
Class Informer By Sirmabus

Discussion in 'Plugins' started by storm shadow, Feb 8, 2013.

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Class Informer 2.0 from macromonkey

    IDA Pro Win32 class vftable finder, namer, fixer, viewer plug-in.

    Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
    Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table").
    Creates a handy list window with found vftables for browsing.

    Puts more context on class/structure related things to aid in reverse engineering.

    RTTI ("Run-Time Type Identification")
    RTCI ("Run Time Class Information"), the MFC forerunner to RTTI

    Based on the article and materials by Igor Skochinsky:
    Reversing Microsoft Visual C++ Part II: Classes, Methods and RTTI

    The plug-in dialog:
    [IMG]

    Example vftable info set by plug-in:
    [IMG]

    Example vftable output list:
    [IMG]

    In this executable, which was largely C++ with RTTI, this plug-in added a lot of contextual class data.
    Plus, in this case, it added a good amount of clean-up as the result of properly identifying and placing various RTTI data structures.
    Typically when IDA sees previously unknown data now defined, it will automatically reanalyze associated areas, which can result in yet more data references and previously unknown functions being found. Removes more of the "unknown".

    Version 1.06
    Quote:
    1.06 - 1) Added persistent vftable list storage.
    2) Removed the many unnecessary "autoWait()" calls that caused a bit of a slow down.
    3) Fixed broken and updated some custom UI elements.
    4) Fixed the multi-segment select feature for the non-QT version and
    added a working setup for the QT version too. For QT, after desired
    segments are selected right click on the list and do "Select"
    followed by the "Okay" button.
    5) Added the ".data" segment to the default data search since vftables
    are often located there (in addition to ".rdata").

    1.05 - 1) The problem with the plug-in not being ready on invocation was fixed
    by returning PLUGIN_KEEP on init to stay resident.
    2) The fix in 1.04 didn't quite do it for structure placement problems.
    In particular there remains a run on problem in IDA when marking some
    areas "unknown"; these "do_unknown()" calls have been removed and
    each structure element is individually placed one by one before
    attempting to place the actual assorted structures.

    1.04 - 1) Now ensures RTTI type name strings are set.

    1.03 - 1) Added check and warning message for invalid start and end addresses
    with "_initterm" type static/global ctor & dtor tables.
    Would cause a negative count run-on condition that could trample over
    a large data area.
    2) UI customizations auto-disabled when using IDA Qt version.
    3) Current IDA view is refreshed on completion to show changes.
    4) Fixed a stall that could result from repeated failed attempts at an
    RTTI type placement. Plus fixed the pattern for these so they could
    be properly placed.

    1.02 - 1) Added user code and data segment selector.
    Allows user to select multiple data and code segments instead of the
    default of ".text" and ".rdata" by name.
    For those rare executable targets that have multiple code sections,
    and, or, unpacked executables with mixed segments, etc.
    2) Added config option for verbose output to the debugger channel.
    3) Improved overall processing speed.
    4) Since there can be multiple instances of the same class or structure,
    and IDA names must be unique, all duplicate names are now serialized.
    More things labeled, and no more "duplicate name" warning spam.
    Note: Affects only label names; commented names are not altered.
    5) Updated to IDA SDK 5.5
    6) Added links to Sirmabus IDA plug-ins support forum.

    1.01 - 1) No longer pops up an error and exits IDA when an incompatible IDB is
    loaded. Just displays a "not loaded" log message now.
    2) Fixed IDA tab page update issue.
    3) Now built with IDA SDK 5.4, and tested with IDA 5.4.
    4) Fixed incorrect string placement in the RTTI type info struct.
    Now the structures are right, which makes a cleaner DB.
    This was a major bottleneck that caused the structure placement to be
    about 36x slower, now only about 1x.
    5) Fixed some misspellings.


    http://sourceforge.net/projects/classinformer/
    Last edited: Jul 11, 2015
    Rip Cord likes this.
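    As an added illustration of what the scan described above looks for (example code written for this page, not Class Informer's own source): in a 32-bit MSVC binary the vftable is preceded by a pointer to an RTTICompleteObjectLocator, whose pTypeDescriptor field leads to the mangled class name. The .rdata image, the addresses and the class name CFoo below are constructed sample data.

```python
import struct

# Constructed sample layout (not from any real binary).
RDATA_BASE = 0x00402000
TEXT_START, TEXT_END = 0x00401000, 0x00402000

def build_sample_rdata():
    """Constructed .rdata image: TypeDescriptor (+0x00), RTTICompleteObjectLocator
    (+0x20), a class hierarchy descriptor stub (+0x40), then the COL pointer (+0x50)
    followed by a 3-entry vftable and a zero terminator."""
    td = (struct.pack("<II", 0x00403000, 0) + b".?AVCFoo@@\0").ljust(0x20, b"\0")
    col = struct.pack("<IIIII", 0, 0, 0, RDATA_BASE, RDATA_BASE + 0x40).ljust(0x20, b"\0")
    chd = b"\0" * 0x10
    vft = struct.pack("<IIII", RDATA_BASE + 0x20, 0x00401010, 0x00401040, 0x00401080)
    return td + col + chd + vft + struct.pack("<I", 0)

def u32(data, off):
    return struct.unpack_from("<I", data, off)[0]

def in_rdata(addr, data):
    return RDATA_BASE <= addr <= RDATA_BASE + len(data) - 4

def read_type_name(data, td_ea):
    # TypeDescriptor: +0 pVFTable (type_info), +4 spare, +8 NUL-terminated mangled name
    off = td_ea - RDATA_BASE + 8
    return data[off:data.index(b"\0", off)].decode("ascii")

def find_vftables(data):
    """Return (vftable_ea, class_name, entry_count, this_offset) for each vftable
    found by validating the COL -> TypeDescriptor chain, the way the plug-in does."""
    found = []
    for off in range(0, len(data) - 3, 4):
        col_ea = u32(data, off)
        if not in_rdata(col_ea, data) or col_ea + 20 > RDATA_BASE + len(data):
            continue
        sig, offset, _cd, td_ea, chd_ea = struct.unpack_from("<IIIII", data, col_ea - RDATA_BASE)
        if sig != 0 or not in_rdata(td_ea, data) or not in_rdata(chd_ea, data):
            continue  # signature is 0 for 32-bit RTTI; pointers must stay in-segment
        try:
            name = read_type_name(data, td_ea)
        except ValueError:
            continue
        if not name.startswith(".?A"):
            continue  # ".?AV" = class, ".?AU" = struct
        vft_ea, n = RDATA_BASE + off + 4, 0
        while off + 4 * (n + 2) <= len(data) and TEXT_START <= u32(data, off + 4 * (n + 1)) < TEXT_END:
            n += 1  # count consecutive entries that point into .text
        if n:
            found.append((vft_ea, name[4:].rstrip("@"), n, offset))
    return found
```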
  2. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    new version out


    Nopers, roocoon and Rip Cord like this.
  3. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Very nice to see that @Sirmabus started to develop with Qt.
    Apps look much more vibrant, and with much nicer colors. Good reminder of what we can do with Qt.
  4. sendersu

    Active Member

    v2 of the plugin is definitely a huge improvement

    minor comment:

    could we have 1 method per line?
    the current approach of ClassInformer, showing class methods like array vars,
    is not very readable.....
    eg: http://prntscr.com/7cqr0v
    would be nice to have 1 method per row
    or make such an option (checkbox) for the end user...

    thanks.
  5. Sirmabus

    Member Ida Pro Expert

    Thanks much.

    I'm sure it's easier to do from Python since it's sort of abstracted away from a lot of the binary details, but it's not all that difficult for C++ still.
    See: http://www.macromonkey.com/qt-4-8-4-on-windows-for-ida-pro-cc-plug-in-development-part-1/

    Took me a second there to see what you were saying..
    That's strange, I haven't seen IDA make vftables into an array like that before.
    Anyone else have methods like this convert to an array?
    The only way I could duplicate the effect was to manually select a method, right click and do "array" with a count.

    The plug-in doesn't call any "make array" function.
    It's probably something to do with either your IDA "General Options" or one of your "kernel" options.
    Last edited: Jun 7, 2015
    Rip Cord likes this.
  6. sendersu

    Active Member

    Hi
    thanks for the answer
    you are right...... that's not the plugin making the array of 3 items per row
    that's IDA doing that strange thing..
    Having hundreds of vtables inside the DB, it is a real PITA to do it by hand..... :)

    I've followed your hint but
    I did not find any options (General, Kernel 1 or 2) that might influence the default array creation mode.
    Does it make any sense to put the *normalizing* of the vtable outline to a normal, readable 1 item per row?

    Would really appreciate that!
    Thanks
  7. Sirmabus

    Member Ida Pro Expert

    You could probably make a Python script to fix them.
     
    storm shadow likes this.
  8. sendersu

    Active Member

    Hi
    I've analyzed once again the options IDA provides before any binary (win pe32 in my case)
    goal: try to find the reason for auto-arrays for vtables

    Kernel1 options
    [IMG]

    Here I've another question about j_xx marking
    would it be possible to mark the below sample as a j_j_fread?

    [IMG]

    Kernel option 2
    [IMG]

    Processor options
    [IMG]
    here maybe RTTI checkboxes are somehow influencing the default array creation, I'll try to check that

    OK, tried, same arrays, 3 items per row by default.....

    [IMG]

    Now, returning back to your idea,
    could you give some hint here regarding the Python script, what's the general idea to find these vtable arrays,
    does IDA understand that these are not just arrays, but vtable types?.....
    Last edited: Jun 9, 2015
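    One way to do what Sirmabus suggests, as an added IDAPython example that is not part of the plugin or the thread: walk the names IDA knows, pick the vftable labels, undefine the array item and recreate one dword (one method) per line. Assumptions: vftables carry the MSVC-style label `??_7<Class>@@6B@` (adjust `is_vftable_name` if your labels differ), the target is 32-bit, and the IDA 7 `ida_bytes`/`ida_offset` modules are available (IDA 6.x of 2015 used the older `idc.MakeUnkn`/`idc.MakeDword` names instead).

```python
# Runs inside IDA; plan_entries/is_vftable_name are pure so they can be checked outside it.
try:
    import ida_bytes, ida_offset, idautils
except ImportError:  # not running inside IDA
    ida_bytes = ida_offset = idautils = None

PTR_SIZE = 4  # 32-bit MSVC target, the case Class Informer handles

def is_vftable_name(name):
    """Assumed label scheme: MSVC mangled vftable symbol '??_7<Class>@@6B@'."""
    return name.startswith("??_7") and name.endswith("6B@")

def plan_entries(vft_ea, item_size, ptr_size=PTR_SIZE):
    """Start address of every whole pointer inside an item of item_size bytes.
    A trailing partial pointer (item not a multiple of ptr_size) is left alone."""
    return [vft_ea + i * ptr_size for i in range(item_size // ptr_size)]

def split_vftable(vft_ea):
    """If the item at vft_ea is an N-dword array, undefine it and recreate one
    dword per entry, each shown as an offset to its method. Returns entries made."""
    size = ida_bytes.get_item_size(vft_ea)
    if not ida_bytes.is_data(ida_bytes.get_flags(vft_ea)) or size <= PTR_SIZE:
        return 0  # not an array item: already one entry per line, or not data
    # DELIT_SIMPLE undefines the bytes but keeps the label on vft_ea.
    ida_bytes.del_items(vft_ea, ida_bytes.DELIT_SIMPLE, size)
    made = 0
    for ea in plan_entries(vft_ea, size):
        if ida_bytes.create_dword(ea, PTR_SIZE):
            ida_offset.op_plain_offset(ea, 0, 0)  # display as offset, not raw number
            made += 1
    return made

def fix_all_vftables():
    total = 0
    for ea, name in idautils.Names():
        if is_vftable_name(name):
            total += split_vftable(ea)
    return total

if __name__ == "__main__" and ida_bytes is not None:
    print("re-split %d vftable entries" % fix_all_vftables())
```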
  9. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    have you tried

    Struct: Alt+Q
    Array: Numeric keypad *
     
    Rip Cord likes this.
  10. sendersu

    Active Member

    sure, that works fine, but having hundreds of vtables that's a real PITA of work......
    my goals are: understand why IDA does the array by default
    try to convince the author of this great plugin to do improvements :)
    cheers
     
    storm shadow likes this.
  11. _newbytes_

    New Member

    Is Class Informer 1.04 still available somewhere? I'm having a fair bit of trouble getting 1.06 to work. My IDA Pro (6.5) freezes directly after clicking 'Continue'.
     
  12. sendersu

    Active Member

    sure thing

    "Class Informer"
    =========================================================
    IDA Pro Win32 class vftable finder, namer, fixer, lister plug-in.
    Version 1.04, October 2011
    By Sirmabus

    Uploaded here - https://www.sendspace.com/file/q08p47


    have you tried the brand new v2.0?
     
    _newbytes_ likes this.
  13. sendersu

    Active Member

    hi all!
    could anyone hint me where to start w/this challenging task?
    thanks!
     
  14. duganx

    New Member

    Hi all,

    I am getting the following error when loading IDA Pro

    LoadLibrary(C:\Program Files\IDA 6.7\plugins\IDA_ClassInformer_PlugIn.P64) error: The specified procedure could not be found.
    C:\Program Files\IDA 6.7\plugins\IDA_ClassInformer_PlugIn.P64: can't load file

    I don't see IDA_ClassInformer_PlugIn in Edit>Plugins menu. Any idea how can I fix this?

    Thanks!
     
  15. sendersu

    Active Member

    Before you go to fix it, try to understand the root cause of the issue
    1) check the exports from your copy of the .p64 file
    2) check the run of IDA using procmon - check how the library is being LoadLibrary-ied, etc
    3) try to sniff the API flow using some API sniffer/tracer

    check the manual to see if IDA 6.7 is in the supported list
     
    storm shadow likes this.
  16. duganx

    New Member

    Ended up debugging IDA 6.7, apparently ClassInformer v2.0 works on at least Windows 7.


    Thanks!
     
  17. sendersu

    Active Member

    OK
    looks like summer time, everybody swimming in the sea/ocean :)
     
    storm shadow likes this.
  18. sendersu

    Active Member

    Is it only me not seeing the lovely pictures on the front side?

    [IMG]
  19. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    It's because the pictures from Sirmabus site have been deleted
     
  20. sendersu

    Active Member

    yeah, logical explanation
    but we have to PR the product for the newcomers and Googlers all over the world!
    they might be upset not seeing the graphical materials......
     
    storm shadow likes this.