Closed maskelihileci closed 2 years ago
Is there run time type information present?
https://sourceforge.net/projects/classinformer/
I can extract the RTTI information with the plugin here.
When I go to the address of one of those pieces of information in the picture, I see that it is not resolved.
I see. Unfortunately, for Visual Studio compiled programs my plugin piggybacks off of the RTTI detected by the WindowsRttiAnalyzer that comes with Ghidra. If RTTI is present but it isn't being found, then it is most likely an issue with that analyzer and not the plugin.
I can take a quick look at the Ghidra log file to check for any indication of a problem for either analyzer if you'd like. Just be advised that the program name and information you are covering will be present in the logs. I have no problem with it if you redact that information.
The log file is located at something like C:\User\{user}\.ghidra\.ghidra_{version}\application.log for Windows and ~/.ghidra/.ghidra_{version}/application.log for Linux.
Thanks for the help, I hope we can fix the error.
There are some really strange things going on here. For example, multiple Ghidra installation files from 9.1.2 on the G drive are being used with Ghidra 10.1.3, which makes 0 sense. I doubt that is the cause of the problem here, but I figured I'd point it out anyway.
I do see indications that my analyzers have processed some classes but I'm not sure which session or program was the problematic one.
I was updating by copying files on top of the previous Ghidra version.
I reset it now and it still doesn't work. But the interesting thing is that when I analyze another application it works, only this application does not work.
I think I got the point: your plugin lists the analyzed RTTI partition. The reason it is not being analyzed is that the "Windows x86 PE RTTI Analyzer" plug-in is not working properly.
This is because the app I'm trying to analyze was unpacked from Themida; it cannot analyze it well because the PE section is not smooth, I guess. The analysis method of Ghidra and the analysis method of the Class Informer application are different.
I can see how an unpacked program that was using Themida could be problematic. Could you tell me the names of the sections in the unpacked program? We may be able to hack around it by temporarily modifying a memory block.
I noticed that it gives an error because the segment names are different. But the main problem is that the RTTI part is in the .text segment, I'm looking for a way to split the segments.
After making the .text segment .data, the analysis was successful, but I wonder if this will do any harm to the analysis in ghidra software?
You don't need to modify the PE itself. You can freely add/edit/delete memory blocks in Ghidra as you wish. Clicking this icon will bring up the menu where you can do that.
If I remember correctly, the analyzer built in to Ghidra looks for .data and/or .rodata or maybe .rdata. Either way, you can make the changes you patched into your PE in Ghidra itself without altering the underlying file.
Ghidra should be able to handle the hacked up PE just fine.
I tried that, it didn't work, and that's the thing that surprised me. I guess the Ghidra software does not take into account segment names that are edited later.
As you can see in the picture above, I fixed it afterwards, but it still didn't work. I have to fix the segment names before I send the file to Ghidra.
The picture below is an example from IDA Pro.
As you can see in the pictures, everything is normal, but there is no result.