Better-rtti-parser - IDA script to parse RTTI information in executable

Overview

RTTI parser


Parses RTTI information from executable.

Example

HexRays decompiler view

Before:

decompiler view before

After:

decompiler view after

Functions window

Before:

functions window before

After:

functions window after

Structs window

structs windows

Install & Run

  1. git clone https://github.com/MlsDmitry/better-rtti-parser
  2. Click on "IDA > File > Script file" and choose rtti_parse.py
  3. Happy RE time!

Why another RTTI parser ?

I didn't really like the code in the SusanRTTI repo, and it didn't do what I wanted (rename functions to BaseClass::AnotherClass::sub_4B5A). I decided to spend a few more hours rewriting the code and learning how to write IDA plugins. In the end it became a lot faster; I really like it, so I'll continue to update it.

Known issues

No Code refs found for _ZNTV...

Problem:

I didn't find a way to get the address of the first character of a string that matched at some position. If you know or have found a solution, add an answer to issue #1.

Steps to resolve:

Find the full symbol name of __class_type_info, __si_class_type_info or __vmi_class_type_info by searching in IDA, and replace the old names in TiClassKind in rtti_parse.py.

Current cover

  • GNU g++ 64-bit
  • IDA Pro 7.4-7.6
  • Rename functions to BaseClass::AnotherClass::sub_4B5A format
  • Create structures for vtables
  • Fix: place "v" at the end of symbol only if there are no parameters for function
  • Fix: some functions are only renamed, but retyping fails
  • Find destructors ( Not really sure how accurate it will be )
  • Make class graph
  • IDA Pro 7.0-7.3 support
  • GNU G++ 32-bit
  • MSVC 64-bit
  • MSVC 32-bit
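The "Known issues" section above talks about matching the three libstdc++ type_info vtable symbols, and the coverage list talks about building a class graph and naming functions BaseClass::AnotherClass::sub_4B5A. The following is an added example, not code from this repository: it builds a small constructed x86-64 memory image containing g++-style type_info records (Itanium C++ ABI layout: vptr, mangled name pointer, then one base pointer for __si_class_type_info or a flags/count header plus (base, offset_flags) pairs for __vmi_class_type_info), classifies each record by the vtable its vptr points into, demangles the names, and derives the class graph and the qualified function name. The `Image` class, the sample classes (Base, Mixin, ns::Derived, Multi) and the `ADDRESS_POINT` offset are assumptions of this example; the real script instead locates records through references to the vtable symbols, and the root-first naming chain is my reading of the README's format.

```python
import re
import struct

# libstdc++ vtable symbols of the three type_info kinds the README's TiClassKind
# table has to match. A record's vptr points 16 bytes past the vtable symbol
# (after offset-to-top and the typeinfo pointer) on x86-64.
TI_VTABLE_KINDS = {
    "_ZTVN10__cxxabiv117__class_type_infoE": "class",          # no bases
    "_ZTVN10__cxxabiv120__si_class_type_infoE": "si_class",    # one public base
    "_ZTVN10__cxxabiv121__vmi_class_type_infoE": "vmi_class",  # multiple/virtual bases
}
ADDRESS_POINT = 16  # assumption of this example: vtable symbol + 16 = address point


def demangle_type(mangled):
    """Demangle the subset g++ stores in type_info names: <len><id> or N<len><id>...E."""
    nested = mangled.startswith("N") and mangled.endswith("E")
    body = mangled[1:-1] if nested else mangled
    parts, pos = [], 0
    while pos < len(body):
        m = re.match(r"\d+", body[pos:])
        if not m:
            raise ValueError("bad mangled name: %r" % mangled)
        n, pos = int(m.group()), pos + len(m.group())
        if len(body) < pos + n:
            raise ValueError("truncated mangled name: %r" % mangled)
        parts.append(body[pos:pos + n])
        pos += n
    return "::".join(parts)


class Image:
    """Flat little-endian memory image with a symbol table (stands in for the IDB)."""
    def __init__(self, base):
        self.base, self.buf, self.symbols = base, bytearray(), {}

    def add(self, data, symbol=None):
        addr = self.base + len(self.buf)
        if symbol:
            self.symbols[symbol] = addr
        self.buf += data
        return addr

    def u64(self, addr):
        return struct.unpack_from("<Q", self.buf, addr - self.base)[0]

    def u32(self, addr):
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]

    def cstr(self, addr):
        off = addr - self.base
        return self.buf[off:self.buf.index(b"\0", off)].decode()


def build_sample_image():
    """Constructed sample: Base, Mixin, ns::Derived : Base, Multi : ns::Derived, Mixin."""
    img = Image(0x400000)
    for sym in TI_VTABLE_KINDS:  # fake libstdc++ vtables; only their addresses matter
        img.add(b"\0" * 32, sym)
    names = {n: img.add(n.encode() + b"\0")
             for n in ("4Base", "5Mixin", "N2ns7DerivedE", "5Multi")}
    pad = (-len(img.buf)) % 8  # records must be 8-byte aligned
    if pad:
        img.add(b"\0" * pad)
    vt = {k: img.symbols[s] + ADDRESS_POINT for s, k in TI_VTABLE_KINDS.items()}
    ti_base = img.add(struct.pack("<QQ", vt["class"], names["4Base"]), "_ZTI4Base")
    ti_mixin = img.add(struct.pack("<QQ", vt["class"], names["5Mixin"]), "_ZTI5Mixin")
    ti_derived = img.add(struct.pack("<QQQ", vt["si_class"], names["N2ns7DerivedE"],
                                     ti_base), "_ZTIN2ns7DerivedE")
    # vmi layout: vptr, name, flags u32, base_count u32, then (base ti, offset<<8 | flags)
    img.add(struct.pack("<QQIIQqQq", vt["vmi_class"], names["5Multi"], 0, 2,
                        ti_derived, (0 << 8) | 2, ti_mixin, (8 << 8) | 2), "_ZTI5Multi")
    return img


def parse_typeinfo(img, ti_addr, kind_by_vptr):
    """Return (demangled name, kind, [base type_info addresses]) for one record."""
    kind = kind_by_vptr.get(img.u64(ti_addr))
    if kind is None:
        raise ValueError("no class type_info at %#x" % ti_addr)
    name = demangle_type(img.cstr(img.u64(ti_addr + 8)))
    bases = []
    if kind == "si_class":
        bases.append(img.u64(ti_addr + 16))
    elif kind == "vmi_class":
        for i in range(img.u32(ti_addr + 20)):
            bases.append(img.u64(ti_addr + 24 + 16 * i))
    return name, kind, bases


def build_class_graph(img):
    """Find every type_info by its vptr value and return {class name: [base names]}."""
    kind_by_vptr = {img.symbols[s] + ADDRESS_POINT: k
                    for s, k in TI_VTABLE_KINDS.items() if s in img.symbols}
    found = {}
    for off in range(0, len(img.buf) - 7, 8):  # every aligned 8-byte slot
        if img.u64(img.base + off) in kind_by_vptr:
            found[img.base + off] = parse_typeinfo(img, img.base + off, kind_by_vptr)
    return {name: [found[b][0] for b in bases] for name, _, bases in found.values()}


def inheritance_path(graph, cls):
    """Root-first chain along the first base, e.g. Base::ns::Derived::Multi."""
    path, seen = [cls], {cls}
    while graph.get(path[0]) and graph[path[0]][0] not in seen:
        path.insert(0, graph[path[0]][0])
        seen.add(path[0])
    return "::".join(path)


def rename_vtable_function(graph, cls, func_name):
    """Name a vtable slot the way the README describes: BaseClass::AnotherClass::sub_XXXX."""
    return inheritance_path(graph, cls) + "::" + func_name


if __name__ == "__main__":
    graph = build_class_graph(build_sample_image())
    for cls, bases in graph.items():
        print("%-12s bases=%s" % (cls, bases))
    print(rename_vtable_function(graph, "Multi", "sub_4B5A"))
```

The scan keys on the vptr value rather than on code or data references to the vtable symbol, which is exactly the step the known issue above says is hard to get right from a string match in IDA: once the three vtable addresses are known, every 8-byte slot holding one of them is a type_info record, and its kind tells you how many base pointers follow.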

Test environment

  • Windows 10 2021 H1
  • IDA Pro 7.6
  • Python 3.10 ( I'm surprised this python version works well )
  • x64 GNU g++ binary

Examples

Check out the example folder; it contains .elf files for you to test on.

Example output:

(example output image)

Credits

  1. @IgorSkochinsky for http://www.hexblog.com/wp-content/uploads/2012/06/Recon-2012-Skochinsky-Compiler-Internals.pdf (the plugin's algorithm is entirely based on his research)
  2. @layle_ctf made my life easier with IDA remote script execution and debugging: https://github.com/ioncodes/idacode
Comments
  • AttributeError: module 'ida_bytes' has no attribute 'compiled_binpat_vec_t'

    I got this error on IDA Pro 7.5

        C:\Users\Commando10\Desktop\better-rtti-parser-master\better-rtti-parser-master\rtti_parse.py: module 'ida_bytes' has no attribute 'compiled_binpat_vec_t'
        Traceback (most recent call last):
          File "C:\Users\Commando10\Desktop\IDA_PRO\IDA Pro 7.5\python\3\ida_idaapi.py", line 616, in IDAPython_ExecScript
            exec(code, g)
          File "C:/Users/Commando10/Desktop/better-rtti-parser-master/better-rtti-parser-master/rtti_parse.py", line 136, in <module>
            main()
          File "C:/Users/Commando10/Desktop/better-rtti-parser-master/better-rtti-parser-master/rtti_parse.py", line 131, in main
            process()
          File "C:/Users/Commando10/Desktop/better-rtti-parser-master/better-rtti-parser-master/rtti_parse.py", line 94, in process
            addr_ea = search(symbol_name)
          File "C:/Users/Commando10/Desktop/better-rtti-parser-master/better-rtti-parser-master\core\common.py", line 85, in search
            pattern_obj = ida_bytes.compiled_binpat_vec_t()
        AttributeError: module 'ida_bytes' has no attribute 'compiled_binpat_vec_t'

    opened by mucomplex 3
  • No code refs found for _ZTV3N10__cxxabiv117__class_type_infoE / _ZTV

    For a temporary solution see README #Known Issues

    I didn't find a way to get the address of the first character of a string that matched at some position. So I cannot match __class_type_info, __si_class_type_info or __vmi_class_type_info without including the ABI version and the symbol mangling prefix :(

    opened by MlsDmitry 1
  • Add feature to run as IDA plugin

    • drop files in 'IDA_DIR/plugins' folder to use as plugin
    • plugin is available in Edit -> Plugins menu
    • can set hotkey in Options -> Shortcuts menu
    • still also works as regular script, no effect on functionality, only convenience
    opened by anzz1 0
  • sometimes typename is none

    Hello,

    I have a weird issue with your script: sometimes it doesn't find the typename and the script crashes. As I don't have much time right now to debug, I made a simple patch. Do you have an idea why it happens?

    diff '--color=auto' -ru ida-better-rtti-parser_mod/core/common.py ida-better-rtti-parser/core/common.py
    --- ida-better-rtti-parser_mod/core/common.py	2022-09-22 11:29:18.943743648 +0200
    +++ ida-better-rtti-parser/core/common.py	2022-09-22 11:29:57.103631866 +0200
    @@ -144,10 +144,7 @@
         Ex:
         Base::SomeClass::ClassTemplate<int,double,char> --> ClassTemplate
         """
    -    if name:
    -        return re.sub('(<.*>|.*::)', '', name)
    -    else:
    -        return None
    +    return re.sub('(<.*>|.*::)', '', name)
     
     
     def get_function_signature(func_ea) -> FunctionSignature:
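    Review bot: the diff arguments are in the wrong order for a patch (the `_mod` tree is the first argument), so in this hunk the `-` lines are the proposed change and the `+` line is the current code; re-run as `diff -ru ida-better-rtti-parser ida-better-rtti-parser_mod` so it applies cleanly. On the change itself, returning `None` when `name` is empty only moves the failure into the callers: the docstring above still promises a string (`Base::SomeClass::ClassTemplate<int,double,char> --> ClassTemplate`), so document that `None` means the type_info had no name, and consider logging the address that produced the empty name so the root cause (the typename the parser failed to find) can be debugged instead of silently skipped.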
    @@ -181,9 +178,8 @@
         sig = get_function_signature(func_ea)
         
         for typename in typenames:
    -        if typename:
    -            ret += str(len(typename))
    -            ret += typename
    +        ret += str(len(typename))
    +        ret += typename
     
         ret += 'E'
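    Review bot: with `if typename:` guarding the loop (again, the `-` lines here are the proposed change), a missing component is dropped from the Itanium nested-name encoding without a trace, so the `N...E` name that is built describes a shorter nesting than the real one and the function is renamed to the wrong class. Prefer to abort the rename for that function (leaving its `sub_` name) when any typename is `None`, and log `func_ea` and `sig` so the crash this comment describes can be investigated later.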
    
    opened by dummys 1
Owner
CTF player, Reverse Engineer