Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Negated structure offsets
See original GitHub issueIs your feature request related to a problem?
When code traverses a multiple linked list data structure, e.g. traversing _PEB_LDR_DATA via InInitializationOrderLinks:
typedef struct _LDR_DATA_TABLE_ENTRY
{
/* 0x0000 */ struct _LIST_ENTRY InLoadOrderLinks;
/* 0x0010 */ struct _LIST_ENTRY InMemoryOrderLinks;
/* 0x0020 */ struct _LIST_ENTRY InInitializationOrderLinks;
/* 0x0030 */ void* DllBase;
/* 0x0038 */ void* EntryPoint;
...
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; /* size: 0x00e0 */
You get pointers to the above structure with an offset of 0x10 (offset of InInitializationOrderLinks).
If you give this pointer the type struct _LDR_DATA_TABLE_ENTRY all the offsets are obviously wrong.
Describe the solution you’d like
IDA handles this by allowing the user to supply a struct offset, see: https://www.hexblog.com/?p=63
So you hit T on the usage of the struct and define the offset 0x10 and you get your correct types.
Describe alternatives you’ve considered
Currently I copy the old structure and create a new structure with its name prefixed by the offset _0x010 and deleting the first 2 entries in the structure.
However, this is:
- annoying
- doesn’t work when the pointer uses struct members that are before the offset and hence got removed from the struct by this work around.
Additional context
When working with linked list data structures this features is needed often.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:34
- Comments:23 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Even though I agree with all the above, IDA 7.2 actually improved it even more with shifted pointers. See https://www.hex-rays.com/products/ida/support/idadoc/1695.shtml and https://www.hex-rays.com/products/ida/7.2/index.shtml.
Basically, you can define
where:
I think having that in Ghidra too would solve all the issues above, and generically.
For everyone needing this (including me): I’m currently working on implementing shifted pointers, expect a PR in the next few days 😉