
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"


Chapter 12: Passive Analysis
Figure 12-4 IDA stack frame prior to type consolidation
Figure 12-5 IDA stack frame after type consolidation
Once a structure type has been applied to a block of data, disassembly references
within the block can be displayed using structure offset names, rather than more cryptic
numeric offsets. Figure 12-7 is a portion of a disassembly that makes use of IDA's structure
declaration capability. The local variable sa has been declared as a sockaddr_in
struct, and the local variable hostent represents a pointer to a hostent structure.

NOTE The sockaddr_in and hostent data structures are used frequently in
C/C++ for network programming. A sockaddr_in describes an Internet
address, including host IP and port information. A hostent data structure is
used to return the results of a DNS lookup to a C/C++ program.

Disassemblies are made more readable when structure names are used rather than register
plus offset syntax. For comparison, the operand at location 0804A2C8 has been left
unaltered, while the same operand reference at location 0804A298 has been converted to
the structure offset style and is clearly more readable as a field within a hostent struct.
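
The following added example (not from the book) shows the offset-to-field mapping that structure offset display relies on, for both structures named in the NOTE. The 32-bit layouts, the `name_operand` helper, the output formatting and the sample operands are assumptions constructed for illustration; they are not taken from Figure 12-7.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed ILP32 (32-bit x86 Linux) layouts: pointers are held as uint32_t so
   the offsets match a 32-bit target even when this builds on a 64-bit host. */
struct hostent32 {
    uint32_t h_name, h_aliases;   /* char *, char ** */
    int32_t  h_addrtype, h_length;
    uint32_t h_addr_list;         /* char ** */
};
struct sockaddr_in32 {
    uint16_t sin_family, sin_port;
    uint32_t sin_addr;            /* struct in_addr */
    uint8_t  sin_zero[8];
};

struct field { const char *name; size_t off, size; };
#define F(s, m) { #m, offsetof(struct s, m), sizeof(((struct s *)0)->m) }
static const struct field hostent_fields[] = {
    F(hostent32, h_name), F(hostent32, h_aliases), F(hostent32, h_addrtype),
    F(hostent32, h_length), F(hostent32, h_addr_list), { NULL, 0, 0 } };
static const struct field sockaddr_in_fields[] = {
    F(sockaddr_in32, sin_family), F(sockaddr_in32, sin_port),
    F(sockaddr_in32, sin_addr), F(sockaddr_in32, sin_zero), { NULL, 0, 0 } };

/* Rewrite a register+offset operand in structure offset style.
   Returns 0 on success, -1 if the offset falls outside every field. */
int name_operand(const char *reg, size_t off, const char *type,
                 const struct field *f, char *out, size_t n) {
    for (; f->name; f++) {
        if (off < f->off || off >= f->off + f->size) continue;
        if (off == f->off)
            snprintf(out, n, "[%s+%s.%s]", reg, type, f->name);
        else  /* reference into the middle of a field, such as an array */
            snprintf(out, n, "[%s+%s.%s+%zu]", reg, type, f->name, off - f->off);
        return 0;
    }
    snprintf(out, n, "[%s+%zXh]", reg, off);  /* keep the numeric form */
    return -1;
}

int main(void) {
    char buf[64];  /* constructed sample operands, not from the figure */
    name_operand("eax", 0x10, "hostent", hostent_fields, buf, sizeof buf);
    puts(buf);
    name_operand("ebx", 2, "sockaddr_in", sockaddr_in_fields, buf, sizeof buf);
    puts(buf);
    return 0;
}
```

An offset that matches no field is left in numeric form, which during analysis is a useful hint that the wrong structure type was applied to the data.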

