META - vtable detection for C++, ObjectiveC, Dlang and Swift binaries

[pinkflawd]

• [ ] C++ structures parsing for VC++ generated binaries https://github.com/REhints/HexRaysCodeXplorer & http://www.openrce.org/articles/full_view/23
• [ ] C++ structures parsing for OS X clang C++ generated binaries https://github.com/cocoahuke/maclook4ref
• [ ] C++ structures parsing for *nix GCC C++ generated binaries
• [ ] COM classes parsing for Windows binaries https://github.com/nektra/vtbl-ida-pro-plugin + http://blog.nektra.com/main/2013/03/27/how-to-identify-virtual-table-functions-with-the-vtbl-ida-pro-plugin/

What should be done (in C, as part of radare2):

• [x] Parsing vtables
• [x] Parsing RTTI
• [x] av commands to view that data
• [x] Parsing SEH
• [x] Parsing .eh_frame
• [ ] Connecting classes with their methods
• [ ] Class inheritance - nesting data structs
• [ ] Constructors and destructors autorecognition
• [ ] try/catch/finally recognition and marking
• [ ] arguments recognition
• [x] ASCII/graphviz graph of class inheritance/structure inheritance
• [ ] Tests with sources for C++, ObjC and Swift, for radare2-regressions

See code at

• libr/anal/vtable.c
• libr/anal/rtti.c
• libr/anal/rtti_msvc.c

Examples of similar features in another programs:

• https://github.com/astrelsky/Ghidra-Cpp-Class-Analyzer

---

Attached binary is malware written in C++, lots of vtables, not detected with av command. password is infected

banito.zip password: "infected" 2018-asplos.pdf

[Maijin]

Current code is here https://github.com/radare/radare2/blob/master/libr/anal/vtable.c

[Maijin]

See implementation here https://github.com/REhints/HexRaysCodeXplorer

[pinkflawd]

This blog describes how MS VC++ works quite well http://www.openrce.org/articles/full_view/23

The problem with MS VC++ binaries is, that they don't necessarily come with information on their class structure, there is just something called RTTI, which, at least for malware, is almost always stripped. Finding vtables within the binary is done either sweeping the code section for .. well things that look like vtable structures, or, as done by CodeExplorer, starting from the code and searching for constructors and hoping to find a vtable offset within the arguments. Neat would be, trying to recover not only vtables, but entire object structures. This would require lots of constructor detection, parsing, and I think guessing, though.

I'm sure there are more thorough ways of doing this, will think about it and update this thread.

[XVilka]

I'm renaming this issue in the [META] for all vtables and C++ metainformation.

[XVilka]

@codeuchiha for your reference

[PankajKataria]

Thank you @XVilka @pinkflawd @Maijin for providing resources, however I am stuck at parsing RTTI for GCC it will very helpful if some one can point out resources for that too. @pinkflawd yes RTTI (runtime type infromations) structures are present in both cases(MVSC or GCC), it's a way of storing class information and it's inheritance hierarchy by the compiler. I have described the approach we used to find virtual tables for elf files here : https://goo.gl/CDDEI5

[pinkflawd]

Cool, thanks for the link! As for GCC RTTI or RTTI in general I know this presentation http://www.hexblog.com/wp-content/uploads/2012/06/Recon-2012-Skochinsky-Compiler-Internals.pdf - contains some info. A note though, not sure how it is with benign binaries, but malware doesn't usually come with RTTI information.

[PankajKataria]

@pinkflawd I totally agree that the binary doesn't always comes with RTTI structures, but we are first aiming to develop for the case where RTTI is present and then will keep improving including different scenarios and Thank you for the link.

[pinkflawd]

sure sure :)

[XVilka]

Also a scripts from our lovely Binary Ninja https://github.com/trailofbits/binjascripts/tree/master/vtable-navigator

[XVilka]

Adding one more for vtables/C++ metainfo parsing - https://github.com/igogo-x86/HexRaysPyTools

[awhawks]

This from REcon 2011 look useful as well - Practical C++ Decompilation

[XVilka]

See also https://llvm.org/docs/HowToSetUpLLVMStyleRTTI.html

[XVilka]

Those are for Swift:

• https://mikeash.com/pyblog/friday-qa-2014-07-18-exploring-swift-memory-layout.html
• https://www.raizlabs.com/dev/2016/12/swift-method-dispatch/

[XVilka]

This one is for ObjectiveC http://cocoasamurai.blogspot.com/2010/01/understanding-objective-c-runtime.html

[XVilka]

New plugin by NCC Group https://github.com/nccgroup/PythonClassInformer https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/october/python-class-informer-an-idapython-plugin-for-viewing-run-time-type-information-rtti/

[XVilka]

See also vtables/RTTI parsing from RetDec https://github.com/avast-tl/retdec/tree/master/src/bin2llvmir/optimizations/vtable

[radare]

See https://github.com/bazad/memctl

[XVilka]

Also https://github.com/cocoahuke/maclook4ref

[XVilka]

See also https://github.com/RUB-SysSec/Marx thanks to @radare Paper is here https://www.syssec.rub.de/media/emma/veroeffentlichungen/2016/12/22/marx_ndss2017.pdf

[Maijin]

https://github.com/whitequark/binja_itanium_cxx_abi

[XVilka]

Future implementers - note, that current code in libr/core/anal_vt.c is flawed since it targets x86 only. The detection should be crossplatform.

[XVilka]

See also https://alschwalm.com/blog/static/2016/12/17/reversing-c-virtual-functions/ + https://alschwalm.com/blog/static/2017/01/24/reversing-c-virtual-functions-part-2-2/

[XVilka]

See also more in https://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf

[XVilka]

And also http://blog.httrack.com/blog/2014/05/09/a-basic-glance-at-the-virtual-table/ for GCC

[thestr4ng3r]

I will try to do msvc soon.

[Maijin]

@thestr4ng3r @XVilka @r00tus3r can you check the boxes in the initial post of the issue so we know what is remaining to do here?

[XVilka]

@sivaramaaa I think along with types information loading from PDB and DWARF we can load C++ classes as structures at first. Assigning you to think about how it can be done the fastest/easiest way.

@Maijin done, we need to add more tests into r2r for this.

[XVilka]

Added this paper https://www.cs.tau.ac.il/~maon/pubs/2018-asplos.pdf

[XVilka]

See also https://github.com/0xgalz/Virtuailor tool for creating automatic C++ virtual tables in IDA Pro based on the runtime information.

[XVilka]

See also (Pharos) https://edmcman.github.io/papers/ccs18.pdf + https://edmcman.github.io/pres/ccs18.pdf

https://github.com/cmu-sei/pharos

[XVilka]

DeClassifier: Class-Inheritance InferenceEngine for Optimized C++ Binaries 1901.10073.pdf

[XVilka]

One more implementation: https://github.com/astrelsky/Ghidra-Cpp-Class-Analyzer

[HoundThe]

I guess I can tick, ASCII inheritance graph with this PR https://github.com/radareorg/radare2/pull/17362

[XVilka]

See also these for extracting C++ classes information from kernelcache:

• https://github.com/0x36/ghidra_kernelcache
• https://github.com/bazad/ida_kernelcache