ReClassNET / ReClass.NET

More than a ReClass port to the .NET platform.
MIT License

Getting RTTI after Xigncode3 loads #156

Open darrendlin opened 4 years ago

darrendlin commented 4 years ago

I want to preface this by noting that I believe this issue is related to https://github.com/ReClassNET/ReClass.NET/issues/68 .

I'm trying to attach ReClass to a target application protected with Xigncode3 (XC3). If I attach before XC3 loads, I can view the process memory fine for the most part. However, I noticed that class names/inheritances data parsed from RTTI isn't visible (yes, the checkbox is enabled in settings). This is weird because ReClassEx seems to display the data extracted from RTTI just fine for the same application.

Without digging into the source code of either application, I suspect that the RTTI data is retrieved and parsed on process attach in ReClassEx, and this is only done on request in ReClassNet.

If that's the case, would it be possible to make it an option to grab RTTI (and other things that XC3 seems to have stripped) on process attach and display whatever is necessary from the prefetched data rather than fetching and displaying on demand?

If that's not the case, then am I doing something wrong with being able to view class inheritances and other such information?

Thanks!

KN4CK3R commented 4 years ago

ReClassEx reads RTTI info on demand on every update: https://github.com/ajkhoury/ReClassEx/blob/aa53ba5650096552950562e16849d79bbb01f631/ReClass/CNodeBase.cpp#L470

ReClass.NET reads RTTI info on demand too: https://github.com/ReClassNET/ReClass.NET/blob/b89bbfd97bc431d12dc2b8897478c98e09797f09/ReClass.NET/Nodes/BaseHexCommentNode.cs#L44

I have added a cache for RTTI data: https://github.com/ReClassNET/ReClass.NET/blob/b89bbfd97bc431d12dc2b8897478c98e09797f09/ReClass.NET/Memory/RemoteProcess.cs#L346-L358

So at the moment I would assume ReClassEx should show less information.

I don't know if I could cache the RTTI data on attach. ReClass could search all ".?AV" blocks and extract the data and addresses. Then there could be an address lookup to get the info for a class.
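The attach-time prescan sketched above (find every ".?AV" type descriptor name, record its address, then answer class-name lookups from that table) can be illustrated with a small stand-alone script. This is an added example, not ReClass.NET or ReClassEx code; it assumes the MSVC x64 RTTI TypeDescriptor layout (two pointers followed by the NUL-terminated decorated name), a 64-bit pointer size, and a constructed memory snapshot instead of a live process read. Names `build_rtti_cache`, `lookup_class_name`, `demangle_type_name` and `make_snapshot` are illustrative only.

```python
import re
import struct

# Assumption: 64-bit target. MSVC RTTI TypeDescriptor layout as commonly documented:
#   +0   pointer to the type_info vftable
#   +8   spare pointer (normally 0)
#   +16  decorated name, NUL-terminated, e.g. ".?AVPlayer@@" (class) / ".?AUVec3@@" (struct)
POINTER_SIZE = 8
NAME_OFFSET = 2 * POINTER_SIZE

# Decorated MSVC type names start with ".?A", then 'V' (class) or 'U' (struct),
# and end with "@@". Non-greedy so adjacent descriptors are not merged.
_NAME_RE = re.compile(rb"\.\?A[UV][^\x00]*?@@")


def demangle_type_name(raw):
    """Turn a decorated name such as b'.?AVBar@Foo@@' into 'class Foo::Bar'."""
    kind = "class" if raw[3:4] == b"V" else "struct"
    body = raw[4:-2].decode("ascii")
    # Scopes are listed innermost-first and separated by '@'.
    return kind + " " + "::".join(reversed(body.split("@")))


def build_rtti_cache(snapshot, base_address):
    """Scan a memory snapshot once and map TypeDescriptor address -> readable name.

    This is the 'prescan on attach' idea: the lookup table is built from the raw
    bytes alone, so it does not depend on module information being available.
    """
    cache = {}
    for match in _NAME_RE.finditer(snapshot):
        name_offset = match.start()
        if name_offset < NAME_OFFSET:
            continue  # name too close to the start of the region to hold a descriptor header
        descriptor_address = base_address + name_offset - NAME_OFFSET
        cache[descriptor_address] = demangle_type_name(match.group(0))
    return cache


def lookup_class_name(cache, address):
    """Address lookup against the prebuilt cache; None when the address is unknown."""
    return cache.get(address)


def make_snapshot():
    """Constructed sample region: three descriptors separated by filler bytes."""
    def descriptor(decorated_name):
        # vftable pointer value is an arbitrary constructed address; spare pointer is 0.
        return struct.pack("<QQ", 0x140001000, 0) + decorated_name + b"\x00"

    blob = b"\x90" * 32 + descriptor(b".?AVPlayer@@")     # descriptor at offset 32
    blob += b"\x00" * 7 + descriptor(b".?AUVec3@@")       # descriptor at offset 68
    blob += b"\xcc" * 5 + descriptor(b".?AVBar@Foo@@")    # descriptor at offset 100
    return blob


if __name__ == "__main__":
    base = 0x140000000  # constructed image base
    table = build_rtti_cache(make_snapshot(), base)
    for address, name in sorted(table.items()):
        print(f"{address:#x}: {name}")
    print(lookup_class_name(table, base + 68))  # -> "struct Vec3"
```

In a real tool the scan would run once per attach (and again whenever the module list changes), and the per-node comment logic would query the cache by address rather than re-reading and re-parsing the descriptor on every refresh.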

darrendlin commented 4 years ago

So at the moment I would assume ReClassEx should show less informations.

Is this related to why when I try to dig through in-memory function code that I get hit with "Error reading memory" on ReClassEx? I am able to properly look at function code on ReClassNet (verified when looking through IDA) but not class name/inheritance information.

If this isn't an issue of when RTTI is being read and processed (since you pointed out both ReClassEx and ReClassNet do it the same way), what could be causing ReClassNet not to display what ReClassEx displays, and maybe vice versa?

Let me know if screenshots comparing the 2 would help.

KN4CK3R commented 4 years ago

I can't really help you with ReClassEx. Screenshots and/or memory dump of the target would help.

darrendlin commented 4 years ago

This is a side by side comparison of the same memory region viewed in ReClassEx (top) and ReClassNet (bottom). The top shows the RTTI data that I'm interested in seeing in ReClassNet.


It might be useful to note that while I am able to see module information in ReClassEx, I am not able to do so in ReClassNet.

KN4CK3R commented 4 years ago

It might be useful to note that while I am able to see module information in ReClassEx, I am not able to do so in ReClassNet.

I think that's the reason. Without module information this check fails: https://github.com/ReClassNET/ReClass.NET/blob/b89bbfd97bc431d12dc2b8897478c98e09797f09/ReClass.NET/Nodes/BaseHexCommentNode.cs#L33-L34

And then all extra info logic is skipped. Could you try if #135 fixes your problem?

darrendlin commented 4 years ago

Hey, I just checked back and saw that #135 has been merged. I went ahead and built the merged changes on my machine, but I'm still hitting the same issue where RTTI stuff disappears the moment XC3 finishes doing its thing.

Is there something I'm still missing?