Microsoft Visual Studio C++ Class information extraction.
This plugin aims to aid in reverse engineering binaries compiled with MSVC and written in C++. Such binaries often contain extremely useful information about the classes and types used within them: information that is invaluable to reverse engineering efforts.
This plugin performs 3 main actions:
RTTI Inspection
Search the executable for RTTI (Run-Time Type Information) structures, and define the actual symbols with types within the BinaryView, including demangled class names.
Before / after screenshots.
Resolve and Define Virtual-Function tables
Any C++ class with virtual functions will have its own vfTable within the executable. Identifying this vfTable is crucial in order to understand which functions belong to which class.
This plugin takes this process one step further: using graph-theory algorithms it will approximate which class owns which function within a given vfTable. This is important because not all derived classes override the functions of their base class, which means that the derived class vfTable might contain functions that belong to the base class, and often functions belonging to several different base classes.
Before / after screenshots.
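As an added illustration (not part of this plugin's code), the following stand-alone parser walks the x64 MSVC RTTI chain described in the two sections above, vftable[-1] to CompleteObjectLocator to TypeDescriptor and ClassHierarchyDescriptor, over a constructed sample image; the image base, RVAs and class names are made up, and the tiny demangler only handles plain class/struct names (the plugin itself uses Demumble).

```python
import struct

# Constructed sample: a 64-bit image base and a tiny fake .rdata, not a real binary.
IMAGE_BASE = 0x140000000

def build_sample_image():
    """Emit MSVC x64 RTTI structures for `class Derived : Base` plus its vftable."""
    img = bytearray(0x1200)
    put = lambda rva, fmt, *v: struct.pack_into(fmt, img, rva, *v)
    put(0x1000, '<QQ14s', 0, 0, b'.?AVDerived@@\0')        # TypeDescriptor: vftable, spare, name
    put(0x1040, '<QQ11s', 0, 0, b'.?AVBase@@\0')
    put(0x1080, '<7i', 0x1000, 1, 0, -1, 0, 0, 0x10C0)      # BaseClassDescriptor: Derived (self)
    put(0x10A0, '<7i', 0x1040, 0, 0, -1, 0, 0, 0)           # BaseClassDescriptor: Base
    put(0x10C0, '<4I', 0, 0, 2, 0x10D0)                     # ClassHierarchyDescriptor
    put(0x10D0, '<2I', 0x1080, 0x10A0)                      # BaseClassArray (RVAs of BCDs)
    put(0x10E0, '<6I', 1, 0, 0, 0x1000, 0x10C0, 0x10E0)     # CompleteObjectLocator, pSelf = own RVA
    put(0x1100, '<3Q', IMAGE_BASE + 0x10E0, IMAGE_BASE + 0x2000, IMAGE_BASE + 0x2010)  # COL ptr, vfuncs
    return img, IMAGE_BASE + 0x1108   # the vftable VA an object's first qword points to

def cstr(img, rva):
    end = img.index(b'\0', rva)
    return img[rva:end].decode()

def demangle_simple(name):
    """Enough for plain `.?AV`/`.?AU` names; real work belongs to a demangler such as Demumble."""
    kind = {'V': 'class', 'U': 'struct'}.get(name[3], '?')
    return f"{kind} {name[4:].rstrip('@')}"

def inspect_vftable(img, vft_va):
    """Walk vftable[-1] -> COL -> TypeDescriptor/CHD, as an RTTI scan does for each hit."""
    col_rva = struct.unpack_from('<Q', img, vft_va - IMAGE_BASE - 8)[0] - IMAGE_BASE
    sig, offset, cd_off, p_td, p_chd, p_self = struct.unpack_from('<6I', img, col_rva)
    # Two cheap sanity checks that reject most false positives in a raw scan.
    if sig != 1 or p_self != col_rva:
        return None
    _, _, num_bases, p_bca = struct.unpack_from('<4I', img, p_chd)
    bases = []
    for i in range(num_bases):
        p_bcd = struct.unpack_from('<I', img, p_bca + 4 * i)[0]
        bcd_td, _, mdisp = struct.unpack_from('<3i', img, p_bcd)   # TD, numContainedBases, PMD.mdisp
        bases.append((demangle_simple(cstr(img, bcd_td + 16)), mdisp))
    return {'class': demangle_simple(cstr(img, p_td + 16)),
            'this_offset': offset, 'hierarchy': bases}

if __name__ == '__main__':
    print(inspect_vftable(*build_sample_image()))
```

The hierarchy list is what the vfTable ownership step starts from: the first entry is the class itself, followed by its bases in declaration order, each with the `this` adjustment needed to reach that subobject.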
Detect and Define Constructor\Destructor functions
Based on information obtained in the preceding steps, it is possible to locate suspected constructor and destructor functions for the various detected classes. The plugin will either annotate the suspected constructor\destructor with a comment or change the name of the function to reflect the detection.
Define class types for known Classes
Using information extracted from the MSVC compiler (CL) regarding the memory layout of compiled classes, it is possible to define the actual class type as it appears in memory. This type can later be applied to any function using the "this" pointer. Version 1.0 of this plugin contains memory layout information for many classes of the following libraries:
- standard lib
- Protobuf
- Standard Template Library
- CryptoPP
The plugin will automatically define any class type in its database if the corresponding class is found to be resident in the executable.
This plugin installs as a normal binja plugin - just clone it into the plugins' directory. Edit the Config.py file for values suitable to your environment.
- Supports MSVC compiled binaries Only
- x86 32\64 bit architecture only
- Currently no support for Multiple Virtual Inheritance (support for this will be added in the future)
This plugin uses the Demumble project in order to demangle C++ symbols - https://github.com/nico/demumble.
This plugin is released under an MIT license.