Closed happydpc closed 4 years ago
The types are in alphabetical order so it would be further down the list. If it isn't showing in the list, may you enter the following in Ghidra's python to see if it imports successfully?
from ghidra.app.cmd.data.rtti.gcc.factory import TypeInfoFactoryDataType
You could also check for the existence of the Windows C++ Class Analyzer, since it is a Windows dll. That portion of the readme was written before the analyzer came into existence.
1. "from ghidra.app.cmd.data.rtti.gcc.factory import TypeInfoFactoryDataType" is the gcc factory. Now on Windows, this is the error:
Traceback (most recent call last):
  File "python", line 1, in <module>
ImportError: No module named gcc
2. Could you please make a video about how to use this? It's confusing to use. Thank you.
It appears that there is indeed something wrong. May you attach the ghidra application log? Please be aware that it will reveal the filenames of files you have analyzed. You are free to edit them out of course.
Are you using a pre built release or did you build it yourself?
I can make a video if it's necessary. It is as simple as loading ghidra and running analysis as usual though. The analyzers are enabled by default.
If you're using a release it may be due to recent changes in ghidra. If this is the case I just need to put out another release.
Thanks, looking forward to your tutorial video and next release. I am going to dive into it.
@happydpc I'm attaching the current build of the analyzer to this comment. I am using it on ghidra 9.2 2267d896256b961324fea82f917983005e81fecf. May you confirm this works for you?
Yes, it shows the TypeInfo. But how do I use this, and what's the GccRtti analyzer? The ghidra scripts directory doesn't contain that.
When a binary compiled with clang, gcc or mingw is open, the GccRttiAnalyzer and GccC++ClassAnalyzer will appear among the standard analyzers. For binaries compiled with Visual Studio the WindowsC++ClassAnalyzer will appear. They should be enabled by default.
It may be a few weeks or longer until I can get a video up. I'll put out a new release tomorrow in the meantime.
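The checks suggested in this thread (does the extension's class load, do the analyzers show up, is the TypeInfo built-in data type present) can be done in one headless-friendly script rather than by hand. The following is an added example for this page and is not part of Ghidra-Cpp-Class-Analyzer or of Ghidra; it assumes the analyzer display names match the ones quoted above up to spacing, that the built-in data type is reachable at the path "/TypeInfo", and that the extension class lives at the fully qualified name used in the import above. Drop it into a script directory as CheckCppClassAnalyzerInstall.java and run it from the Script Manager with the problem binary open.

```java
// Added diagnostic script; not the project's own code. Reports whether the
// Ghidra-Cpp-Class-Analyzer extension is actually visible to this Ghidra.
import java.util.ArrayList;
import java.util.List;

import ghidra.app.script.GhidraScript;
import ghidra.app.services.Analyzer;
import ghidra.program.model.data.BuiltInDataTypeManager;
import ghidra.program.model.data.DataType;
import ghidra.program.model.data.DataTypeManager;
import ghidra.util.classfinder.ClassSearcher;

public class CheckCppClassAnalyzerInstall extends GhidraScript {

    // Analyzer names quoted in the thread. Assumption: Analyzer.getName() returns
    // these names (possibly with spaces); adjust if your build names them differently.
    private static final String[] EXPECTED_ANALYZERS = {
        "GccRttiAnalyzer", "GccC++ClassAnalyzer", "WindowsC++ClassAnalyzer"
    };

    // Assumption: the class the thread tried to import from the python console.
    private static final String FACTORY_CLASS =
        "ghidra.app.cmd.data.rtti.gcc.factory.TypeInfoFactoryDataType";

    @Override
    public void run() throws Exception {
        // 1. Which Analyzer implementations does Ghidra's class searcher see?
        //    If the extension jar is not on the classpath, its analyzers never show
        //    up in the Auto Analysis dialog no matter what the readme says.
        List<Analyzer> analyzers = ClassSearcher.getInstances(Analyzer.class);
        List<String> names = new ArrayList<>();
        for (Analyzer a : analyzers) {
            names.add(a.getName().replace(" ", ""));
        }
        for (String want : EXPECTED_ANALYZERS) {
            boolean found = false;
            for (String have : names) {
                if (have.equalsIgnoreCase(want)) {
                    found = true;
                    break;
                }
            }
            println((found ? "[ok]      " : "[missing] ") + "analyzer " + want);
        }

        // 2. Is TypeInfo registered in the built-in data type manager?
        //    Assumption: the extension registers it at the root as "/TypeInfo".
        DataTypeManager builtIn = BuiltInDataTypeManager.getDataTypeManager();
        DataType typeInfo = builtIn.getDataType("/TypeInfo");
        if (typeInfo == null) {
            println("[missing] built-in data type /TypeInfo");
        } else {
            println("[ok]      built-in data type /TypeInfo (" + typeInfo.getClass().getName() + ")");
        }

        // 3. Can the extension class be loaded at all? Mirrors the python import check.
        try {
            Class.forName(FACTORY_CLASS);
            println("[ok]      class " + FACTORY_CLASS + " loads");
        } catch (ClassNotFoundException e) {
            println("[missing] class " + FACTORY_CLASS + " (extension not installed or built for another Ghidra)");
        }

        // 4. Which compiler did Ghidra detect for the open program? This decides
        //    whether the Gcc* analyzers or the Windows one are expected to appear.
        if (currentProgram != null) {
            println("program compiler: " + currentProgram.getCompiler()
                + ", format: " + currentProgram.getExecutableFormat());
        } else {
            println("no program open; compiler check skipped");
        }
    }
}
```

A "[missing]" on the class check together with "[missing]" on every analyzer usually means the extension was built against a different Ghidra revision than the one running, which is the situation the maintainer describes above; a loaded class with missing analyzers points at a packaging problem in the extension itself.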
Thank you for all your work.
Another question is where's the json db file? A bit confusing.
From the ghidra installation it should be located at Ghidra\Extensions\Ghidra-Cpp-Class-Analyzer\data. I'll see if I can make it open there when asking for a file the first time. I just noticed that the ghidra scripts were not included in the attachment I provided above as I had removed them in my own installation to prevent naming conflicts during debugging.
There's no data directory. And after clicking the Windows C++ class analyzer, it shows this -snip-
Your binary contains control flow guard. When cfg is present some of the vftable entries point to the control flow guard functions instead of the classes' virtual functions and I currently do not know how to retrieve the correct address. I found it appropriate to notify the user of this and not do any vftable-related analysis instead of risking incorrectly marking functions.
If anyone has any information on how the correct virtual function address can be obtained from the vftable address and table index, that information would be appreciated.
Yes, that's the problem. Maybe we can offer an easy option to just create vtables from metadata.
Ghidra has a built-in analyzer for RTTI in Visual Studio binaries. It is responsible for locating and marking up the data.
When cfg is present some things are still performed. I don't remember the full list off the top of my head, but a reconstruction of class structures based on their class inheritance should still be performed. Unfortunately there is less checking that can be performed, and classes which are not inherited cannot be added as members in the structure. This is because the real addresses of the virtual functions are not known.
I would like to be able to perform complete analysis even when cfg is present. Unfortunately there seems to be a lack of accurate information regarding how cfg is performed for virtual functions. This leaves me to do a lot of research on my own. While doing my own research is both not a problem and something I love, I don't currently have the free time to do so. Research into the gcc rtti, vtables and how to accurately reconstruct the class structures took me roughly 3 months of continuous work. Approximately 14+ hours a day, 7 days a week for 3 months went into it. I do consider the results to be well worth it.
@happydpc sorry for editing your comment. It was an accident; I'm on my phone and thought I was editing my response.
That's ok, I will try to make an easy, handy creator tool from your code. I have also tested the OOAnalyzer tool from https://github.com/cmu-sei/pharos; it's cool and amazing. But it costs too much time on some big binaries.
As the images showed, the TypeInfo datatype is not shown in the BuiltInTypes datatype manager.