Igor’s Tip of the Week #161: Extracting substructures

As covered before, the action “Create struct from selection” can be used to quickly create structures from existing data items. 

However, Disassembly view not the only place where it can be used. For example, let’s imagine you’ve created a structure to represent some context used by the binary being analyzed:

00000000 Context         struc ; (sizeof=0x1C)
00000000 version         dd ?
00000004 pid             dd ?
00000008 tid             dd ?
0000000C listhead        dd ?                    ; offset
00000010 listtail        dd ?                    ; offset …

action binary context data disassembly malware analysis quickly structure week