Secondary IDA Displays

In addition to the disassembly, Functions, and Output windows, IDA opens a number of other tabbed windows on your IDA desktop. These tabs are present just under the navigation band (see Figure 4-9). These windows provide alternate or specialized views into the database. The utility of these displays depends on both the characteristics of the binary you are analyzing and your skill with IDA. Several of these windows are sufficiently specialized to require more detailed coverage in later chapters.

The Hex View Window

Hex View is something of a misnomer in this case, as the IDA Hex View window can be configured to display a variety of formats and doubles as a hex editor. By default, the Hex View window provides a standard hex dump of the program content with 16 bytes per line and ASCII equivalents displayed alongside. As with the disassembly window, several hex views can be opened simultaneously. The first Hex window is titled Hex View-A, the second Hex View-B, the next Hex View-C, and so on. By default, the first Hex window is synchronized with the first disassembly window. When a disassembly view is synchronized with a hex view, scrolling in one window causes the other window to scroll to the same location (same virtual address). In addition, when an item is selected in disassembly view, the corresponding bytes are highlighted in hex view. In Figure 5-5, the disassembly view cursor is positioned at address 0040108C, a call instruction, causing the five bytes that make up the instruction to be highlighted in the Hex window.

Figure 5-5. Synchronized hex and disassembly views

Also shown in Figure 5-5 is the hex display context menu, available when you right-click anywhere within the hex display. This context menu is where you specify which disassembly view, if any, a particular hex display should synchronize with. Deselecting the synchronization option allows a Hex window to be scrolled independently of any disassembly window. Selecting the Edit menu option turns the Hex View into a hex editor. Once you are finished editing, you must either commit or cancel your changes in order to return to view mode. Committed changes modify the IDA database, not the original file on disk; the input file is untouched until you explicitly apply the database's patches to it from the Edit menu. The Data Format menu item allows you to select from a variety of display formats such as 1-, 2-, 4-, or 8-byte hexadecimal; signed decimal; or unsigned decimal integers and various floating point formats. The Columns menu option allows you to change the number of columns used in the display, and the Text option allows you to turn the text dump on and off.

In some cases you may find that the Hex window shows nothing but question marks. This is IDA’s way of telling you that it has no idea what values might occupy a given virtual address range. Such is the case when a program contains a bss[37] section, which typically occupies no space within a file but is expanded by the loader to accommodate the program’s static storage requirements.

The Exports Window

The Exports window lists the entry points into a file. These include the program’s execution entry point, as specified in its header section, along with any functions and variables that the file exports for use by other files. Exported functions are commonly found in shared libraries such as Windows DLL files. Exported entries are listed by name, virtual address, and, if applicable, by ordinal number.[38] For executable files, the Exports window always contains at least one entry: the program’s execution entry point. IDA names this entry point start. A typical Exports window entry follows:

LoadLibraryA                          7C801D77 578

As with many of the other IDA windows, double-clicking an entry in the Exports window will jump the disassembly window to the address associated with that entry. The Exports window offers functionality available in command-line tools such as objdump (-T), readelf (-s), and dumpbin (/EXPORTS).

The Imports Window

The Imports window is a counterpart to the Exports window. It lists all functions that are imported by the binary being analyzed. The Imports window is relevant only when a binary makes use of shared libraries. Statically linked binaries have no external dependencies and therefore no imports. Each entry in the Imports window lists the name of an imported item (function or data) and the name of the library that contains that item. Since the code for an imported function resides in a shared library, the addresses listed with each entry refer to the virtual address of the associated import table entry.[39] An example of an Import window entry is shown here:

0040E108  GetModuleHandleA         KERNEL32

Double-clicking this import would jump the disassembly window to address 0040E108. The contents of this memory location in hex view would be ?? ?? ?? ??. IDA is a static analysis tool, and it has no way to know what address will be entered into this memory location when the program is executed. The Imports window also offers functionality available in command-line tools such as objdump (-T), readelf (-s), and dumpbin (/IMPORTS).

An important point to remember about the Imports window is that it displays only the symbols that a binary wants handled automatically by the dynamic loader. Symbols that a binary chooses to load on its own using a mechanism such as dlopen/dlsym or LoadLibrary/GetProcAddress will not be listed in the Imports window, so a short import list is not evidence that a binary has few external dependencies. When GetProcAddress or dlsym does appear among the imports, the functions actually used have to be recovered from the arguments at each place those resolvers are called.
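As an added example (not code from the book or from IDA itself), the following IDAPython script prints the same information the Exports and Imports windows show and then applies the check just described: it flags imports that resolve further symbols at run time and lists the places that reference them, so you know where to look for the dependencies the Imports window cannot show. It assumes the IDA 7.x IDAPython API (idautils.Entries, idaapi.get_import_module_qty, idaapi.get_import_module_name, idaapi.enum_import_names, idautils.XrefsTo, idc.get_func_name); the two helpers group_imports and runtime_resolvers work on plain Python data and therefore also run outside IDA.

```python
"""Added example, not code from the book or from IDA: list the Exports and
Imports window contents, then flag run-time symbol resolution."""

# The IDA modules exist only inside IDA; outside IDA the pure helpers
# (group_imports, runtime_resolvers) still work on data you hand them.
try:
    import idaapi
    import idautils
    import idc
    IN_IDA = True
except ImportError:
    IN_IDA = False

# Imports that let a binary load libraries and look up symbols by itself;
# whatever these calls resolve never appears in the Imports window.
LIBRARY_LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
                   "GetModuleHandleA", "GetModuleHandleW", "dlopen"}
SYMBOL_LOOKUPS = {"GetProcAddress", "dlsym"}


def group_imports(imports):
    """Group (ea, name, ordinal, module) records by module, as the Imports
    window does. Imports that have no name are labelled by ordinal."""
    by_module = {}
    for ea, name, ordinal, module in imports:
        label = name if name else "ord_%d" % ordinal
        by_module.setdefault(module, []).append((ea, label))
    return by_module


def runtime_resolvers(imports):
    """Return (loaders, lookups, hides_imports): the imported library-loading
    and symbol-lookup names, and True when a lookup function is present, since
    GetProcAddress or dlsym alone reaches symbols missing from the import table
    (GetModuleHandle hands back a handle to a DLL that is already loaded)."""
    names = {name for _, name, _, _ in imports if name}
    loaders = sorted(names & LIBRARY_LOADERS)
    lookups = sorted(names & SYMBOL_LOOKUPS)
    return loaders, lookups, bool(lookups)


def collect_exports():
    """What the Exports window lists: (ordinal, address, name) per entry point."""
    return [(ordinal, ea, name) for _, ordinal, ea, name in idautils.Entries()]


def collect_imports():
    """What the Imports window lists, as (ea, name, ordinal, module); ea is the
    import table slot the loader fills in, not the function's own address."""
    records = []
    for i in range(idaapi.get_import_module_qty()):
        module = idaapi.get_import_module_name(i)

        def cb(ea, name, ordinal, module=module):
            records.append((ea, name, ordinal, module))
            return True  # keep enumerating
        idaapi.enum_import_names(i, cb)
    return records


def report():
    print("Exports:")
    for ordinal, ea, name in collect_exports():
        print("  %08X  %-28s %d" % (ea, name, ordinal))
    imports = collect_imports()
    print("Imports:")
    for module, entries in sorted(group_imports(imports).items()):
        for ea, label in entries:
            print("  %08X  %-28s %s" % (ea, label, module))
    loaders, lookups, hides = runtime_resolvers(imports)
    if hides:
        print("Run-time symbol resolution via %s; the Imports window does not "
              "show what these calls resolve. Sites to inspect:"
              % ", ".join(loaders + lookups))
        for ea, name, _, _ in imports:
            if name in LIBRARY_LOADERS or name in SYMBOL_LOOKUPS:
                # Both call-through-slot and "mov reg, ds:Name" references count.
                for xref in idautils.XrefsTo(ea, 0):
                    print("  %-18s referenced at %08X in %s"
                          % (name, xref.frm, idc.get_func_name(xref.frm)))


if IN_IDA:
    report()
```

Run it inside IDA with File ▸ Script file; the listing that follows the two tables is the starting point for tracking down the symbols the Imports window cannot show.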

The Structures Window

The Structures window is used to display the layout of any complex data structures, such as C structs or unions, that IDA determines are in use within a binary. During the analysis phase, IDA consults its extensive library of function-type signatures in an attempt to match function parameter types to memory used within the program. The Structures window shown in Figure 5-6 indicates that IDA believes the program uses the sockaddr[40] data structure.

Figure 5-6. The Structures window

There are many possible reasons why IDA may have arrived at this conclusion. One such reason might be that IDA has observed a call to the C library connect[41] function to establish a new network connection. Double-clicking the name of a data structure (sockaddr in this case) causes IDA to expand the structure, and this allows you to see the detailed layout of the structure, including individual field names and sizes.

The two primary uses for the Structures window are (1) to provide a ready reference for the layout of standard data structures and (2) to provide you with a means to create your own data structures for use as memory layout templates when you discover custom data structures within a program. Structure definition and the application of structures within disassemblies are covered in more detail in Chapter 8.
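As an added example (not code from the book or from IDA itself), the following IDAPython script does the second of these two jobs for a structure you have discovered: it computes the padded layout a compiler would produce from a list of fields, then creates the structure in the database so that it appears in the Structures window and can be applied to memory. It assumes the IDA 7.x idc API (idc.add_struc, idc.add_struc_member, idc.get_struc_id, idc.BADADDR and the idc.FF_* flags) and handles only scalar and array members, not nested structures. The sockaddr_in field list is constructed here for illustration and the structure name my_sockaddr_in is arbitrary; struct_layout is plain Python and also runs outside IDA.

```python
"""Added example, not code from the book or from IDA: compute a C struct's
padded layout, then define it in IDA's Structures window."""

try:
    import idc
    IN_IDA = True
except ImportError:
    IN_IDA = False  # outside IDA only struct_layout is usable

# Constructed field list: (name, element size in bytes, element count).
# This is sockaddr_in as laid out by MSVC and GCC on x86/x64.
SOCKADDR_IN = [("sin_family", 2, 1), ("sin_port", 2, 1),
               ("sin_addr", 4, 1), ("sin_zero", 1, 8)]


def struct_layout(fields, pack=None):
    """Return ([(offset, name, size)], total_size). Each member is aligned
    to its element size, capped by pack (the effect of #pragma pack(n)),
    and the total is rounded up to the largest member alignment, which is
    what a compiler does; getting this wrong misplaces every later field."""
    members, offset, max_align = [], 0, 1
    for name, elem, count in fields:
        align = elem if pack is None else min(elem, pack)
        offset = (offset + align - 1) // align * align
        members.append((offset, name, elem * count))
        offset += elem * count
        max_align = max(max_align, align)
    total = (offset + max_align - 1) // max_align * max_align
    return members, total


def define_struct(name, fields, pack=None):
    """Create the struct in the IDA database (visible in the Structures
    window) with members at the computed offsets; returns the struct id."""
    flags = {1: idc.FF_BYTE, 2: idc.FF_WORD, 4: idc.FF_DWORD, 8: idc.FF_QWORD}
    sid = idc.get_struc_id(name)
    if sid == idc.BADADDR:
        sid = idc.add_struc(-1, name, 0)  # -1: append; 0: struct, not union
    members, _ = struct_layout(fields, pack)
    for (offset, member, size), (_, elem, _) in zip(members, fields):
        # typeid -1: plain data of the given element size; size covers arrays.
        idc.add_struc_member(sid, member, offset, flags[elem] | idc.FF_DATA, -1, size)
    return sid


if IN_IDA:
    define_struct("my_sockaddr_in", SOCKADDR_IN)
```

After running it, the new structure can be applied to any address or stack variable like the built-in ones; compare the offsets struct_layout reports against the displacements the program actually uses before trusting a custom layout.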

The Enums Window

The Enums window is somewhat similar to the Structures window. When IDA detects the use of a standard enumerated datatype (C enum), that datatype will be listed in the Enums window. You can make your disassemblies far more readable by using enums in place of integer constants. Like the Structures window, the Enums window offers facilities for defining your own enumerated types that you can use with your disassembled binaries.



[37] A bss section is created by a compiler to house all of a program’s uninitialized, static variables. Since no initial value is assigned to these variables, there is no need to allocate space for them in the program’s file image, so the section’s size is noted in one of the program’s headers. When the program is executed, the loader allocates the required space and initializes the entire block to zero.

[38] An export ordinal number may be used in a shared library to make a function accessible by number rather than name. The use of ordinals can speed the address lookup process and allow programmers to hide the names of their functions. Export ordinals are used in Windows DLLs.

[39] An import table provides space for a loader to store addresses of imported functions once the required libraries have been loaded and the addresses of those functions are known. A single import table entry holds the address of one imported function.

[40] A sockaddr structure is a datatype from the C sockets API (POSIX sockets and Winsock) often used to represent an endpoint in a network connection. A sockaddr variable can be used to hold an IP address and port number as part of the process of establishing a TCP connection to a remote computer.

[41] int connect(int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen);
