A few weeks ago I already twittered a screenshot that showed what disassembled code looks like in IDA Pro after automatically importing function information from MSDN. Today, I have finally managed to upload our IDA Pro script, ida-msdn, to the zynamics GitHub account. If you are analyzing Windows executable files in IDA Pro you can now benefit from automated API calls documentation.
kernel32.dll after importing function information from MSDN There is a slight problem, however. Since we can not distribute the MSDN documentation ourselves for legal reasons, you need to have your own local installation of the MSDN. Furthermore, the import process is divided into two parts.
At first you have to parse your local MSDN documentation into an XML file. This can be done with msdn-crawler, another open source zynamics project. msdn-crawler parses your locally installed Windows API documentation files from the MSDN and generates an XML file that contains information about Windows API functions (description, argument names and descriptions, and return values). In this first version, msdn-crawler finds 33984 Windows API functions in the MSDN and generates an XML file that contains more than 30 MB of function information. To see a brief example of what the XML file looks like, please check the readme.txt file on GitHub.
Once you have generated the msdn.xml file with msdn-parser you can use ida-msdn to import Windows API documentation into arbitrary IDB files. ida-msdn does two things: First, ida-msdn tries to match imported functions found in the IDB file to function information from the XML file. When information about an imported function is found, the information is imported from the XML file into the IDB file. Second, ida-msdn tries to find out if you are actually working on a DLL file (like shell32.dll or user32.dll) that exports Windows API functions. In that case, the exported functions recognized by ida-msdn are annotated with information from the XML file too.
Happy MSDN importing.
This entry was posted on 2010/04/30 at 09:25 and is filed under Other. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
