Want to Join Us ?

you'll be able to discuss, share and send private messages.

Virtuailor - IDAPython tool for C++ vtables reconstruction

Discussion in 'Plugins' started by m4n0w4r, Jan 21, 2019.

Share This Page

  1. m4n0w4r

    Well-Known Member

    Virtuailor is an IDAPython tool that reconstructs vtables for C++ code written for intel architecture and both 32bit and 64bit code. The tool constructed from 2 parts, static and dynamic.
    The first is the static part, contains the following capabilities:
    • Detects indirect calls.
    • Hooks the value assignment of the indirect calls using conditional breakpoints (the hook code).

    The second is the dynamic part, contains the following capabilities:
    • Creates vtable structures.
    • Rename functions and vtables addresses.
    • Add structure offset to the assembly indirect calls.
    • Add xref from indirect calls to their virtual functions(multiple xrefs).
    [​IMG]

    Output and General Functions
    vtables structures
    The structures Virtuailor creates from the vtable used in virtual call that were hit. The vtable functions are extracted from the memory based on the relevant register that was used in the BP opcode.

    [​IMG]

    More info and download here:
    https://github.com/0xgalz/Virtuailor

    Regards
     
Top