vtable assignment #34

Open
Trass3r opened this issue Sep 18, 2019 · 5 comments
Comments

Trass3r commented Sep 18, 2019

With the #33 patch it's possible to lift a simple C++ program involving vtables.

```cpp
// clang++ -fno-exceptions -fno-rtti -Os -mno-sse vtable.cpp -o vtable
#include <stdint.h>
struct Base
{
	virtual ~Base() = default;
	__attribute__((noinline))
	int publicfoo(uint64_t a, uint64_t b, uint64_t c)
	{
		int d = 5; //foo(a, b);
		return d + 5;
	}
private:
	virtual int foo(uint64_t a, uint64_t b) { return 0; }
	int a;
};

int main()
{
	Base b;
	return 3 + b.publicfoo(1,2,3);
}
```

```asm
lea    rdi,[rsp+0x8]
mov    QWORD PTR [rdi],0x402018
mov    esi,0x1
mov    edx,0x2
mov    ecx,0x3
call   Base::publicfoo
```

```llvm
  %0 = alloca i64, i32 2, align 8
  %1 = ptrtoint i64* %0 to i64
  %2 = inttoptr i64 %1 to i32*
  store i32 4202520, i32* %2, align 8
```

1. It gets the assignment wrong, storing 32-bit instead of 64 according to QWORD PTR.
2. It does not recognize the link to the .rodata section.
3. (minor) It does not recognize the publicfoo parameters correctly (would require inspecting the callsite according to the calling convention).

But other than that it works fine and produces nice output, kudos!

bharadwajy commented Sep 18, 2019

Thanks again for testing the tool and providing the encouragement.

We will look at the issues you pointed out - unless you or someone else can beat us by providing a patch to address these issues :-)

Trass3r commented Sep 18, 2019

Btw, of course the actual virtual call to foo does not work yet. But that's probably known.

@bharadwajy

Yes, you are right. There are a host of extremely interesting C++ idioms to be abstracted (raised) to LLVM IR level once we get a chance to focus on raising C++ binaries.

Trass3r commented Sep 30, 2019

PoC: Trass3r@47e61ec

```llvm
@_ZTV4Base = weak dso_local global [5 x i64] [i64 0, i64 0, i64 4198742, i64 4198744, i64 4198750]

  %1 = getelementptr inbounds [5 x i64], [5 x i64]* @_ZTV4Base, i32 0, i32 2
  %2 = inttoptr i64 %RDI to i64**
  store i64* %1, i64** %2, align 8
```

Basically works but would require something more sophisticated to avoid false positives and the table entries would have to be converted into actual function pointers.
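An added example (not the project's own code) of the two fixes from the opening post, points 1 and 2, in the shape the PoC above produces: the immediate of `mov QWORD PTR [rdi],0x402018` is resolved against a known vtable symbol and lifted as an i64 store of a getelementptr instead of an i32 integer store. The address of `_ZTV4Base` (0x402008) is an assumption derived from the PoC's gep index 2, i.e. 0x402018 minus two 8-byte entries; the entry values are copied from the lifted global.

```python
from dataclasses import dataclass

ENTRY_SIZE = 8  # x86-64 vtable slots are pointers, so QWORD PTR means i64, not i32


@dataclass
class VTableSymbol:
    name: str
    address: int
    entries: list  # raw i64 slot values as they appear in the lifted global


# Constructed from this thread: the five slots of @_ZTV4Base. Slot 0 is
# offset-to-top, slot 1 the (null, -fno-rtti) typeinfo pointer, slots 2..4 the
# virtual functions. The symbol address 0x402008 is an assumption (see lead-in).
BASE_VTABLE = VTableSymbol("_ZTV4Base", 0x402008, [0, 0, 4198742, 4198744, 4198750])


def resolve_immediate(imm, symbols):
    """Map an immediate to (vtable symbol, slot index) when it lands exactly on
    an 8-byte slot of a known vtable; this is the .rodata link from point 2.
    Returns None for addresses outside or misaligned inside every table."""
    for sym in symbols:
        off = imm - sym.address
        if 0 <= off < len(sym.entries) * ENTRY_SIZE and off % ENTRY_SIZE == 0:
            return sym, off // ENTRY_SIZE
    return None


def lift_vptr_store(operand_width, imm, symbols, dst_reg="RDI"):
    """Emit LLVM IR for `mov <width> PTR [dst_reg], imm`. The store width
    follows the operand size (point 1); a resolved 64-bit immediate becomes a
    getelementptr into the vtable global rather than a plain integer."""
    width = {"QWORD": "i64", "DWORD": "i32"}[operand_width]
    hit = resolve_immediate(imm, symbols)
    if hit is None or width != "i64":
        # No vtable match (or a sub-pointer store): keep the integer store,
        # but at the width the instruction actually used.
        return (f"  %2 = inttoptr i64 %{dst_reg} to {width}*\n"
                f"  store {width} {imm}, {width}* %2, align 8")
    sym, idx = hit
    n = len(sym.entries)
    return (f"  %1 = getelementptr inbounds [{n} x i64], [{n} x i64]* @{sym.name}, "
            f"i32 0, i32 {idx}\n"
            f"  %2 = inttoptr i64 %{dst_reg} to i64**\n"
            f"  store i64* %1, i64** %2, align 8")
```

The slot check deliberately rejects misaligned or out-of-range immediates, which is the simplest guard against the false positives the comment above mentions; converting the slot values into real function pointers is still left open.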

Trass3r commented Dec 26, 2019

Related: 6f71623
