Giters

SpadesA99 / better-rtti-parser

IDA script to parse RTTI information in executable.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

RTTI parser

Parses RTTI information from executable.

Example

HexRays decompiler view

Before:

decompiler view before

After:

decompiler view after

Functions window

Before:

functions window before

After:

functions window after

Structs window

structs windows

Install & Run

  1. git clone https://github.com/MlsDmitry/better-rtti-parser
  2. Click on "IDA > File > Script file" and choose rtti_parse.py
  3. Happy RE time!

Why another RTTI parser ?

Known tools didn't have functionality to rename functions based on typeinfo ( e.g. sub_4B5A to BaseClass::AnotherClass::sub_4B5A ). So, I decided to spend few more hours to rewrite code, learn how to write IDA plugins. Finally, it works pretty fast, I really liked it, so I'll continue to update it.

Known issues

No Code refs found for _ZNTV...

Problem:

I didn't find a way to get address of first character of string that matched at some position. If know/found solution just add answer in #1 issue

Steps to resolve:

Find full symbol name for __class_type_info, __si_class_type_info or __vmi_class_type_info by searching in IDA and replace old ones in TiClassKind in rtti_parse.py.

Can't rename byte at 'xxx' because the name is already used in the program.

Problem:

It's a bug that will be fixed in later commits. Probably, will add number prefix to names as IDA does for functions.

Steps to resolve

Click on ignore for this database and continue.

Current cover

  • GNU g++ 64-bit
  • IDA Pro 7.4-7.6
  • Rename functions to BaseClass::AnotherClass::sub_4B5A format
  • Create structures for vtables
  • Fix: some functions are only renamed, but retyping fails
  • Fix: place "v" at the end of symbol only if there are no parameters for function
  • Beta support for ARM 32-bit
  • Find destructors ( Not really sure how accurate it will be )
  • Make class graph
  • IDA Pro 7.0-7.3 support
  • GNU G++ 32-bit
  • MSVC 64-bit
  • MSVC 32-bit

Test environment

  • Windows 10 2021 H1
  • IDA Pro 7.6
  • Python 3.10 ( I'm surprised this python version works well )
  • x64 GNU g++ binary

Examples

Check out example folder. There are .elf files for you to test.

Example output ->

an image should be here

Credits

  1. @IgorSkochinsky for http://www.hexblog.com/wp-content/uploads/2012/06/Recon-2012-Skochinsky-Compiler-Internals.pdf ( plugin algo entirely based on his research )
  2. @layle_ctf made my life easier with IDA remote script execution and debugging https://github.com/ioncodes/idacode

About

IDA script to parse RTTI information in executable.

Languages

Language:Python 100.0%