(Ida Pro) Find out which functions use the import symbol

reverse-engineering ida
Kachinsky picture Kachinsky · Oct 14, 2013 · Viewed 11.6k times · Source

I am new to Ida and I need to use it to identify which functions within the executable call one of these. I am trying to find a way a packet is encrypted as a security exercise. Lets say I want to look at the imports window and see these, does that mean that those are the only functions referenced in the executable? How can I find where sendto is referenced? I tried to search it by name but the search takes forever and does not seem to find anything.

Address Ordinal Name Library
------- ------- ---- -------
0109150C 111 imp_WSAGetLastError WS2_32
01091524 101 __imp_WSAAsyncSelect WS2_32
0109157C freeaddrinfo WS2_32
01091578 getaddrinfo WS2_32
01091548 57 __imp_gethostname WS2_32
01091518 52 __imp_gethostbyname WS2_32
01091530 23 __imp_socket WS2_32
01091528 21 __imp_setsockopt WS2_32
01091554 20 sendto WS2_32
0109154C 19 __imp_send WS2_32
01091574 18 __imp_select WS2_32
01091558 17 recvfrom WS2_32
01091550 16 __imp_recv WS2_32
01091508 15 __imp_ntohs WS2_32
01091514 14 ntohl WS2_32
01091540 13 __imp_listen WS2_32
0109151C 12 __imp_inet_ntoa WS2_32
01091520 11 __imp_inet_addr WS2_32
01091580 10 __imp_ioctlsocket WS2_32
01091568 115 __imp_WSAStartup WS2_32
01091538 9 __imp_htons WS2_32
01091534 3 __imp_closesocket WS2_32
0109152C WSAIoctl WS2_32
01091510 8 htonl WS2_32
01091570 151 __imp_WSAFDIsSet WS2_32
0109155C 7 getsockopt WS2_32
0109153C 2 __imp_bind WS2_32
01091564 6 getsockname WS2_32
01091560 5 getpeername WS2_32
01091544 1 __imp_accept WS2_32
01091584 4 __imp_connect WS2_32
0109156C 116 __imp_WSACleanup WS2_32

Answer

user1129665 picture user1129665 · Oct 14, 2013

If you want to find where the imported function is used, I have in the Import view this MessageBoxA function:

00406160  MessageBoxA USER32

double click on it, it will gets you to the IDA View and you will see something like:

.idata:00406160 ; int __stdcall MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
.idata:00406160                 extrn __imp_MessageBoxA:dword ; DATA XREF: MessageBoxA^r

click on the function name, MessageBoxA, it will becomes yellow, then click X on the keyboard or right click on the function and then choose Jump to xref to operand .... You will go to where the function is used or you will see dialog box if it's called from more than one place.

Related questions

IDA pro asm instructions change

I just want to know how I can change asm instructions in the IDA-view A: How to edit instructions(for instance: jnz to jmp)? How to insert new instructions(call func1, call func2 inserted to existing code)? I know how …

Read More
How can I find the data structure that represents mine layout of Minesweeper in memory?

I'm trying to learn about reverse engineering, using Minesweeper as a sample application. I've found this MSDN article on a simple WinDbg command that reveals all the mines but it is old, is not explained in any detail and really …

Read More
How does one change an instruction with a hex editor?

I am messing around with some reverse engineering, but I don't know how to change a jnz to jz with a hex editor. I understand it will vary between systems but I'm not sure where to look to find this …

Read More