Extracting docs from MSDN to IDA

Update: Version 1.2.1 released.

msdnGrab now handles queries for both Win32 API functions and C/C++ functions. C/C++ querying has been vastly improved and seems to work even better now. Some mistakes do still happen, but they seem quite rare so far.

Also added functionality to open the page in the browser so that the rest of the information can be viewed.

Usage:

F3: Grab docs for Win32 API function, insert as comment
Ctrl-F3: Grab docs for C/C++ function, insert as comment
Ctrl-Shift-F3: Open page in browser

Comments always welcome.

GitHub: https://github.com/eugeii/msdn-grab

When reversing, all too often I run into Windows API functions that I have to look up on MSDN to make any sense of them. I’m not sure about you, but I certainly cannot keep the Win32 API in my head.

Hence, for a long time my reversing setup, visually, has been:

  1. Left monitor: Research material (including docs, MSDN, …)
  2. Middle monitor: IDA
  3. Right monitor: VM and debugger

[Image: MSDN page]

Every time I come across a Windows API, I usually end up tossing it into Google, grabbing the MSDN page (usually the first hit, with the right search terms), and then glancing at that page. If it’s a somewhat common API, I usually go “ah, yes, I recognize you”, or if it’s something totally obscure, I’ll read the docs. Reverse enough and it’s usually the former (hopefully, at least!).

Of course, the most useful parts of MSDN for me are the short description of the function’s purpose at the top and the function definition. With those, the function usually makes sense already. If not, the parameter descriptions and the return value complete the picture. But by and large, I’m going for the description and definition.

MSDN Grab

As MSDN is extremely structured, I thought it would be useful if grabbing the information could be automated. A little IDAPython later, I came up with a small script that pulls the information from the MSDN site and inserts it as a repeatable comment on the function in question. What this means is that regardless of where you find the function (be it in a call, or at the function itself), the script will put that comment on the function itself and make it repeatable, so that everywhere that function appears, that definition will appear. Here’s the actual repeatable comment that was inserted:

[Image: IDA function with the MSDN comment inserted]

The default key-binding for the script is F3. Highlighting a function name (a valid Win32 API function) and hitting F3 will pull the docs from MSDN and insert them.

And here’s an example of a function in IDA, without and with annotation:

[Image: IDA function without and with the MSDN annotation]

Caveats!

  1. Of course, more features can be implemented, and the script can be made better in many ways. This is the base (simple) version of the script, for anybody to use/modify/enhance if they so wish.

  2. One quirk to note. Right now the script will search for the highlighted term in Google, and pull the first link from Google, and assume that it is a valid MSDN page. If it isn’t, it will grab the wrong contents. Doing that check is fairly easy, but there are so many ways to go about it that I’ll leave it to you to implement the way you like it!

  3. I feel this script works well enough that it’s useful even in its unmodified form. I am, however, not touting it as a super-polished piece of code.

  4. The correct working of the script depends on two things: Getting the correct page, and how the MSDN page is laid out. I assume that Google returns the correct page, and I do simple filtering to ensure that it is at least a page hosted on Microsoft MSDN. Also, as I mentioned, MSDN is pretty structured. Hence, once we get to the MSDN page, the extraction works – today. However, should Microsoft alter the layout, the script may break. And well, Microsoft has only recently changed the layout drastically. If and when that happens I’ll release a new version, if anybody finds it useful.
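One way to implement the check that caveats 2 and 4 leave open, as an added example rather than code from msdnGrab: accept a search hit only if its URL is on an exact-match Microsoft documentation host and its title names the queried function, and clean the text before it becomes an IDA comment. The host allowlist, the https requirement, the length cap and all function names are assumptions of this sketch; it uses only the standard library, so it runs outside IDA.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts treated as Microsoft documentation; edit to match your needs.
ALLOWED_HOSTS = {"msdn.microsoft.com", "docs.microsoft.com", "learn.microsoft.com"}

def is_trusted_doc_url(url):
    """Accept only https URLs whose host is exactly one of ALLOWED_HOSTS."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    # Reject userinfo tricks (https://msdn.microsoft.com@other.example/) and odd ports.
    if parts.username or parts.password or port not in (None, 443):
        return False
    # Exact match, so msdn.microsoft.com.other.example is rejected.
    return host.rstrip(".") in ALLOWED_HOSTS

def page_matches_query(title, func_name):
    """True if the page title names func_name as a whole identifier."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(func_name) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, title) is not None

def sanitize_comment(text, max_len=2000):
    """Drop control characters (newlines and tabs stay) and cap the length."""
    kept = "".join(ch for ch in text if ch in "\n\t" or ch.isprintable())
    return kept[:max_len]

def accept_result(url, title, func_name):
    """Gate to run before any fetched text is written into the database."""
    return is_trusted_doc_url(url) and page_matches_query(title, func_name)

if __name__ == "__main__":
    # Constructed sample search results: (url, page title), queried for CreateFile.
    samples = [
        ("https://msdn.microsoft.com/en-us/library/example.aspx", "CreateFile function (Windows)"),
        ("https://msdn.microsoft.com.docs.example/CreateFile", "CreateFile function"),
        ("https://msdn.microsoft.com/en-us/library/example2.aspx", "CreateFile2 function"),
    ]
    for url, title in samples:
        print(accept_result(url, title, "CreateFile"), url)
```

The whole-identifier match is what keeps a query for CreateFile from silently picking up the CreateFile2 page, which is the kind of wrong-content grab caveat 2 describes.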

GitHub: https://github.com/eugeii/msdn-grab