NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

Rtti1Model has an additional field when compared to RTTI1DataType causing overlap when applied to MSVC 4.X binaries #6770

Open Wall-AF opened 1 month ago

Wall-AF commented 1 month ago

I see that 4byte_ptr_or_disp pClassHierarchyDescriptor; // ref to ClassHierarchyDescriptor (RTTI 3) for class has been added to the replacement type Rtti1Model that isn't in the (now deprecated) RTTI1DataType. Is this a mistake, or has the spec moved on?

If it has changed, what is the correct way to revert back to the original?

Wall-AF commented 1 month ago

According to https://blog.quarkslab.com/visual-c-rtti-inspection.html, the RTTI_1 definition is:

typedef const struct _s__RTTIBaseClassDescriptor {
  _TypeDescriptor *pTypeDescriptor;
  unsigned long numContainedBases;
  _PMD where;
  unsigned long attributes;
} __RTTIBaseClassDescriptor;

ghidra007 commented 1 month ago

I'm pretty sure this has been this way for a long time in Ghidra.

Your link is to a page dated 2013 referring to older RTTI structures. This one describes it the way we have it modeled: https://www.lukaszlipski.dev/post/rtti-msvc/

We do have another outstanding ticket to handle the older RTTI format. https://github.com/NationalSecurityAgency/ghidra/issues/1790

It is possible that a recent change to remove a validation step is allowing some to be created that were not before.

Were you seeing the old style being applied at some point and are now not? If so, what version of Ghidra was that in and when did you see a change?

Wall-AF commented 1 month ago

@ghidra007 I only just discovered this through searching for RTTI_1 as it was too big for the space it should've fit and I couldn't change it! I don't know when the new models replaced the deprecated types. I am using my own version of Ghidra, but keep it up-to-date regularly. I'll get the commit when I'm back at my PC in the next few days if you need it.

ghidra007 commented 1 month ago

@Wall-AF I don't think we ever used the deprecated types in the analyzer. I think we might have at one point included them as built in types users could use or there might have been a script that used them. There are two other tickets reporting that we do not handle the old RTTI correctly and it sounds like this is the same issue. In the meantime, maybe you can copy the structure from the built-in types and edit to remove the last field then clear and replace your rtti1's with your new structure.

Wall-AF commented 1 month ago

@ghidra007 I can either copy or create (which I did) my own structure and use that. What I found sad (and surprising) was that the old structure was there, but unusable (from the GUI at least) and that Ghidra had failed to even notice the use of RTTI in my app when I imported and performed the built-in analysis initially!

FYI, my current version of Ghidra is based upon commit dec414e with all sorts of mods from PASCAL style (left-to-right) parameter stacking through to 16-bit far pointer (partial) support and a myriad of other little bits and pieces!

ghidra007 commented 1 month ago

> @ghidra007 I can either copy or create (which I did) my own structure and use that. What I found sad (and surprising) was that the old structure was there, but unusable (from the GUI at least) and that Ghidra had failed to even notice the use of RTTI in my app when I imported and performed the built-in analysis initially!
>
> FYI, my current version of Ghidra is based upon commit dec414e with all sorts of mods from PASCAL style (left-to-right) parameter stacking through to 16-bit far pointer (partial) support and a myriad of other little bits and pieces!

Can you describe why the old structure was unusable? Are you saying that you can't create a data type of that type in the Listing? Can you share the path and name in the data type manager of the structure you are referring to? Thanks.

Wall-AF commented 1 month ago

> @ghidra007 I can either copy or create (which I did) my own structure and use that. What I found sad (and surprising) was that the old structure was there, but unusable (from the GUI at least) and that Ghidra had failed to even notice the use of RTTI in my app when I imported and performed the built-in analysis initially! FYI, my current version of Ghidra is based upon commit dec414e with all sorts of mods from PASCAL style (left-to-right) parameter stacking through to 16-bit far pointer (partial) support and a myriad of other little bits and pieces!
>
> Can you describe why the old structure was unusable? Are you saying that you can't create a data type of that type in the Listing? Can you share the path and name in the data type manager of the structure you are referring to? Thanks.

  1. None of the Java code is/was using that deprecated type (RTTI1DataType) and therefore the old structure is now never built.
  2. The new type is too large and if used would overwrite other data.
  3. The deprecated structure would have been built in /Features Base/src/main/java/ghidra/app/util/datatype/microsoft/RTTI1DataType.java.
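The following is an added example, not code from the Ghidra project or from either commenter. It decodes the four-field RTTIBaseClassDescriptor quoted earlier in the thread and the five-field layout that adds pClassHierarchyDescriptor at the end, then shows concretely why the larger layout "would overwrite other data": applied to an older binary, it runs into whatever follows, and if that is the next descriptor, its pTypeDescriptor is silently read back as a class-hierarchy pointer. Assumptions not stated on the page: a 32-bit little-endian image (4-byte pointers), the standard `_PMD` definition of three `int`s (mdisp, pdisp, vdisp), and the constructed sample bytes below. The `pick_layout` stride heuristic is the author's suggestion, not a Ghidra algorithm.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# 32-bit MSVC layouts, little-endian. _PMD is assumed to be the standard
# {int mdisp; int pdisp; int vdisp;} triple (12 bytes); the thread names the
# field but does not expand it.
OLD_FMT = "<IIiiiI"   # pTypeDescriptor, numContainedBases, _PMD where, attributes
NEW_FMT = "<IIiiiII"  # the same four fields, then pClassHierarchyDescriptor
OLD_SIZE = struct.calcsize(OLD_FMT)  # 24 bytes
NEW_SIZE = struct.calcsize(NEW_FMT)  # 28 bytes
LAYOUTS = {"old": OLD_FMT, "new": NEW_FMT}


@dataclass
class BaseClassDescriptor:
    type_descriptor: int
    num_contained_bases: int
    where: Tuple[int, int, int]                # (mdisp, pdisp, vdisp)
    attributes: int
    class_hierarchy_descriptor: Optional[int]  # None when decoded with the old layout


def parse_bcd(buf: bytes, offset: int, layout: str) -> BaseClassDescriptor:
    """Decode one RTTIBaseClassDescriptor at `offset` using the named layout.

    Refuses to read past the end of the buffer instead of silently truncating.
    """
    fmt = LAYOUTS[layout]
    size = struct.calcsize(fmt)
    if offset + size > len(buf):
        raise ValueError(
            f"{layout} layout needs {size} bytes at {offset:#x}, "
            f"only {len(buf) - offset} available")
    f = struct.unpack_from(fmt, buf, offset)
    return BaseClassDescriptor(
        type_descriptor=f[0],
        num_contained_bases=f[1],
        where=(f[2], f[3], f[4]),
        attributes=f[5],
        class_hierarchy_descriptor=f[6] if layout == "new" else None,
    )


def overlaps_next(offset: int, layout: str, next_offset: int) -> bool:
    """True if a descriptor of this layout at `offset` would extend into the
    item that starts at `next_offset` (the overlap the issue describes)."""
    return offset + struct.calcsize(LAYOUTS[layout]) > next_offset


def pick_layout(offset: int, next_offset: int) -> str:
    """Heuristic (assumption, not Ghidra's logic): when descriptors are emitted
    back to back, the stride between two of them reveals which layout the
    compiler used. Anything else is ambiguous and is reported rather than guessed."""
    stride = next_offset - offset
    if stride == OLD_SIZE:
        return "old"
    if stride == NEW_SIZE:
        return "new"
    raise ValueError(f"stride {stride} matches neither layout ({OLD_SIZE}/{NEW_SIZE})")


def build_old_bcd(type_desc: int, nbases: int, pmd: Tuple[int, int, int], attrs: int) -> bytes:
    """Pack a four-field (pre-pClassHierarchyDescriptor) descriptor."""
    return struct.pack(OLD_FMT, type_desc, nbases, *pmd, attrs)


# Constructed sample: two back-to-back old-style descriptors. The addresses and
# attribute values are made up for the demonstration.
SAMPLE = (build_old_bcd(0x00401000, 1, (0, -1, 0), 0x40)
          + build_old_bcd(0x00401020, 0, (4, -1, 0), 0x40))


def demo():
    """Decode the sample both ways and return the three results."""
    first = parse_bcd(SAMPLE, 0, "old")
    second = parse_bcd(SAMPLE, OLD_SIZE, "old")
    # Decoding the first entry with the five-field layout reads the second
    # entry's pTypeDescriptor as if it were pClassHierarchyDescriptor.
    misread = parse_bcd(SAMPLE, 0, "new")
    return first, second, misread


if __name__ == "__main__":
    first, second, misread = demo()
    print("old @0:", first)
    print("old @24:", second)
    print("new @0 (overlapping):", misread)
    print("new layout overlaps next entry:", overlaps_next(0, "new", OLD_SIZE))
    print("detected layout from stride:", pick_layout(0, OLD_SIZE))
```

Run it as a script to see the misread field: `misread.class_hierarchy_descriptor` equals the second descriptor's `type_descriptor`, which is exactly what a user sees in the Listing when the five-field type is applied over four-field data. When auditing a binary by hand, checking `overlaps_next` before applying a type is the quick way to tell which layout the toolchain emitted.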

ghidra007 commented 1 month ago

> @ghidra007 I can either copy or create (which I did) my own structure and use that. What I found sad (and surprising) was that the old structure was there, but unusable (from the GUI at least) and that Ghidra had failed to even notice the use of RTTI in my app when I imported and performed the built-in analysis initially! FYI, my current version of Ghidra is based upon commit dec414e with all sorts of mods from PASCAL style (left-to-right) parameter stacking through to 16-bit far pointer (partial) support and a myriad of other little bits and pieces!
>
> Can you describe why the old structure was unusable? Are you saying that you can't create a data type of that type in the Listing? Can you share the path and name in the data type manager of the structure you are referring to? Thanks.
>
>   1. None of the Java code is/was using that deprecated type (RTTI1DataType) and therefore the old structure is now never built.
>   2. The new type is too large and if used would overwrite other data.
>   3. The deprecated structure would have been built in /Features Base/src/main/java/ghidra/app/util/datatype/microsoft/RTTI1DataType.java.

I misunderstood what you meant and thought you meant that we removed an old data type that we used to have. We never supported this old way, as far as I know. The ticket I referenced above was asking us to support this old style so is the same request you have. I marked this internal since this request is already on our list meaning we were aware of this issue already.