VFT functions missing in arm64 PE binaries

Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja

https://binary.ninja/

MIT License

908 stars 207 forks source link

VFT functions missing in arm64 PE binaries #4963

Open op2786 opened 8 months ago

op2786 commented 8 months ago

Version and Platform (required):

Binary Ninja Version: 3.6.4790-dev, 10b89271
OS: macos
OS Version: 14.3
CPU Architecture: arm64

Steps To Reproduce:

Load the attached binary into Binary Ninja.
Navigate to address 1400033e8 where vft definitions are located.
See the bug

Screenshots: Without debug symbols:

Debug symbols loaded:

IDA without debug symbols:

Additional Information:

class_test_arm64.zip

plafosse commented 8 months ago

I believe this is just an example of us missing RTTI analysis: https://github.com/Vector35/binaryninja-api/issues/3930 closing as a duplicate. There are a couple of plugins that support parsing and applying this info

op2786 commented 8 months ago

The same binary for x64 or x86 contains data at the address I highlighted in the screenshot. This issue only arises with ARM64 binaries. I can observe that the address indeed holds values in the HxD editor; however, for some reason, BN interprets them all as zeros. Even if BN does not perform RTTI analysis, shouldn't it still display the data present there? @plafosse

plafosse commented 8 months ago

interesting ok guess we need to look into this. Current guess is that we're getting relocations wrong.