NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

RecoverClassesFromRTTIScript gives "Error recovering classes" in 10.1-beta but works in 10.0.3 #3646

Closed jrmuizel closed 2 years ago

jrmuizel commented 2 years ago

To Reproduce

Steps to reproduce the behavior:

  1. Load binary
  2. Load PDB
  3. Run Autoanalysis
  4. Run RecoverClassesFromRTTIScript
  5. See error

@ghidra007 any suggestions for debugging this?

ghidra007 commented 2 years ago

Sorry to hear that. You can look in the log in the project manager and see where the error happened. Please copy the stack trace here so it can be looked into on our end. Thanks.

jrmuizel commented 2 years ago

All I get is:

2021-11-17 14:18:54 DEBUG (AutoAnalysisManager) Scheduling analysis worker (RecoverClassesFromRTTIScript.java): class ghidra.app.script.GhidraScript$1  
2021-11-17 14:18:54 DEBUG (ToolTaskManager) Wed Nov 17 14:18:54 EST 2021 Background processing started...  
2021-11-17 14:18:54 DEBUG (ToolTaskManager) Wed Nov 17 14:18:54 EST 2021 Exec Task Auto Analysis  
2021-11-17 14:18:54 DEBUG (AnalysisWorkerCommand) Invoking analysis worker (RecoverClassesFromRTTIScript.java): class ghidra.app.script.GhidraScript$1  
2021-11-17 14:18:55 INFO  (GhidraScript) RecoverClassesFromRTTIScript.java> Checking for missing RTTI information and undefined constructor/destructor functions and creating if possible to find entry point...  
2021-11-17 14:18:55 INFO  RecoverClassesFromRTTIScript.java> Checking for missing RTTI information and undefined constructor/destructor functions and creating if possible to find entry point...  
2021-11-17 14:18:55 INFO  (GhidraScript) RecoverClassesFromRTTIScript.java> Recovering classes using RTTI...  
2021-11-17 14:18:55 INFO  RecoverClassesFromRTTIScript.java> Recovering classes using RTTI...  
2021-11-17 14:19:05 INFO  (GhidraScript) RecoverClassesFromRTTIScript.java> Error recovering classes  
2021-11-17 14:19:05 INFO  RecoverClassesFromRTTIScript.java> Error recovering classes  
2021-11-17 14:19:05 DEBUG (AutoAnalysisManager) Analysis worker completed (RecoverClassesFromRTTIScript.java): class ghidra.app.script.GhidraScript$1  
2021-11-17 14:19:05 INFO  (AutoAnalysisManager) -----------------------------------------------------
    Call Convention ID                         0.001 secs
    RecoverClassesFromRTTIScript.java         10.234 secs
-----------------------------------------------------
     Total Time   10 secs
-----------------------------------------------------

ghidra007 commented 2 years ago

What program are you trying this on? Is it publicly available?

ghidra007 commented 2 years ago

I've added code to spit out the stack traces but it won't be ready until the 10.1 build unless you want to modify a few files. If you want to do that, I'll put the edits here.

jrmuizel commented 2 years ago

It's igd10umd64.dll from http://download.windowsupdate.com/msdownload/update/driver/drvs/2013/04/200000265_b70e6e89dc0f24433f6fcc6b33d5f160f30a33cd.cab. The symbols are from the microsoft symbol server.

ghidra007 commented 2 years ago

Thanks!

ghidra007 commented 2 years ago

Just to clarify, you loaded the binary then loaded the pdb separately vice having the pdb analyzer do the pdb?

jrmuizel commented 2 years ago

I think there's a typo in your question so I don't quite understand it. But I'll elaborate my steps:

  1. Load the binary
  2. File -> Load PDB File... (have it fetched from ms symbol server) and then click "Load"
  3. Wait for the PDB triggered analysis to finish
  4. Analysis -> Auto Analyze ...
  5. Run RecoverClassesFromRTTIScript

ghidra007 commented 2 years ago

Ok thanks! I'll try to reproduce the issue. Thanks for the extra info. In the past, at least, loading the pdb file separately was different than having the pdb in the same dir as the binary then running analysis with the pdb analyzer turned on. I have no idea if this has anything to do with the issue but wanted to make sure I was following the same steps you are when trying to reproduce. PDB was reworked a few versions ago so I don't know if the load then analyze is any different than the other method anymore.

ghidra007 commented 2 years ago

I have found the issue in new code that was written to split apart the class data types. I'll have a fix out for 10.1. Thanks for finding this.

ghidra007 commented 2 years ago

It's a one-line code fix. If you want to try it you can replace EditStructureUtils.java class (located in Ghidra\Features\Decompiler\ghidra_scripts\classrecovery -- can't filter for it in script manager unfortunately since it isn't a script but can edit with external editor) line 223 with

DataTypeComponent component = structure.getComponentContaining(offset);

The issue happened because the getComponentAt behavior recently changed. It used to get the component containing and now it really gets the component at. Since there wasn't one, it was throwing a null later when trying to use the resulting component. I thought I had stamped out all the resulting issues but apparently not.

Since this is a class and not a script, I believe you will have to restart Ghidra for the code change to take effect if you are not using Eclipse but since it is in a script folder, you can actually edit the class and it will get rebuilt.
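The lookup difference described in the comment above, as an added example that is not code from the Ghidra project or from anyone in this thread. It assumes the 10.1 semantics as ghidra007 describes them (getComponentAt matches only a component that starts at the given offset, getComponentContaining matches the component that covers the byte at that offset); the DemoClass layout, the probed offsets and the script name ComponentLookupDemoScript are constructed for illustration. Dropped into a script directory, it runs from the Script Manager and needs no program open.

```java
// Added example: not code from the Ghidra project or from this issue thread.
// Assumptions: the lookup semantics follow the thread's description of the 10.1
// change (getComponentAt matches only a component that starts at the offset,
// getComponentContaining matches the component that covers the byte); the
// structure layout, offsets and script name are constructed for illustration.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.data.DataTypeComponent;
import ghidra.program.model.data.IntegerDataType;
import ghidra.program.model.data.QWordDataType;
import ghidra.program.model.data.Structure;
import ghidra.program.model.data.StructureDataType;

public class ComponentLookupDemoScript extends GhidraScript {

    @Override
    public void run() throws Exception {
        // Constructed 16-byte non-packed structure: a 4-byte int at 0, an 8-byte
        // field at 8, and undefined bytes at 4..7. No program is required.
        Structure demo = new StructureDataType("DemoClass", 16);
        demo.replaceAtOffset(0, IntegerDataType.dataType, 4, "refCount", null);
        demo.replaceAtOffset(8, QWordDataType.dataType, 8, "vftablePtr", null);

        // Offset 2 lies inside refCount but is not where it starts: that is the
        // case the thread traced, where getComponentAt returned null and the
        // caller dereferenced it later. Offset 5 (undefined bytes) is included
        // only for comparison; the output shows whatever each lookup returns.
        int[] offsets = { 0, 2, 5, 8, 10 };
        for (int offset : offsets) {
            println(String.format("offset %2d: getComponentAt=%-16s getComponentContaining=%s",
                offset, describe(demo.getComponentAt(offset)),
                describe(demo.getComponentContaining(offset))));
        }

        // The corrected lookup, with the "no component" case handled at the
        // call site instead of surfacing as a NullPointerException later.
        DataTypeComponent hit = componentCovering(demo, 2);
        println("byte 2 belongs to field " + describe(hit));
    }

    /**
     * Same lookup as the one-line fix quoted above, but failing with a clear
     * message when no component covers the offset rather than returning null.
     */
    static DataTypeComponent componentCovering(Structure structure, int offset) {
        DataTypeComponent component = structure.getComponentContaining(offset);
        if (component == null) {
            throw new IllegalArgumentException(
                "no component of " + structure.getName() + " covers offset " + offset);
        }
        return component;
    }

    /** Renders a component as name@offset+length, or "null" when absent. */
    static String describe(DataTypeComponent component) {
        if (component == null) {
            return "null";
        }
        String name = component.getFieldName();
        if (name == null) {
            // Unnamed (e.g. undefined filler) components carry only a data type.
            name = component.getDataType().getName();
        }
        return name + "@" + component.getOffset() + "+" + component.getLength();
    }
}
```

The componentCovering helper is the defensive form of the fix: code that walks class structures by byte offset should resolve the covering component and treat a null result as a reportable condition at the lookup, since the symptom in this thread ("Error recovering classes" with no stack trace) is what an unchecked null looks like several frames later.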

jrmuizel commented 2 years ago

That fixes it. Thanks a lot.

ghidra007 commented 2 years ago

You're welcome! I appreciate you reporting it so it could be fixed.

ryanmkurtz commented 2 years ago

Fixed by 659892a8103988eb2b00c99bba0b491fd9cd70ef