v1.7

Automatic virtual function table identification Improved type REconstruction Bug fixes
REhints · May 27, 2015 · 6e5d5ca · 6e5d5ca
1 parent ea75b4f
commit 6e5d5ca
Show file tree

Hide file tree

Showing 9 changed files with 222 additions and 127 deletions.
diff --git a/README.md b/README.md
@@ -29,6 +29,10 @@ __Here are the main features of the plugin:__
 Also CodeXplorer plugin supports auto REconstruction type into IDA local types storage.
 
 ![6](img/6.png)
+
+* ***Virtual function table identification***  - automatically identifies references to virtual function tables during type reconstruction. When a reference to a virtual function table is identified the plugin generates a corresponding C-structure. As shown below during reconstructing `struct_local_data_storage` two virtual function tables were identified and, as a result, two corresponding structures were generated: `struct_local_data_storage_VTABLE_0` and `struct_local_data_storage_VTABLE_4`.
+
+![12](img/12.png)
 
 * ***C-tree graph visualization*** – a special tree-like structure representing a decompiled routine in citem_t terms (hexrays.hpp). Useful feature for understanding how the decompiler works. The highlighted graph node corresponds to the current cursor position in the HexRays Pseudocode window:
 

diff --git a/bin/v1.7 [NSEC15 Edition]/HexRaysCodeXplorer.p64 b/bin/v1.7 [NSEC15 Edition]/HexRaysCodeXplorer.p64
diff --git a/bin/v1.7 [NSEC15 Edition]/HexRaysCodeXplorer.plw b/bin/v1.7 [NSEC15 Edition]/HexRaysCodeXplorer.plw
diff --git a/img/12.png b/img/12.png
diff --git a/src/HexRaysCodeXplorer.sln b/src/HexRaysCodeXplorer.sln
@@ -19,8 +19,8 @@ Global
 		{F7E6B557-41F3-444A-BCA4-3527547DD665}.Debug|Win32.Build.0 = Debug|Win32
 		{F7E6B557-41F3-444A-BCA4-3527547DD665}.Release x64|Win32.ActiveCfg = Release x64|Win32
 		{F7E6B557-41F3-444A-BCA4-3527547DD665}.Release x64|Win32.Build.0 = Release x64|Win32
-		{F7E6B557-41F3-444A-BCA4-3527547DD665}.Release|Win32.ActiveCfg = Release x64|Win32
-		{F7E6B557-41F3-444A-BCA4-3527547DD665}.Release|Win32.Build.0 = Release x64|Win32
+		{F7E6B557-41F3-444A-BCA4-3527547DD665}.Release|Win32.ActiveCfg = Release|Win32
+		{F7E6B557-41F3-444A-BCA4-3527547DD665}.Release|Win32.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

diff --git a/src/HexRaysCodeXplorer/CodeXplorer.cpp b/src/HexRaysCodeXplorer/CodeXplorer.cpp
@@ -304,10 +304,12 @@ static bool idaapi decompile_func(vdui_t &vu)
 		  while((proc_name > tmp) && (*(proc_name - 1) != '>'))
 			  proc_name --;
 
-		  func_t * func = get_func_by_name(proc_name);
-		  if(func != NULL)
-		  {
-			  vdui_t * decompiled_window = open_pseudocode(func->startEA, -1);
+		  if (proc_name != tmp) {
+			  func_t * func = get_func_by_name(proc_name);
+			  if(func != NULL)
+			  {
+				  vdui_t * decompiled_window = open_pseudocode(func->startEA, -1);
+			  }
 		  }
 	  }
   }

diff --git a/src/HexRaysCodeXplorer/ObjectExplorer.cpp b/src/HexRaysCodeXplorer/ObjectExplorer.cpp
@@ -135,6 +135,7 @@ BOOL get_vtbl_info(ea_t ea_address, VTBL_info_t &vtbl_info)
 }
 
 
+
 qvector <VTBL_info_t> vtbl_t_list;
 qvector <qstring> vtbl_list; // list of vtables for ObjectExplrer view
 static BOOL process_vtbl(ea_t &ea_sect)
@@ -153,7 +154,7 @@ static BOOL process_vtbl(ea_t &ea_sect)
 				vftable_info_t.vtbl_name = get_short_name(vftable_info_t.ea_begin);
 
 				qstring vtbl_info_str;
-				vtbl_info_str.cat_sprnt(" 0x%x - 0x%x:  %s  methods count: %u", vftable_info_t.ea_begin, vftable_info_t.ea_end, vftable_info_t.vtbl_name, vftable_info_t.methods);
+				vtbl_info_str.cat_sprnt(" 0x%x - 0x%x:  %s  methods count: %d", vftable_info_t.ea_begin, vftable_info_t.ea_end, vftable_info_t.vtbl_name.c_str(), vftable_info_t.methods);
 				vtbl_list.push_back(vtbl_info_str);
 
 				vtbl_t_list.push_back(vftable_info_t);
@@ -169,8 +170,26 @@ static BOOL process_vtbl(ea_t &ea_sect)
 	return(FALSE);
 }
 
+bool get_vbtbl_by_ea(ea_t vtbl_addr, VTBL_info_t &vtbl) {
+	bool result = false;
+
+	search_objects(false);
+
+	qvector <VTBL_info_t>::iterator vtbl_iter;
+
+	for (vtbl_iter = vtbl_t_list.begin(); vtbl_iter != vtbl_t_list.end(); vtbl_iter++) {
+		if ((*vtbl_iter).ea_begin == vtbl_addr) {
+			vtbl =  *vtbl_iter;
+			result = true;
+			break;
+		}
+	}
+
+	return result;
+}
+
 
-tid_t create_vtbl_struct(ea_t vtbl_addr, char* vtbl_name, uval_t idx, unsigned int* vtbl_len = NULL)
+tid_t create_vtbl_struct(ea_t vtbl_addr, ea_t vtbl_addr_end, char* vtbl_name, uval_t idx, unsigned int* vtbl_len)
 {
 	qstring struc_name = vtbl_name;
 	tid_t id = add_struc(BADADDR, struc_name.c_str());
@@ -188,7 +207,7 @@ tid_t create_vtbl_struct(ea_t vtbl_addr, char* vtbl_name, uval_t idx, unsigned i
 
 	ea_t ea = vtbl_addr;
 	int offset = 0;
-	while (TRUE)
+	while (ea < vtbl_addr_end)
 	{
 		offset = ea - vtbl_addr;
 		qstring method_name;
@@ -201,7 +220,8 @@ tid_t create_vtbl_struct(ea_t vtbl_addr, char* vtbl_name, uval_t idx, unsigned i
 		char* struc_member_name = NULL;
 		if (isFunc(method_flags))
 		{
-			if ((method_name = get_short_name(method_ea)) != NULL)
+			method_name = get_short_name(method_ea);
+			if (method_name.length() != 0)
 				struc_member_name = (char*)method_name.c_str();
 		}
 
@@ -277,26 +297,33 @@ void process_rtti()
 //---------------------------------------------------------------------------
 // Handle VTBL & RTTI 
 //---------------------------------------------------------------------------
-void search_objects()
+
+bool bScaned = false;
+
+void search_objects(bool bForce)
 {
-	segment_t *text_seg = get_segm_by_name(".text");
+	if(!bScaned || bForce) {
+		segment_t *text_seg = get_segm_by_name(".text");
 
-	if (text_seg != NULL)
-	{
-		ea_t ea_text = text_seg->startEA;
-		while (ea_text <= text_seg->endEA)
-			process_vtbl(ea_text);
-	}
+		if (text_seg != NULL)
+		{
+			ea_t ea_text = text_seg->startEA;
+			while (ea_text <= text_seg->endEA)
+				process_vtbl(ea_text);
+		}
 
-	segment_t *rdata_seg = get_segm_by_name(".rdata");
-	if (rdata_seg != NULL)
-	{
-		ea_t ea_rdata = rdata_seg->startEA;
-		while (ea_rdata <= rdata_seg->endEA)
-			process_vtbl(ea_rdata);
-	}
+		segment_t *rdata_seg = get_segm_by_name(".rdata");
+		if (rdata_seg != NULL)
+		{
+			ea_t ea_rdata = rdata_seg->startEA;
+			while (ea_rdata <= rdata_seg->endEA)
+				process_vtbl(ea_rdata);
+		}
 
-	process_rtti();
+		process_rtti();
+
+		bScaned = true;
+	}
 }
 
 
@@ -311,7 +338,7 @@ static bool idaapi make_vtbl_struct_cb(void *ud)
 	VTBL_info_t vtbl_t = vtbl_t_list[current_line_pos];
 	tid_t id = add_struc(BADADDR, vtbl_t.vtbl_name.c_str());
 
-	create_vtbl_struct(vtbl_t.ea_begin, (char*)vtbl_t.vtbl_name.c_str(), id);
+	create_vtbl_struct(vtbl_t.ea_begin, vtbl_t.ea_end, (char*)vtbl_t.vtbl_name.c_str(), id);
 
 	return true;
 }

diff --git a/src/HexRaysCodeXplorer/ObjectExplorer.h b/src/HexRaysCodeXplorer/ObjectExplorer.h
@@ -63,7 +63,7 @@ BOOL get_vtbl_info(ea_t ea_address, VTBL_info_t &vtbl_info);
 inline BOOL is_valid_name(LPCSTR name){ return(*((PDWORD) name) == 0x375F3F3F /*"??_7"*/); }
 void parse_vft_members(LPCTSTR name, ea_t ea_start, ea_t ea_end);
 
-void search_objects();
+void search_objects(bool bForce = true);
 
 
 template <class T> BOOL verify_32_t(ea_t ea_ptr, T &rvalue)
@@ -135,4 +135,8 @@ ea_t find_RTTI(ea_t start_ea, ea_t end_ea);
 char* get_demangle_name(ea_t class_addr);
 void process_rtti();
 
-LPCTSTR get_text_disasm(ea_t ea);
+LPCTSTR get_text_disasm(ea_t ea);
+
+bool get_vbtbl_by_ea(ea_t vtbl_addr, VTBL_info_t &vtbl);
+
+tid_t create_vtbl_struct(ea_t vtbl_addr, ea_t vtbl_addr_end, char* vtbl_name, uval_t idx, unsigned int* vtbl_len = NULL);