From c05ffbd12d377713cd33313387ae24718a672ba5 Mon Sep 17 00:00:00 2001
From: CySHell
Date: Tue, 7 Jun 2022 12:45:33 +0300
Subject: [PATCH] Version 1.1 - Detect Constructors
---
 .../Constructors/DetectConstructor.py | 16 ++++++++++++----
 Common/Utils.py | 3 +--
 RttiInfomation/BaseClassDescriptor.py | 1 -
 RttiInfomation/ClassHierarchyDescriptor.py | 1 -
 StartInspection.py | 5 ++++-
 5 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/ClassDataStructureDetection/Constructors/DetectConstructor.py b/ClassDataStructureDetection/Constructors/DetectConstructor.py
index 0680f79..6b2dc60 100644
--- a/ClassDataStructureDetection/Constructors/DetectConstructor.py
+++ b/ClassDataStructureDetection/Constructors/DetectConstructor.py
@@ -1,4 +1,5 @@
 import binaryninja as bn
+from typing import List
 def detect(bv: bn.binaryview):
@@ -16,14 +17,21 @@ def detect(bv: bn.binaryview):
 # pointer is to a struct, this is de-referencing offset 0x0.
 if instr.operands[0].operation == 23:
 if type(instr.operands[0].operands[0]) == bn.highlevelil.HighLevelILVar:
- pointer: bn.highlevelil.HighLevelILVar = instr.operands[1].operands[0]
+ pointer: int = instr.operands[1].operands[0]
 data_refs = list(bv.get_data_refs_from(pointer))
 if data_refs:
 if len(data_refs) != 1:
- print(f'Error, too many data refs for {pointer}')
+ # print(f'Error, too many data refs for {pointer}')
+ pass
 else:
 # Check if this is a function pointer
 if bv.get_function_at(data_refs[0]):
- print(hex(instr.address))
+ constructor_addr: List[ bn.function.Function] = bv.get_functions_containing(instr.address)
+ if len(constructor_addr) == 1:
+ print( f'Suspected constructor at - {hex(constructor_addr[0].start)},' f' vfTable address is - {hex(pointer)}')
 else:
- print(f'Error in instruction {instr}')
+ # print(f'Error in instruction {instr}')
+ pass
diff --git a/Common/Utils.py b/Common/Utils.py
index 9459102..dc98911 100644
--- a/Common/Utils.py
+++ b/Common/Utils.py
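Review bot: The two `# print(...)` / `pass` pairs in the second DetectConstructor.py hunk turn the "too many data refs" and "Error in instruction" cases into silent drops, so a candidate constructor that is discarded leaves no trace for the analyst to follow up on. Keep the diagnostics but send them to the debug log instead of stdout, e.g. `bn.log_debug(f'Error, too many data refs for {pointer}')` and `bn.log_debug(f'Error in instruction {instr}')`; `bn` is already imported at the top of the file. The annotation `pointer: int` is only a hint: the type check on the line above inspects `instr.operands[0].operands[0]`, while `pointer` is read from `instr.operands[1].operands[0]`, so if that operand is an IL expression rather than an integer the new `hex(pointer)` call raises TypeError; an `if isinstance(pointer, int):` guard before the `get_data_refs_from` call would make the assumption explicit. The `len(constructor_addr) != 1` case is likewise dropped without a message, which hides overlapping-function layouts. The enclosing `detect` function starts outside the hunk.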
@@ -5,10 +5,9 @@ def DemangleName(mangled_name: str) -> str:
 demangled_name: str = subprocess.getoutput([Config.DEMANGLER_FULL_PATH, mangled_name])
- # Sometimes classes that use lambda functions cannot be parsed correctly and we get this error msg.
 if demangled_name.startswith('The system cannot find the file specified'):
- return demangled_name
+ return mangled_name
 else:
 return demangled_name.split(" `RTTI")[0]
diff --git a/RttiInfomation/BaseClassDescriptor.py b/RttiInfomation/BaseClassDescriptor.py
index 3f5b0c5..e885f8c 100644
--- a/RttiInfomation/BaseClassDescriptor.py
+++ b/RttiInfomation/BaseClassDescriptor.py
@@ -36,7 +36,6 @@ def __init__(self, bv: bn.binaryview, base_addr: int):
 self.mangled_class_name = self.get_mangled_class_name()
 self.demangled_class_name = Utils.DemangleName(self.mangled_class_name)
-
 if ClassContext.base_class_descriptors.get(self.base_addr):
 self.verified = True
 else:
diff --git a/RttiInfomation/ClassHierarchyDescriptor.py b/RttiInfomation/ClassHierarchyDescriptor.py
index f85d965..cea7f7f 100644
--- a/RttiInfomation/ClassHierarchyDescriptor.py
+++ b/RttiInfomation/ClassHierarchyDescriptor.py
@@ -11,7 +11,6 @@ def __init__(self, bv: bn.binaryview, base_addr: int, mangled_class_name: str):
 self.base_addr: int = base_addr
 self.mangled_class_name: str = mangled_class_name
 self.demangled_class_name: str = Utils.DemangleName(self.mangled_class_name)
- # Always 0 ?
 self.signature: int = self.bv.read_int(base_addr, 0x4) # attributes = 0 - normal inheritance
diff --git a/StartInspection.py b/StartInspection.py
index 530effd..8a606c7 100644
--- a/StartInspection.py
+++ b/StartInspection.py
@@ -10,6 +10,8 @@ from .Common import Utils
 from . import Config
 from .RttiInfomation import TypeCreation
+from .ClassDataStructureDetection.Constructors import DetectConstructor
+
 def is_bv_valid_for_plugin(bv: bn.binaryview) -> bool:
 if bv.arch.name != "x86_64":
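Review bot: The new `return mangled_name` fallback in DemangleName only triggers when the output starts with the English Windows text 'The system cannot find the file specified', so on a non-English locale, or when the demangler fails for any other reason, the error text is still returned as the class name; the removed comment was also the only explanation of why that string is matched. Because `subprocess.getoutput` runs the command with `shell=True` and merges stderr into stdout, the mangled name — which is read from the binary under analysis — is handed to a shell, and on POSIX the extra list element is not even passed to the demangler; `subprocess.run` with an argument list (no shell) plus a `returncode` check is the robust replacement and keeps the fallback the commit intends. DemangleName's signature line is outside the hunk.
```python
def DemangleName(mangled_name: str) -> str:
    try:
        result = subprocess.run([Config.DEMANGLER_FULL_PATH, mangled_name],
                                capture_output=True, text=True)
    except OSError:
        # Demangler binary missing or not runnable: keep the mangled name.
        return mangled_name
    if result.returncode != 0:
        return mangled_name
    return result.stdout.rstrip("\n").split(" `RTTI")[0]
```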
@@ -17,6 +19,7 @@ def is_bv_valid_for_plugin(bv: bn.binaryview) -> bool:
 return False
 return True
+
 class InspectInBackground(bn.BackgroundTaskThread):
 def __init__(self, bv: bn.binaryview):
@@ -25,6 +28,7 @@ def __init__(self, bv: bn.binaryview):
 def run(self):
 self.RTTI_inspection()
+ DetectConstructor.detect(self.bv)
 def RTTI_inspection(self):
 Utils.LogToFile(f'Logging filename: {Config.LOGFILE_FULL_PATH}')
@@ -45,4 +49,3 @@ def inspect(bv: bn.binaryview):
 else:
 background_thread = InspectInBackground(bv)
 background_thread.start()
-
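Review bot: `DetectConstructor.detect(self.bv)` is appended to `run` with no error isolation, so an exception in the new heuristic (which, as written, calls `hex(pointer)` on a value whose type is annotated but never checked) terminates the background task after the RTTI pass has already produced its results, and nothing is written to the plugin's own log file. Wrap the call so the failure is recorded and the task still completes, e.g. `try:` / `DetectConstructor.detect(self.bv)` / `except Exception as exc: Utils.LogToFile(f'Constructor detection failed: {exc!r}')`, using the same `Utils.LogToFile` the `RTTI_inspection` context line already relies on. The rest of `run` and the body of `RTTI_inspection` lie outside the hunk.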