the SDK

directory layout, SDK Introduction, SDK Introduction, SDK Layout, SDK Layout, SDK Layout, SDK Layout, SDK Layout, SDK Layout, SDK Layout

bin directory, SDK Introduction
etc directory, SDK Layout
include directory, SDK Layout
ldr directory, SDK Layout
lib directory, SDK Layout
module directory, SDK Layout
plug-ins directory, SDK Layout
top-level directory, SDK Layout

functions, IDC/SDK Cross-Reference

IDC language cross-reference for, IDC/SDK Cross-Reference

implementation, IDC functions, IDC/SDK Cross-Reference

installing, SDK Layout

support, Hex-Rays, Reporting Bugs

sdk directory, IDA Support Resources

sdk_versions.h file, Header Files Overview

search features, Search menu, Jump to Address

search.hpp, for API, Header Files Overview

SEARCH_DOWN flag, Database Search Functions

second-generation languages, Disassembly Theory

section:address portion, Code Display Options

SectionAlignment field, Manually Loading a Windows PE File

SectionAlignment value, Manually Loading a Windows PE File

SecureCRT, Linux Console Specifics

segend function, Processor Notifications

Segment Configuration dialog, Basic x86emu Operation

segment-creation dialog, Manually Loading a Windows PE File

segment.hpp file, Header Files Overview, Structure Manipulation, Manually Loading a Windows PE File

segmented addresses, Code Cross-References

Segments button, x86emu Emulator dialog, Basic x86emu Operation

Segments window, The Names Window, IDA Databases and the IDA Debugger

segment_t (segment.hpp), datatypes for SDK, Header Files Overview, Useful SDK Datatypes

segstart function, Processor Notifications

SEH (structured exception handling) process, x86emu and Anti-debugging, Dealing with Exceptions, Dealing with Exceptions, Dealing with Exceptions

Chain plug-in, Dealing with Exceptions
exceptions, Windows, Dealing with Exceptions
handlers, Dealing with Exceptions

Select a debugger dialog, Launching the Debugger

Select Command dialog, CollabREate, collabREate

Select Debugger option, Debugger menu, Launching the Debugger, Simple Decryption and Decompression Loops

SELinux, IDA and SELinux

semaphore, Dynamically Computed Target Addresses

; (semicolon) hotkey, Commenting in IDA

semicolon (;) hotkey, Commenting in IDA

semicolon prefix, used for IDA comments, Commenting in IDA

Sequence of Bytes option, Text Searches, Locating Instruction Sequences

sequential flow instructions, Sequential Flow Instructions

Set Breakpoint option, Basic x86emu Operation

Set Function Type command, Datatypes and Data Structures, Appcall

Set Import Address Save Point option, Emulator-Assisted De-obfuscation

Set Match dialog, After-the-Fact Vulnerability Discovery with IDA, After-the-Fact Vulnerability Discovery with IDA, After-the-Fact Vulnerability Discovery with IDA

PatchDiff2, After-the-Fact Vulnerability Discovery with IDA
Propagate option, After-the-Fact Vulnerability Discovery with IDA

Set Match feature, PatchDiff2, After-the-Fact Vulnerability Discovery with IDA

Set Match option, After-the-Fact Vulnerability Discovery with IDA

Set Memory button, x86emu Emulator dialog, Basic x86emu Operation

Set Memory Values dialog, Basic x86emu Operation

Set node color to default option, IDA’s Integrated Graph View

Set specific options button, Using a Hex-Rays Debugging Server

Set Video Mode menu option, Window menu, Common Features of Console Mode

SetArrayLong function, Data Storage in Netnodes

SetArrayString function, Data Storage in Netnodes

SetBptAttr function, Scripting Debugger Actions

SetBptCnd function, Scripting Debugger Actions, Import Table Reconstruction

SetRegValuefunction, Scripting Debugger Actions

setting function type, Datatypes and Data Structures

Setup Data Types dialog, Options menu, Basic Data Transformations, Editing Structure Members

Setup long names button, Name Mangling

Setup option, Strings window, Script-Oriented De-obfuscation

Setup short names button, Name Mangling

Setup Strings window, The Strings Window

set_idc_func_ex function, Configuring Plug-ins

set_idp_options function, Processor Notifications

set_name function, Manipulating Database Names

set_processor_type function, Processor Module Architecture

set_reg_val function, Automating Debugger Actions with IDA Plug-ins

set_segm_addressing function, The Simpleton Loader

shared library, Launching the Debugger

sharing TIL files, Loading New TIL Files

shell script (#!/bin/sh), Classification Tools

shellcode, Disassemblers, Finding Useful Virtual Addresses

shift-down arrow, IDA-Generated ASM Files

shift-up arrow, IDA-Generated ASM Files

Shiva ELF obfuscation tool, Preventing Debugging

Shiva process, Preventing Debugging

Shiva program, Obfuscated Code Analysis, Disassembly Desynchronization, Opcode Obfuscation

shnames data member, Processor Notifications

SHOW_SP option, Configuration Files

show_wait_box function, Plug-in Execution

SHOW_XREFS option, Configuration Files

shr instruction, Script-Oriented De-obfuscation

shrd instruction, Script-Oriented De-obfuscation

Shrink Struct Type option, Edit menu, Editing Structure Members

sidt instruction, Detecting Virtualization

Siemens C166 microcontroller application, Unknown File Analysis

sig directory, The IDA Directory Layout

sigmake documentation file, Creating Pattern Files

sigmake.exe utility, FLAIR, Creating Pattern Files

sigmake.txt file, Creating Signature Files

signature selection dialog, Applying FLIRT Signatures

signature selection, FLIRT, Applying FLIRT Signatures

signatures, The IDA Directory Layout, The Names Window, Augmenting Function Information, Augmenting Function Information

function type, Augmenting Function Information
generating, The IDA Directory Layout
Signatures Window, The Names Window

Signatures window, The Names Window

Signed elements option, Specifying Arrays

signed shifts, Script-Oriented De-obfuscation

simple arithmetic instructions, Sequential Flow Instructions

Simpleton file format, Writing a Scripted Loader

simpleton loader, The Simpleton Loader

simplex method, Augmenting Function Information

Simplified Wrapper Interface Generator (SWIG), IDAPython, IDAPython

Sirmabus, RTTI Implementations, collabREate

size field, The Analyzer

size parameter, Structure Manipulation

SizeOfRawData field, Manually Loading a Windows PE File

sizer function, Plug-in User Interface Options

sizer parameter, Plug-in User Interface Options

Skip button, x86emu Emulator dialog, Basic x86emu Operation

Skochinsky, Igor, Inheritance Relationships, Jump Tables and Switch Statements, Class Informer

slice operator, IDC Expressions

sockaddr data structure, The Imports Window

socket descriptor, Stack Frame Breakdown

SoftIce, Detecting Debuggers

software breakpoints, Preventing Debugging, Breakpoints, Debugging Obfuscated Code, Launching the Process

software development kit. See SDK, Vulnerability Analysis

software interoperability, reasons for disassembly, Vulnerability Analysis

Solaris 10 x86 system, Identifying and Acquiring Static Libraries

solid arrows, IDA Text View

Sony PlayStation PSX libraries, Creating Pattern Files

sorting alphabetically, in Functions window, Jump to Address

source code recovery, The What of Disassembly

SPARC code, Processor Module Architecture

sparse arrays, Persistent Data Storage in IDC

splash screen, Launching IDA

sprintf function, User Interaction Functions, Enumerating Cross-References, Discovering New Vulnerabilities with IDA

ssleay32.dll library, Creating IDS Files

SSLEAY32.idt file, Creating IDS Files

stack adjustments, Stack Pointer Adjustments

stack cleanup, Augmenting Function Information

stack frames, Navigation History, Stack Frames, Other Calling Conventions, Other Calling Conventions, Stack Frame Examples, Editing Structure Members

as IDA structures, Editing Structure Members
calling conventions for, Stack Frames
examples of, Other Calling Conventions
local variable layout in, Other Calling Conventions
viewing, Stack Frame Examples

Stack pointer option, Code Display Options

stack pointers, adjustments for, Function Attributes

Stack Trace command, Debugger menu, Tracing

stack traces, in debugger, Tracing

stack variables, IDA Stack Views, Names and Naming

Stack View window, Basic Debugger Displays

stack-allocated arrays, Stack-Allocated Arrays

stack-allocated structures, Stack-Allocated Structures, Using Structure Templates

stack-based buffer overflow, IDA and the Exploit-Development Process

stack-manipulation operations, Sequential Flow Instructions

standard calling convention, The C Calling Convention

standard structures, Parsing C Header Files

standard template library (STL), After-the-Fact Vulnerability Discovery with IDA

Start address attribute, Function Attributes

start function, Applying FLIRT Signatures, Opcode Obfuscation

Start Process option, Debugger menu, Launching the Debugger, Launching the Debugger

start symbol, Launching the Process

STARTITEM directives, Creating Customized Forms with the SDK

startup directory, FLAIR, Creating FLIRT Signature Files, Creating Signature Files

startup routine, Startup Signatures

startup signatures, Startup Signatures

startup.bat file, Creating Signature Files

startup.idc, Bochs PE Mode

statements, in IDC language, IDC Statements

static analysis, of malware, The Why of Disassembly

static de-obfuscation of binaries, Preventing Debugging, Static De-obfuscation of Binaries Using IDA, Script-Oriented De-obfuscation, x86emu Initialization, Basic x86emu Operation, Basic x86emu Operation, Emulator-Assisted De-obfuscation, x86emu and Anti-debugging

script-oriented, Static De-obfuscation of Binaries Using IDA

x86emu emulation-oriented, Script-Oriented De-obfuscation, x86emu Initialization, Basic x86emu Operation, Basic x86emu Operation, Emulator-Assisted De-obfuscation, x86emu and Anti-debugging

and anti-debugging, x86emu and Anti-debugging
de-obfuscation using, Basic x86emu Operation
features of, Emulator-Assisted De-obfuscation
initialization of, x86emu Initialization
operation of, Basic x86emu Operation

Static func attribute, Function Attributes

static keyword, IDC Statements

static libraries, for FLIRT signatures, Creating FLIRT Signature Files

static linking function, ldd

statically linked binaries, External Call Graphs

stats netnode, Automating Debugger Actions with IDA Plug-ins

stdcall calling convention, The C Calling Convention, Function Attributes, Augmenting Function Information, Header Files Overview, Emulator-Assisted De-obfuscation

stdcall functions, Function Attributes, Augmenting Function Information, Basic x86emu Operation, Emulator-Assisted De-obfuscation, Hiding the Debugger

Step button, x86emu Emulator dialog, Basic x86emu Operation

Step command, Basic Debugger Displays

Step Into button, toolbar buttons, Process Control

Step Over button, toolbar buttons, Process Control

StepInto function, Scripting Debugger Actions

StepOver function, Scripting Debugger Actions

StepUntilRet function, Scripting Debugger Actions

STL (standard template library), After-the-Fact Vulnerability Discovery with IDA

Stop on debugging message option, Debugger Setup dialog, Launching the Process

Stop on debugging start option, Debugger Setup dialog, Launching the Process

Stop on library load/unload option, Debugger Setup dialog, Launching the Process

Stop on process entry point option, Debugger Setup dialog, Launching the Process

Stop on thread start/exit option, Debugger Setup dialog, Launching the Process

STOP_CODE constant, Basic Initialization of the LPH Structure

storage, of bytes, IDA Stack Views

Store (Pack database) option, Closing IDA Databases

store_til function, A pcap Loader for IDA

stosb instruction, Script-Oriented De-obfuscation

strcat function, IDC Variables

strcpy function, Cross-Reference Lists, IDC Variables, Enumerating Cross-References, Discovering New Vulnerabilities with IDA, Discovering New Vulnerabilities with IDA

strdup function, IDC Variables

stream argument, Stack Frame Breakdown

stream disassemblers, Disassemblers

string data configuration, The Strings Window, Working with Strings

string scanning, The Strings Window

strings, strings, strings, The Enums Window, The Enums Window, Binary Searches, Specifying Data Sizes, Specifying Data Sizes, Working with Strings

C-style null-terminated, Working with Strings
displaying in Strings windows, The Enums Window
double-clicking, The Enums Window
options for, Specifying Data Sizes
Unicode, Binary Searches
using on executable files, strings
utility, strings

strings command, The Strings Window, Library Recognition Using FLIRT Signatures

strings utility, Imported Function Obfuscation

Strings window, The Enums Window, The Strings Window, The Strings Window, The Strings Window

Display only defined strings option, The Strings Window
Ignore instructions/data definitions option, The Strings Window
overview, The Enums Window

strip utility, file

stripping binary executable files, file

strlen function, User Interaction Functions

strstr function, User Interaction Functions

Struct Var option, Edit menu, Using Structure Templates

struct.hpp (struc_t), datatypes for SDK, Useful SDK Datatypes

struct.hpp, for API, Header Files Overview

structure definition, Creating a New Structure (or Union), Editing Structure Members, Stack Frames as Specialized Structures

collapsed, Editing Structure Members
empty, Creating a New Structure (or Union)

structure members, enumerating, Enumerating Structure Members

Structure name field, Create Structure/Union dialog, Creating a New Structure (or Union)

structure notation, Using Structure Templates

structure offset, applying, Using Structure Templates

structure selection dialog, Using Structure Templates

structure templates, using, Editing Structure Members

structured exception handling (SEH) process, x86emu and Anti-debugging

structures, Editing Structure Members, Using Structure Templates, Using Standard Structures, Using Standard Structures, Using Standard Structures, Using Standard Structures

collapsing, Using Standard Structures
expanding, Using Standard Structures
fields, changing name of, Editing Structure Members
formatting global variables as, Using Structure Templates
master list of, Using Standard Structures

Structures window, The Structures Window, Creating a New Structure (or Union)

struc_t (struct.hpp), datatypes for SDK, Header Files Overview, Useful SDK Datatypes, Manipulating Database Names, Segment Manipulation, Enumerating Structure Members

stubs, Other processor_t Members

substr function, User Interaction Functions

successor instruction, IDA External (Third-Party) Graphing

summary stack view, IDA Stack Views

superclass constructors, Inheritance Relationships

support, IDA Support Resources, IDA Support Resources, IDA Support Resources, IDA Support Resources, IDA Support Resources, IDA Support Resources, IDA Support Resources

Hex-Rays support page and forums, IDA Support Resources
IDA Palace, IDA Support Resources
Ilfak’s blog, IDA Support Resources
official help documentation, IDA Support Resources
OpenRCE.org, IDA Support Resources
RCE forums, IDA Support Resources

supset function, Data Storage in Netnodes

supstr function, Data Storage in Netnodes

supval function, Data Storage in Netnodes

supvals, Data Storage in Netnodes

swidth component, Creating Customized Forms with the SDK

SWIG (Simplified Wrapper Interface Generator), IDAPython, IDAPython

Switch Debugger menu, Debugger menu, Launching the Debugger

switch statements, compiler differences for, Compiler Personalities

Switch Thread option, Emulate menu, x86emu and Anti-debugging

switch variable, Jump Tables and Switch Statements

symbol-selection dialog, Formatting Instruction Operands

symbols, nm, The Imports Window, Cross-Reference Lists, Cross-Reference Lists

appearing in comments, Cross-Reference Lists
dispalyed on Imports window, The Imports Window
global (external), nm

Synchronize to idb option, Parsing C Structure Declarations

synchronizing activities, using CollabREate, collabREate

synchronous debugger function, Scripting Debugger Actions

synchronous interaction, Automating Debugger Actions with IDA Plug-ins

system calls, Other Calling Conventions

T

tabs, IDA desktop, Introduction to the IDA Desktop

tags, Creating Netnodes

Take Memory Snapshot command, Debugger menu, IDA Databases and the IDA Debugger

Target assembler, IDA-Generated ASM Files

target assembly language syntax, IDA-Generated ASM Files

TASM (Borland’s Turbo Assembler), A Basic Disassembly Algorithm

TCP session, Analyzing Shellcode

TEB (thread environment block), Dynamically Computed Target Addresses, x86emu Initialization, Hiding the Debugger, Dealing with Exceptions, Bochs IDB Mode

tElock program, Dynamically Computed Target Addresses, Dynamically Computed Target Addresses, Opcode Obfuscation

Tenable Security, Windows-Only User Interface–Generation Techniques

term member, for plug-ins, Writing a Plug-in

term method, Automating Debugger Actions with IDA Plug-ins

Terminal application, Mac, Linux Console Specifics

Terminal keyboard settings dialog, Mac, OS X Console Specifics

terminal programs, Linux, Linux Console Specifics

Terminate button, toolbar buttons, Process Control

Terminate Process option, Debugger menu, Launching the Debugger

term_output_buffer function, The Outputter

text display, Linux, Linux Console Specifics

Text option, Hex window, The Hex View Window

Text Search dialog, Text Searches

text searches, of database, Text Searches

text view, switching to graph view, Custom Cross-Reference Graphs

text-mode user interface configuration file, The IDA Directory Layout

The initial autoanalysis has been finished message, Desktop Behavior During Initial Analysis, Library Recognition Using FLIRT Signatures

third-generation languages, Disassembly Theory

third-party graph viewer, IDA External (Third-Party) Graphing

this pointer, in C++, Sharing TIL Files

This type of output file is not supported message, IDA-Generated ASM Files

thiscall calling convention, The fastcall Convention for x86, Sharing TIL Files

thread environment block (TEB), Dynamically Computed Target Addresses, x86emu Initialization, Hiding the Debugger, Dealing with Exceptions, Bochs IDB Mode

thread information block (TIB), Hiding the Debugger

Thread Local Storage (TLS) callback functions, Launching the Process, Hiding the Debugger

ThreadInformationClass parameter, Hiding the Debugger

Threads view, Basic Debugger Displays

thunk functions, Locating main

ThunRTMain function, Locating main

TIB (thread information block), Hiding the Debugger

TIB[NNNNNNNN] database section, Dealing with Exceptions

til directory, The IDA Directory Layout

TIL files, IDA Database Files, Using Standard Structures, Loading New TIL Files, Loading New TIL Files

loading new, Loading New TIL Files
overview, Using Standard Structures
sharing, Loading New TIL Files

til2idb function, A pcap Loader for IDA

tilib tool, Hex-Rays, Loading New TIL Files

time stamp counter (TSC), x86emu and Anti-debugging

timelimit option, Linux Console Specifics

tips and tricks, for IDA Desktop, Desktop Behavior During Initial Analysis

Title case, Working with Strings

TLS (Thread Local Storage) callback functions, Launching the Process, Hiding the Debugger

tmainCRTStartup function, Locating main

to address, in cross-references, Cross-References and Graphing

toggling values, Basic Debugger Displays

tool tip–style pop-up window, Datatypes and Data Structures

toolbar, Reopening a Database, Introduction to the IDA Desktop, IDA Colors, Customizing IDA Toolbars, Customizing IDA Toolbars, Customizing IDA Toolbars, Basic Debugger Displays

area, IDA desktop, Reopening a Database
arrangements, Customizing IDA Toolbars
buttons, Customizing IDA Toolbars, Basic Debugger Displays
configuration menu, Customizing IDA Toolbars
customizing, IDA Colors

Toolbars command, Introduction to the IDA Desktop

tools, Classification Tools, PEiD, ldd, ldd, objdump, dumpbin, dumpbin, dumpbin, Deep Inspection Tools

c++filt utility, dumpbin
dumpbin utility, dumpbin
for deep inspection, Deep Inspection Tools
for file classification, Classification Tools
ldd utility, ldd
nm utility, PEiD
objdump utility, ldd
otool utility, objdump

Tools menu, PE Tools, PE Tools

top-level directory, for SDK, SDK Layout

TouchArg function, The Emulator

Trace buffer size option, Tracing Options dialog, Breakpoints

Trace checkbox, Breakpoint Settings dialog, Breakpoints

trace option, Breakpoints

Trace over debugger segments option, Tracing Options dialog, Tracing

Trace over library functions option, Tracing Options dialog, Tracing

trace_level parameter, Scripting Debugger Actions

Tracing Options dialog, Breakpoints

tracing, in debugger, Breakpoints

trampoline, Locating Instruction Sequences

translate function, Processor Notifications

TriMedia libraries, Creating Pattern Files

TSC (time stamp counter), x86emu and Anti-debugging

TTY console, Using IDA’s Batch Mode

Turbodiff, After-the-Fact Vulnerability Discovery with IDA

turn color off tag, The Outputter

turn color on tag, The Outputter

TVHEADLESS environment variable, Using IDA’s Batch Mode

TVision library, Console Mode IDA

TVision port, Linux Console Specifics

TVOPT settings, Linux Console Specifics

tvtuning.txt, Linux Console Specifics

two-digit hex values, Binary Searches

type component, Creating Customized Forms with the SDK

type field, Useful SDK Datatypes, Creating Customized Forms with the SDK, The Analyzer

Type Libraries window, The Signatures Window

typedef statement, Parsing C Header Files

TypeDescriptor structure, Runtime Type Identification

typeid operator, Name Mangling

typeinf.hpp, Header Files Overview

typinf.hpp, A pcap Loader for IDA

U

U hotkey, Stack Pointer Adjustments, Editing Structure Members

ua.hpp file, Header Files Overview, Basic Initialization of the LPH Structure

ua_next_xxx functions, The Analyzer

ui_notification_t constants, Basic Database Access

uname command, Building Your Plug-ins

uncollapsing nodes, IDA’s Integrated Graph View

uncompressing UPX binary, using emulator, Emulator-Assisted De-obfuscation

unconditional branching instructions, Recursive Descent Disassembly

Undefine option, Stack Pointer Adjustments, Disassembly Desynchronization

undefine process, Disassembly Desynchronization

undefining functions, Stack Pointer Adjustments

undetected string data, The Strings Window

undo command, absence of, IDA Data Displays

undo feature, Thoughts on IDA’s User Interface

undocumented CPU instructions, Code Display Options

Ungroup Nodes option, IDA’s Integrated Graph View

Unicode strings option, The Strings Window, Binary Searches, Imported Function Obfuscation

universal unpacker, Hex-Rays, Simple Decryption and Decompression Loops

Unix-style make files, Configuring a Build Environment

Unmatched Functions, PatchDiff2, After-the-Fact Vulnerability Discovery with IDA

unsigned shifts, Script-Oriented De-obfuscation

untar archive, Windows Installation

upgrading, Upgrading IDA

uppercase letter codes, nm

UPX, Opcode Obfuscation, Opcode Obfuscation, Opcode Obfuscation, Simple Decryption and Decompression Loops, Simple Decryption and Decompression Loops, Simple Decryption and Decompression Loops, Import Table Reconstruction

decompression routine, Simple Decryption and Decompression Loops
decompression stub, Opcode Obfuscation
packer, Opcode Obfuscation
program, Opcode Obfuscation, Simple Decryption and Decompression Loops, Import Table Reconstruction

UPX-packed binaries, Disassembler/Debugger Integration

Use graph view by default checkbox, Graph tab, Introduction to the IDA Desktop

Use option key as meta key checkbox, Terminal application, Linux Console Specifics

Use “dup” construct option, Specifying Arrays

User cross-reference graph dialog, Custom Cross-Reference Graphs

user interface, The IDA Directory Layout, The IDA Directory Layout, Extending IDC, Plug-in User Interface Options, Using the SDK’s Chooser Dialogs, Creating Customized Forms with the SDK, Windows-Only User Interface–Generation Techniques

for plug-ins, Extending IDC, Plug-in User Interface Options, Using the SDK’s Chooser Dialogs, Creating Customized Forms with the SDK, Windows-Only User Interface–Generation Techniques

customized forms with SDK, Using the SDK’s Chooser Dialogs
using SDK chooser dialogs, Plug-in User Interface Options
Windows-only, Creating Customized Forms with the SDK
with Qt, Windows-Only User Interface–Generation Techniques

of IDA Pro, The IDA Directory Layout

user interface notifications, Plug-in Initialization

User xref charts, Custom Cross-Reference Graphs

User xref graph, Custom Cross-Reference Graphs

User Xrefs Chart option, Graphs menu, Custom Cross-Reference Graphs

user-generated cross-reference graphs, Custom Cross-Reference Graphs

USE_DANGEROUS_FUNCTIONS macro, The IDA Application Programming Interface

USE_STANDARD_FILE_FUNCTIONS macro, Header Files Overview, The Simpleton Loader

utilities directory, IDA Support Resources

u_ana member, Basic Initialization of the LPH Structure

u_emu member, The Emulator

u_out member, The Emulator

u_outspec function, Processor Notifications

V

variables, IDA Stack Views, Globally Allocated Arrays, The IDC Language, IDC Variables

in IDC language, The IDC Language
index values of, Globally Allocated Arrays
names, IDA-generated, IDA Stack Views

var_ prefix, IDA Stack Views

va_arg macro, C++, Event Notification

vc32rtf signatures, The Signatures Window

vcsample file, SDK Layout

Veracode, Vulnerability Analysis

version field, Writing a Plug-in, Basic Initialization of the LPH Structure

version member, Writing an IDA Loader Using the SDK

versions, Obtaining IDA Pro

vertices, IDA Graph View, Cross-References and Graphing

VGA font, Linux Console Specifics

View menu, x86emu and Anti-debugging, Discovering New Vulnerabilities with IDA, Discovering New Vulnerabilities with IDA, Real-World IDA Plug-ins

Cross References option, Discovering New Vulnerabilities with IDA
Enumerate Heap option, x86emu and Anti-debugging
Pseudocode option, Real-World IDA Plug-ins

View window, Watches

viewing machine language bytes, Code Display Options

virtual addresses, IDA Text View

virtual functions, The this Pointer, Data Cross-References

virtual machine-based obfuscation, x86emu and Anti-debugging

virtual repeatable comment, Repeatable Comments

VirtualAddress field, Manually Loading a Windows PE File

VirtualAlloc function, Emulator-Assisted De-obfuscation, Discovering New Vulnerabilities with IDA, Bochs IDB Mode, Appcall

virtualization, Targeted Attacks on Analysis Tools, Targeted Attacks on Analysis Tools, Targeted Attacks on Analysis Tools, Detecting Virtualization, Detecting Virtualization, Detecting Virtualization, Detecting Virtualization

detecting, Targeted Attacks on Analysis Tools, Detecting Virtualization, Detecting Virtualization, Detecting Virtualization, Detecting Virtualization

processor-specific behavioral changes, Detecting Virtualization
specific behaviors, Detecting Virtualization
specific hardware, Detecting Virtualization
specific software, Detecting Virtualization

software, Targeted Attacks on Analysis Tools

virtualizing obfuscator, Opcode Obfuscation

Visual C++ compiler, Microsoft, Creating New Functions

Visual Studio suite, Microsoft, dumpbin

Visual Studio Win32 Application Wizard, Building Your Plug-ins

VMProtect, Opcode Obfuscation, x86emu and Anti-debugging

VMware Tools collection, Detecting Virtualization

VPAGESIZE option, Configuration Files

vtables, in C++, The this Pointer

vulnerability advisory, After-the-Fact Vulnerability Discovery with IDA

vulnerability analysis, The Why of Disassembly, Vulnerability Analysis, Vulnerability Analysis, Discovering New Vulnerabilities with IDA, IDA and the Exploit-Development Process, IDA and the Exploit-Development Process, Stack Frame Breakdown, Locating Instruction Sequences, Finding Useful Virtual Addresses

analyzing shellcode, Finding Useful Virtual Addresses

discovering vulnerabilities, Vulnerability Analysis

exploit-development process, IDA and the Exploit-Development Process, IDA and the Exploit-Development Process, Stack Frame Breakdown, Locating Instruction Sequences

finding useful virtual addresses, Locating Instruction Sequences
locating instruction sequences, Stack Frame Breakdown
stack frame breakdown, IDA and the Exploit-Development Process

handling after-fact discoveries, Discovering New Vulnerabilities with IDA

reasons for disassembly, The Why of Disassembly

vulnerability discovery, Vulnerability Analysis

W

w suffix, Data Cross-References, Imported Function Obfuscation

Wait For Next Event (WFNE) flags, Scripting Debugger Actions

wait_for_next_event function, Automating Debugger Actions with IDA Plug-ins

wanted_hotkey data member, Writing a Plug-in, Installing Plug-ins

wanted_hotkey value, Writing a Plug-in

wanted_name data member, Writing a Plug-in, Installing Plug-ins

Warning function, Functions for Reading and Modifying Data, Enumerating Instructions

warning function, Basic Database Access

warnings, for loaders, IDA Database Files

wasBreak function, Plug-in Execution

Watch Address dialog, Watches

Watch List option, Debugger menu, Watches

watch lists, Watches

watch points, Watches

watches, in debugger, Stack Traces

Weak name option, for named locations, Named Locations

weak symbol, marking, Named Locations

web server, Apache, ldd

Welcome dialog, Launching IDA

WFNE (Wait For Next Event) flags, Scripting Debugger Actions

WFNE_CONT flag, Scripting Debugger Actions

WFNE_SUSP event type, Scripting Debugger Actions

Whittaker, Andy, Unknown File Analysis

width characters, The Outputter

width component, Creating Customized Forms with the SDK

Width field, Working with Strings

widths parameter, Using the SDK’s Chooser Dialogs

wildcards, The GUI Configuration File: idagui.cfg

Win32 Application Wizard, Visual Studio, Building Your Plug-ins

Win32 Project template, Building Your Plug-ins

win32_remote.exe server component, Remote Debugging with IDA

win64_remotex64.exe server component, Remote Debugging with IDA

wince_remote_arm.dll server component, Remote Debugging with IDA

Windows, IDA Support Resources, IDA Support Resources, Common Features of Console Mode, Windows Console Specifics

console mode for, Common Features of Console Mode
installing on, IDA Support Resources
launching installer, IDA Support Resources

Windows Asynchronous Sockets techniques, collabREate

Windows calculator program, dumpbin

Windows CE ARM, Launching the Debugger

Windows library handle, Emulator-Assisted De-obfuscation

Windows menu, Save Desktop option, Basic Debugger Displays

Windows PE binaries, ida-x86emu plug-in, x86emu Initialization

Windows PE file, manually loading, Unknown File Analysis

Windows PE loader (pe.ldw), Launching IDA

Windows registry key, Launching IDA

Windows SEH exceptions, Dealing with Exceptions

Windows SEH handlers, Dealing with Exceptions

wingraph32 application, Function Calls

WinGraph32 window, External Call Graphs

WinHelp-style help files, The GUI Configuration File: idagui.cfg

wininet.dll file, Launching the Debugger

WinLicense, Opcode Obfuscation, Imported Function Obfuscation

WinMain function, Locating main

WinMain variation, Locating main

Wireshark, A pcap Loader for IDA, Detecting Instrumentation, Analyzing Shellcode

Word function, Useful IDC Functions

word-patching capability, Changing a Word in the Database

word. See 1 byte of storage (db), Useful IDC Functions

wrapper code, External Call Graphs

write cross-references, Data Cross-References

write traces, Tracing

write4 capability, IDA and the Exploit-Development Process

writelong function, File Input/Output Functions

writeshort function, File Input/Output Functions

writestr function, File Input/Output Functions

ws2_32 networking library, Import Table Reconstruction

X

X Windows consoles, Linux Console Specifics

X.25-style network connection, Formatting Instruction Operands

X11, installing, OS X Console Specifics

x86 code, Processor Module Architecture

x86 compiler, The Standard Calling Convention

x86 hardware-debug registers, x86emu and Anti-debugging

x86 instruction, The GUI Configuration File: idagui.cfg

x86 processor module, Using the Binary File Loader

x86emu breakpoints, Basic x86emu Operation

x86emu Emulator dialog, Basic x86emu Operation, Basic x86emu Operation, Basic x86emu Operation, Basic x86emu Operation, Basic x86emu Operation, Basic x86emu Operation, Basic x86emu Operation, Basic x86emu Operation, Basic x86emu Operation, Emulator-Assisted De-obfuscation

Jump To Cursor button, Basic x86emu Operation
Push Data button, Basic x86emu Operation
Run button, Basic x86emu Operation
Run To Cursor button, Basic x86emu Operation, Emulator-Assisted De-obfuscation
Segments button, Basic x86emu Operation
Set Memory button, Basic x86emu Operation
Skip button, Basic x86emu Operation
Step button, Basic x86emu Operation

x86emu emulator, de-obfuscation of binaries using, Script-Oriented De-obfuscation, x86emu Initialization, Basic x86emu Operation, Basic x86emu Operation, Emulator-Assisted De-obfuscation, x86emu and Anti-debugging

and anti-debugging, x86emu and Anti-debugging
de-obfuscation using, Basic x86emu Operation
features of, Emulator-Assisted De-obfuscation
initialization of, x86emu Initialization
operation of, Basic x86emu Operation

x86emu library function dialog, Emulator-Assisted De-obfuscation

x86emu plug-in, Emulation-Oriented De-obfuscation

x86emu Set Memory Values dialog, Basic x86emu Operation

XML templates, Writing an IDA Loader Using the SDK

xmodmap command, OS X Console Specifics

xmodmap utility, OS X Console Specifics

xor instruction, Disassembly Desynchronization

xref.hpp file, Header Files Overview, Code Cross-References, The Emulator

xrefblk_t structure, Enumerating Instructions, Code Cross-References, Enumerating Cross-References

xrefs (cross-references). See cross-references, External Cross-Reference Graphs

Xrefs From graph, External Cross-Reference Graphs

Xrefs To graph, External Call Graphs

XrefsFrom generator, Enumerating Instructions

XrefType function, Functions Dealing with Functions, Enumerating Cross-References, Code Cross-References

xterm, running, Linux Console Specifics

xtol function, User Interaction Functions

XXXset function, Data Storage in Netnodes

XXXval function, Data Storage in Netnodes

Y

Y hotkey, Datatypes and Data Structures
y variable, Stack Frame Examples, IDA Stack Views
Yason, Mark Vincent, Inheritance Relationships
Yes edge arrow, IDA Graph View
You may start to explore the input file right now message, Desktop Behavior During Initial Analysis

Z

Zbikowski, Mark, Classification Tools
zoom control, keyboard, IDA Graph View
ZwContinue function, Dealing with Exceptions

Previous Chapter

B. IDC/SDK Cross-Reference

About the Author