I'll give you two solutions. The first may not be exactly what you want, depending on the situation. I can elaborate on either method if you would like.
The cheap method: Using filler arrays
If you have a large structure and there are only a few members whose purpose or size are known, it's often useful to fill in the gaps of the structure by creating temporary dummy arrays. This makes the structure definition more readable and maintainable in IDA, and it also allows you to shape the structure to a specific size without defining more members than you need to.
Let's say you have a structure which is known to be 0x400 bytes in size, and you know the definitions of the members at offsets +0x0 and +0x384. Let's also say you know that there are words at +0x4 and +0x6, but you don't know what they represent yet. Then you might define the structure to be something like this:
    00000000 MY_STRUCT       struc ; (sizeof=0x400)
    00000000 ProcessID       dd ?
    00000004 field_4         dw ?
    00000006 field_6         dw ?
    00000008 __filler1       db 892 dup(?)
    00000384 ProcessObject   dd ?
    00000388 __filler2       db 116 dup(?)
    000003FC __filler3       dd ?
    00000400 MY_STRUCT       ends
This is much more readable than it would be if I didn't have the __fillerX elements there. It's also arguably more correct, because you have no way of knowing ahead of time if all the members of the structure are actually qwords.
The reason I have __filler3 at the bottom is because if I ever want to define an element in the region of __filler2, I can wipe __filler2 (and later add new filler members in that space) without shrinking the overall size of the structure. In fact, if the size is the only thing known at the time of structure definition, defining a final element should probably be the first thing you do. Then you'll never need to figure out the sizes of the filler arrays yourself; the default array size that IDA gives you will always be correct. To do that quickly, I usually just create an array of size N-4 and tack on a dword at the end.
But I actually want 32 qwords!
I can't think of any practical situations where this would be useful, but maybe you can!
In any case, you can, in fact, do this through the IDA API. The functions you want are AddStrucEx and AddStrucMember. You should be able to get most of the information you want from the IDA help docs.
If you want a working example of an IDC script to generate structures, you can generate one yourself. Create a few structures, then go to File > Produce File > Dump typeinfo to IDC file...
Or this should also work (uses IDAPython):
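    from idc import AddStrucEx, AddStrucMember, FF_DATA, FF_QWRD

    # Create the structure, then add 32 qword members at offsets 0x0..0xF8
    sid = AddStrucEx(-1, "EXAMPLE_STRUCT", 0)
    for i in xrange(0, 256, 8):
        AddStrucMember(sid, "field_%x" % i, i, FF_DATA | FF_QWRD, -1, 8)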
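
Added example, not part of the original answer: a pure-Python version of the filler-array bookkeeping from the first method, computing the __fillerN sizes and the size-pinning final dword for a partially known structure. The names plan_layout, render and KNOWN are assumptions made for illustration, and the code runs without IDA.

```python
# Added example (no IDA required): plan __fillerN members for a partially
# known structure. All names here are hypothetical, not IDA API calls.
DIRECTIVE = {1: "db", 2: "dw", 4: "dd", 8: "dq"}

def plan_layout(total_size, known, tail_size=4):
    """known: iterable of (offset, name, size) with size a key of DIRECTIVE.
    Returns (offset, name, size, is_array) tuples covering [0, total_size)."""
    layout, cursor, n = [], 0, 0

    def filler(start, end, is_array=True):
        layout.append((start, "__filler%d" % (n + 1), end - start, is_array))
        return n + 1

    for off, name, size in sorted(known):
        if off < cursor or off + size > total_size:
            raise ValueError("%s at +0x%X overlaps or exceeds the structure"
                             % (name, off))
        if off > cursor:
            n = filler(cursor, off)          # byte array bridging the gap
        layout.append((off, name, size, False))
        cursor = off + size
    tail = total_size - tail_size
    if cursor <= tail:
        if cursor < tail:
            n = filler(cursor, tail)
        # Final scalar pins sizeof(struct) even if earlier fillers are deleted.
        n = filler(tail, total_size, is_array=False)
    elif cursor < total_size:
        n = filler(cursor, total_size)       # gap too small for a tail scalar
    return layout

def render(struct_name, total_size, known):
    """Format the planned layout like IDA's structure listing."""
    lines = ["%08X %s struc ; (sizeof=0x%X)" % (0, struct_name, total_size)]
    for off, name, size, is_array in plan_layout(total_size, known):
        decl = "db %d dup(?)" % size if is_array else "%s ?" % DIRECTIVE[size]
        lines.append("%08X %s %s" % (off, name, decl))
    lines.append("%08X %s ends" % (total_size, struct_name))
    return "\n".join(lines)

# Constructed input: the known members from the listing in the answer.
KNOWN = [(0x0, "ProcessID", 4), (0x4, "field_4", 2), (0x6, "field_6", 2),
         (0x384, "ProcessObject", 4)]

if __name__ == "__main__":
    print(render("MY_STRUCT", 0x400, KNOWN))
```

Calling plan_layout with an empty member list gives the size-only case from the answer: one array of N-4 bytes followed by a dword.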