Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

197 lines (147 sloc) 5.29 KB

NAME

OOAnalyzer IDA Plugin - IDA plugin to present OOAnalyzer results.

SYNOPSIS

Select "OOAnalyzer" from the IDA Pro plugins menu or press the F3 (Function-3) key.

DESCRIPTION

The OOAnalyzer IDA Pro Plugin allows users to apply OOAnalyzer results to an IDA Pro database. The plugin is a standard IDA Pro Plugin written in IDAPython. When executed the plugin will prompt the analyst to load the JSON output file produced by OOAnalyzer for the MSVC executable file under analysis. Once loaded the JSON is parsed the results are presented to the analyst. The OOAnalyzer Plugin reports how many class structures, virtual function calls, and class usagees found in the executable. Basic statistics about classes is shown in the IDA messages window, for example:

    OOAnalyzer Plugin version 2.0 loaded
    Opened JSON file output.json
    Parsing JSON structures ...
    Found class Base
    ...
    Parsing 1 vftables for class Base ...
      - Adding vtable 406140 at offset 0
    
    Vritual function table name Base_vftable
    Vftables parsed
    Parsing 4 members for class Base ...
      - Found member 'vfptr_0' @ offset 0x0
      - Found member 'mbr_4' @ offset 0x4
      - Found member 'mbr_8' @ offset 0x8
      - Found member 'mbr_c' @ offset 0xc
    Members parsed
    Parsing 1 methods for class Base ...
      - Method ctor_401000 parsed
    All methods parsed
    ...
    
    Completed Parsing JSON structures file: 6 classes found
    Parsing 1 virtual function calls ...
    Parsed virtual function call: Call 4010d4 -> Target(s): 4010a0
    Completed Parsing JSON class usages
    ================================================
    Applying virtual function call 4010d4 -> 4010a0
    ================================================
    Apply some results
    OOAnalyzer Plugin version 2.0 done

The analyst can then decide which C++ data structures to apply. Once the plugin completes, the OOAnalyzer Class Viewer is displayed: to enable users to navigate and edit C++ data structures.

OPTIONS

Apply structures

The OOAanalyzer Plugin will automatically generate IDA Pro structures for reocvered C++ classes and virtual function tables. First the plugin reports the C++ structures, object usages, and virtual function calls found. If the analysts decides to apply all structures found, the constructs are applied to the disassembly listing. Otherwise, they will need to be applied one at a time through the IDA Pro user interface.

INSTALLATION

The OOAnalyzer IDA Pro Plugin is a standard IDA Pro plugin. Refer to the standard IDA Pro guidance (https://www.hex-rays.com/products/ida) for additional information.

EXAMPLES

The OOAnalyzer IDA Pro Plugin uses IDA structures to model C++ classes. For example, the following IDA structures:

    ; Base virtual function table
    Derived_Base_vftable struc ; (sizeof=0xC)
    virt_meth_401020 dd ?
    virt_meth_401040 dd ?
    virt_meth_4010a0 dd ?
    Derived_Base_vftable ends
    
    ; Original mangled name: .?AVDerived@@
    Derived         struc ; (sizeof=0x14)
    parent_0        Base ?
    mbr_10          dd ?
    Derived         ends
    
    ; Base virtual function table
    Base_vftable    struc ; (sizeof=0x8)
    virt_meth_401020 dd ?
    virt_meth_401040 dd ?
    Base_vftable    ends
    
    ; Original mangled name: .?AVBase@@
    Base            struc ; (sizeof=0x10)
    vfptr_0         dd ?
    mbr_4           dd ?
    mbr_8           db ?
                    db ? ; undefined
                    db ? ; undefined
                    db ? ; undefined
    mbr_c           dd ?
    Base            ends

Approximately represents this class definition:

    class Derived : Base {
      int mbr_10;
      Derived();
      virtual int meth_401020(...);
      virtual int meth_401040(...);
      virtual int meth_4010a0(...);
    };
    
    class Base  {
     int mbr_4;
     char mbr_8;
     int mbr_c;
     Base();
     virtual int meth_401020(...);
     virtual int meth_401040(...);
    };

The approximation caveat is becuase some information such as public/private scope, variable names, etc. is lost during compilation. The class name (Derived and Base) was recovered from the RTTI information in the executable file.

Virutal function tables are modeled as separate structures to make them easier to apply to an IDA database (IDB). For example a call to

    Base *b = new Derived();
    b->virt_meth_4010a0();

Will result in the following disassembly with IDA structures applied:

    mov     eax, [esi+Derived.parent_0.vfptr_0] ; Original mangled name: .?AVDerived@@
    mov     edx, [eax+Derived_Base_vftable.virt_meth_4010a0] ; 4010a0
    mov     ecx, esi
    call    edx             ; 4010a0

Note that in IDA, the address comments include XREFs.

In keeping with the interactive nature of IDA Pro, the recovered classes can be edited through the OOAnalyzer Class Viewer. The class viewer allows users to rename and apply structures as needed. Changing relationships between classes, adding, and, removing classes should be done through the IDA structures window.

AUTHOR

Written by the Software Engineering Institute at Carnegie Mellon University. The primary author was Jeffrey Gennari.

COPYRIGHT

Copyright 2018 Carnegie Mellon University. All rights reserved. This software is licensed under a "BSD" license. Please see LICENSE.txt for details.

SEE ALSO

The input JSON files are generated by the Pharos tool "ooanalyzer".

You can’t perform that action at this time.