Several improvements

- Added BCA as array
- set member types to pointers/RVAs to BCA, COL, TD and BCD

Author: herosi

README.md

@@ -2,7 +2,7 @@
 #### Yet Another RTTI Parsing IDA plugin ####
 ![PyClassInformer Icon](/pyclassinformer/pci_icon.png)
 
-PyClassInformer is an RTTI parser. Although there are several RTTI parsers such as Class Informer and SusanRTTI, and even IDA can also parse RTTI, I created this tool. It is because they cannot be used as libraries for parsing RTTI. IDA cannot show class hierarchies, either.
+PyClassInformer is an RTTI parser. Although there are several RTTI parsers such as Class Informer and SusanRTTI, and even IDA can also parse RTTI, I created this tool. It is because they cannot be used as libraries for parsing RTTI. IDA cannot easily manage class hierarchies such as checking them as a list and filtering the information, either.
 
 PyClassInformer can parse RTTI for Windows on x86 and x64. Since it is written in IDAPython, you can run it on IDA for Mac OS and Linux as well as Windows. You can also use results of parsing RTTI in your python code by importing this tool as a library.
 

pyclassinformer/pci_chooser.py

@@ -40,28 +40,28 @@ def get_hierarychy(self, data, vftable_ea):
         col = data[vftable_ea]
         col_offs, curr_off = u.get_col_offs(col, data)
         result = "{}: ".format(col.name)
-        if len(col.chd.bases) > 0:
+        if len(col.chd.bca.bases) > 0:
             idx = 0
-            if col.chd.bases[0].name == col.name:
+            if col.chd.bca.bases[0].name == col.name:
                 idx = 1
             # get the result related to the offset of the COL
-            result += ", ".join([x.name for x in col.chd.bases[idx:] if u.does_bcd_append(col_offs, x, curr_off)]) + ";" if len(col.chd.bases) > 1 else ""
+            result += ", ".join([x.name for x in col.chd.bca.bases[idx:] if u.does_bcd_append(col_offs, x, curr_off)]) + ";" if len(col.chd.bca.bases) > 1 else ""
         return result
 
     def get_hierarychy_order(self, data, vftable_ea):
         col = data[vftable_ea]
         col_offs, curr_off = u.get_col_offs(col, data)
         result = []
-        if len(col.chd.bases) > 0:
-            for off in col.chd.paths:
+        if len(col.chd.bca.bases) > 0:
+            for off in col.chd.bca.paths:
                 target_off = off
                 if off not in col_offs:
                     # sometimes, mdisp is not included in COLs.
                     # in those cases, get the least offset in COLs and it is treated as the offset.
                     target_off = 0
                     if len(col_offs) > 0:
                         target_off = sorted(col_offs)[0]
-                for p in col.chd.paths[off]:
+                for p in col.chd.bca.paths[off]:
                     #if curr_off == target_off or col.chd.flags.find("V") >= 0 or len(list(filter(lambda x: x.pdisp >= 0, p))) > 0:
                     if curr_off == target_off:
                         result.append("{:#x}: ".format(off) + " -> ".join([x.name + " ({},{},{})".format(x.mdisp, x.pdisp, x.vdisp) for x in p]))

pyclassinformer/pci_utils.py

@@ -13,10 +13,13 @@
 import ida_name
 import ida_ida
 
+ida_9_or_later = False
 try:
+    import ida_struct
     from ida_struct import get_member_by_name
 except ModuleNotFoundError:
     # for IDA 9.0
+    ida_9_or_later = True
     def get_member_by_name(tif, name):
         if not tif.is_struct():
             return None
@@ -131,11 +134,44 @@ def get_refs_to_by_type_name(name):
             for xref in utils.get_refs_to(tif.get_tid()):
                 yield xref
 
-    def add_ptr_or_rva_member(self, sid, name):
+    def add_ptr_or_rva_member(self, sid, mname, mtype_name, array=False, idx=-1):
+        sname = idc.get_struc_name(sid)
+        
+        # if idx is not specified, insert the member at the end of the structure
+        if idx < 0:
+            idx = idc.get_member_qty(sid)
+            
+        idc.add_struc_member(sid, mname, ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD|ida_bytes.FF_0OFF, -1, 4)
+        self.set_ptr_or_rva_member(sid, mname, mtype_name, array, idx)
+        
+    def set_ptr_or_rva_member(self, sid, mname, mtype_name, array=False, idx=-1):
+        sname = idc.get_struc_name(sid)
+        
+        # if idx is not specified, modifie the last member
+        if idx < 0:
+            idx = idc.get_member_qty(sid) - 1
+            
+        r = None
         if self.x64:
-            idc.add_struc_member(sid, name, ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD|ida_bytes.FF_0OFF, self.mt_rva().tid, 4, reftype=ida_nalt.REFINFO_RVAOFF|self.REF_OFF)
+            reftype = ida_nalt.REFINFO_RVAOFF|self.REF_OFF
+            mtif = get_ptr_type(mtype_name, ptr_size=ida_typeinf.TAPTR_PTR32, array=array)
+            if ida_9_or_later:
+                r = get_val_repr(ida_typeinf.FRB_OFFSET, reftype)
         else:
-            idc.add_struc_member(sid, name, ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD|ida_bytes.FF_0OFF, self.mt_address().tid, 4)
+            reftype = self.REF_OFF
+            mtif = get_ptr_type(mtype_name, ptr_size=0, array=array)
+            
+        if ida_9_or_later:
+            tif = ida_typeinf.tinfo_t()
+            tif.get_named_type(None, sname)
+            udt = ida_typeinf.udt_type_data_t()
+            if tif.get_udt_details(udt):
+                tif.set_udm_type(idx, mtif, 0, r)
+                tif.get_udt_details(udt)
+        else:
+            s = ida_struct.get_struc(sid)
+            ida_struct.set_member_tinfo(s, s.get_member(idx), 0, mtif, 0)
+            idc.set_member_type(sid, idc.get_member_offset(sid, mname), ida_bytes.FF_DATA|ida_bytes.FF_DWORD|ida_bytes.FF_0OFF, -1, 1, reftype=reftype)
 
     @staticmethod
     def get_moff_by_name(struc, name):
@@ -227,10 +263,21 @@ def create_ptr_attr(data_type=ida_typeinf.BTF_INT, attr=ida_typeinf.TAPTR_PTR32)
     return mtif
 
 
-def get_ptr_type(type_name, ptr_size=ida_typeinf.TAPTR_PTR32):
+def get_ptr_type(type_name, ptr_size=ida_typeinf.TAPTR_PTR32, array=False):
     mtif = ida_typeinf.tinfo_t()
     if mtif.get_named_type(None, type_name):
-        mtif = create_ptr_attr(ida_typeinf.BTF_INT, ptr_size)
+        # for 64-bit, the member stores an RVA.
+        # create "*__ptr32" here.
+        if ptr_size:
+            mtif = create_ptr_attr(mtif, ptr_size)
+        # for 32-bit, the member stores a pointer.
+        # just create a pointer
+        else:
+            mtif.create_ptr(mtif)
+            
+        # for BCA
+        if array:
+            mtif.create_array(mtif)
         return mtif
     return None
 

pyclassinformer/pyclassinformer.py

@@ -44,6 +44,7 @@ def strip(name):
 
 
 class RTTITypeDescriptor(RTTIStruc):
+    
     # create structure
     msid = idc.get_struc_id("RTTITypeDescriptor")
     if msid != ida_idaapi.BADADDR:
@@ -98,7 +99,61 @@ def __init__(self, ea):
         return
 
 
+class RTTIClassHierarchyDescriptor(RTTIStruc):
+    
+    CHD_MULTINH   = 0x01 # Multiple inheritance
+    CHD_VIRTINH   = 0x02 # Virtual inheritance
+    CHD_AMBIGUOUS = 0x04 # Ambiguous inheritance
+    
+    # create structure
+    msid = idc.get_struc_id("RTTIClassHierarchyDescriptor")
+    if msid != ida_idaapi.BADADDR:
+        idc.del_struc(msid)
+    msid = idc.add_struc(0xFFFFFFFF, "RTTIClassHierarchyDescriptor", False)
+
+    # add members
+    idc.add_struc_member(msid, "signature", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4)
+    idc.add_struc_member(msid, "attribute", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4)
+    idc.add_struc_member(msid, "numBaseClasses", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4)
+    idc.add_struc_member(msid, "pBaseClassArray", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4) # for dummy. the correct type will be applied when the BCA class is created.
+    
+    # get structure related info
+    tid = msid
+    struc = get_struc(tid)
+    size = idc.get_struc_size(tid)
+    print("Completed Registering RTTIClassHierarchyDescriptor")
+
+    def __init__(self, ea):
+        self.ea = ea
+        self.sig = 0
+        self.bcaea = ida_idaapi.BADADDR
+        self.nb_classes = 0
+        self.flags = ""
+        self.bca = None
+        
+        # apply structure type to bytes
+        ida_bytes.del_items(ea, ida_bytes.DELIT_DELNAMES, self.size)
+        if ida_bytes.create_struct(ea, self.size, self.tid):
+            # Get members of CHD
+            self.sig = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "signature"))
+            self.bcaea = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "pBaseClassArray")) + u.x64_imagebase()
+            self.nb_classes = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "numBaseClasses"))
+            self.attribute = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "attribute"))
+            
+            self.bca = RTTIBaseClassArray(self.bcaea, self.nb_classes)
+            
+            # parse flags
+            if self.attribute & self.CHD_MULTINH:
+                self.flags += "M"
+            if self.attribute & self.CHD_VIRTINH:
+                self.flags += "V"
+            if self.attribute & self.CHD_AMBIGUOUS:
+                self.flags += "A"
+            #self.flags += " {:#x}".format(self.attribute)
+        
+
 class RTTIBaseClassDescriptor(RTTIStruc):
+    
     BCD_NOTVISIBLE = 0x00000001
     BCD_AMBIGUOUS = 0x00000002
     BCD_PRIVORPROTBASE = 0x00000004
@@ -114,13 +169,13 @@ class RTTIBaseClassDescriptor(RTTIStruc):
     msid = idc.add_struc(0xFFFFFFFF, "RTTIBaseClassDescriptor", False)
 
     # add members
-    u.add_ptr_or_rva_member(msid, "pTypeDescriptor")
+    u.add_ptr_or_rva_member(msid, "pTypeDescriptor", "RTTITypeDescriptor")
     idc.add_struc_member(msid, "numContainerBases", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4)
     idc.add_struc_member(msid, "mdisp", ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD, -1, 4) # 00 PMD Vftable displacement inside class layout
     idc.add_struc_member(msid, "pdisp", ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD, -1, 4) # 04 PMD Vbtable displacement
     idc.add_struc_member(msid, "vdisp", ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD, -1, 4) # 08 PMD Vftable displacement inside vbtable
     idc.add_struc_member(msid, "attributes", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4)
-    u.add_ptr_or_rva_member(msid, "pClassDescriptor")
+    u.add_ptr_or_rva_member(msid, "pClassDescriptor", "RTTIClassHierarchyDescriptor")
 
     # get structure related info
     tid = msid
@@ -140,74 +195,57 @@ def __init__(self, ea):
             self.pdisp = u.to_signed32(ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "pdisp")))
             self.vdisp = u.to_signed32(ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "vdisp")))
             self.attributes = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "attributes"))
-            self.rcd = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "pClassDescriptor"))
+            self.chdea = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "pClassDescriptor")) + u.x64_imagebase()
 
 
-class RTTIClassHierarchyDescriptor(RTTIStruc):
-    bases = None
-    CHD_MULTINH   = 0x01 # Multiple inheritance
-    CHD_VIRTINH   = 0x02 # Virtual inheritance
-    CHD_AMBIGUOUS = 0x04 # Ambiguous inheritance
+class RTTIBaseClassArray(RTTIStruc):
 
     # create structure
-    msid = idc.get_struc_id("RTTIClassHierarchyDescriptor")
+    msid = idc.get_struc_id("RTTIBaseClassArray")
     if msid != ida_idaapi.BADADDR:
         idc.del_struc(msid)
-    msid = idc.add_struc(0xFFFFFFFF, "RTTIClassHierarchyDescriptor", False)
+    msid = idc.add_struc(0xFFFFFFFF, "RTTIBaseClassArray", False)
 
     # add members
-    idc.add_struc_member(msid, "signature", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4)
-    idc.add_struc_member(msid, "attribute", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4)
-    idc.add_struc_member(msid, "numBaseClasses", ida_idaapi.BADADDR, ida_bytes.FF_DWORD|ida_bytes.FF_DATA, -1, 4)
-    u.add_ptr_or_rva_member(msid, "pBaseClassArray")
+    u.add_ptr_or_rva_member(msid, "arrayOfBaseClassDescriptors", "RTTIBaseClassDescriptor", array=True)
 
     # get structure related info
     tid = msid
     struc = get_struc(tid)
     size = idc.get_struc_size(tid)
-    print("Completed Registering RTTIClassHierarchyDescriptor")
+    
+    # correct BCA's pBaseClassArray member type here.
+    u.set_ptr_or_rva_member(RTTIClassHierarchyDescriptor.tid, "pBaseClassArray", "RTTIBaseClassArray")
+    
+    print("Completed Registering RTTIBaseClassArray")
 
-    def __init__(self, ea):
+    def __init__(self, ea, nb_classes):
         self.ea = ea
-        self.sig = 0
-        self.bcaea = ida_idaapi.BADADDR
-        self.nb_classes = 0
-        self.flags = ""
+        # fix the size with the actual size by using nb_classes from CHD since the size depends on each BCA
+        self.size = 4 * nb_classes
+
         self.bases = []
         self.paths = {}
         self.depth = 0
 
         # apply structure type to bytes
         ida_bytes.del_items(ea, ida_bytes.DELIT_DELNAMES, self.size)
         if ida_bytes.create_struct(ea, self.size, self.tid):
-            # Get members of CHD
-            self.sig = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "signature"))
-            self.bcaea = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "pBaseClassArray")) + u.x64_imagebase()
-            self.nb_classes = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "numBaseClasses"))
-            self.attribute = ida_bytes.get_32bit(ea+u.get_moff_by_name(self.struc, "attribute"))
-            
-            # parse flags
-            if self.attribute & self.CHD_MULTINH:
-                self.flags += "M"
-            if self.attribute & self.CHD_VIRTINH:
-                self.flags += "V"
-            if self.attribute & self.CHD_AMBIGUOUS:
-                self.flags += "A"
-            #self.flags += " {:#x}".format(self.attribute)
-            
-    def parse_bca(self, ea):
+            pass
+        
+    def parse_bca(self, ea, nb_classes):
         result_paths = {}
         curr_path = []
         n_processed = {}
-        for i in range(0, self.nb_classes):
-            bcdoff = self.bcaea+i*4
+        for i in range(0, nb_classes):
+            bcdoff = ea+i*4
 
             # apply data type to items in BCA
-            ida_bytes.create_dword(bcdoff, 4)
-            if u.x64:
-                ida_offset.op_offset(bcdoff, ida_bytes.OPND_MASK, u.REF_OFF|ida_nalt.REFINFO_RVAOFF, -1, 0, 0)
-            else:
-                ida_offset.op_offset(bcdoff, ida_bytes.OPND_MASK, u.REF_OFF, -1, 0, 0)
+            #ida_bytes.create_dword(bcdoff, 4)
+            #if u.x64:
+            #    ida_offset.op_offset(bcdoff, ida_bytes.OPND_MASK, u.REF_OFF|ida_nalt.REFINFO_RVAOFF, -1, 0, 0)
+            #else:
+            #    ida_offset.op_offset(bcdoff, ida_bytes.OPND_MASK, u.REF_OFF, -1, 0, 0)
 
             # get relevant structures
             bcdea = ida_bytes.get_32bit(bcdoff) + u.x64_imagebase()
@@ -258,7 +296,7 @@ def parse_bca(self, ea):
 
         #print({x:[[z.name for z in y] for y in result_paths[x]] for x in result_paths})
         self.paths = result_paths
-        
+
 
 class RTTICompleteObjectLocator(RTTIStruc):
 
@@ -272,10 +310,11 @@ class RTTICompleteObjectLocator(RTTIStruc):
     idc.add_struc_member(msid, "signature", ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD, -1, 4)
     idc.add_struc_member(msid, "offset", ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD, -1, 4)
     idc.add_struc_member(msid, "cdOffset", ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD, -1, 4)
-    u.add_ptr_or_rva_member(msid, "pTypeDescriptor")
-    u.add_ptr_or_rva_member(msid, "pClassDescriptor")
+    u.add_ptr_or_rva_member(msid, "pTypeDescriptor", "RTTITypeDescriptor")
+    u.add_ptr_or_rva_member(msid, "pClassDescriptor", "RTTIClassHierarchyDescriptor")
     if u.x64:
-        idc.add_struc_member(msid, "pSelf", ida_idaapi.BADADDR, ida_bytes.FF_DATA|ida_bytes.FF_DWORD|ida_bytes.FF_0OFF, u.mt_rva().tid, 4, reftype=ida_nalt.REFINFO_RVAOFF|u.REF_OFF)
+        u.add_ptr_or_rva_member(msid, "pSelf", "RTTICompleteObjectLocator")
+        
 
     # get structure related info
     tid = msid
@@ -353,7 +392,7 @@ def parse_msvc_vftable():
     if len([xrea for xrea in u.get_refs_to(RTTIClassHierarchyDescriptor.tid)]) == 0:
         [ida_bytes.create_struct(result[x].chd.ea, RTTIClassHierarchyDescriptor.size, RTTIClassHierarchyDescriptor.tid, True) for x in result]
     if len([xrea for xrea in u.get_refs_to(RTTITypeDescriptor.tid)]) == 0:
-        [ida_bytes.create_struct(result[x].td.ea, RTTITypeDescriptor.size, RTTITypeDescriptor.tid, True) for x in result]
+        [ida_bytes.create_struct(result[x].td.ea, result[x].td.size, RTTITypeDescriptor.tid, True) for x in result]
 
     # for refreshing xrefs to get xrefs from COLs to TDs
     ida_auto.auto_wait()
@@ -363,8 +402,16 @@ def parse_msvc_vftable():
         col = result[vtable]
 
         # get BCDs
-        for bcd, depth in col.chd.parse_bca(col.chd.bcaea):
+        for bcd, depth in col.chd.bca.parse_bca(col.chd.bca.ea, col.chd.nb_classes):
             pass
+        
+    # may be this is a bug on IDA.
+    # ida fails to apply a structure type to bytes under some conditions, although create_struct returns True.
+    # to avoid that, apply them again.
+    ida_auto.auto_wait()
+    if len([xrea for xrea in u.get_refs_to(RTTIBaseClassArray.tid)]) == 0:
+        [ida_bytes.create_struct(result[x].chd.bca.ea, result[x].chd.bca.size, RTTIBaseClassArray.tid, True) for x in result]
+    ida_auto.auto_wait()
 
     return result
 
@@ -377,8 +424,8 @@ def display_result(result):
         print("  CHD at {:#x}:".format(col.chd.ea), hex(col.chd.sig), hex(col.chd.bcaea), col.chd.nb_classes, col.chd.flags)
 
         # get BCDs
-        for bcd in col.chd.bases:
-            print("    {}BCD at {:#x}:".format(" " *bcd.depth*2, bcd.ea), bcd.name, bcd.nb_cbs, bcd.mdisp, bcd.pdisp, bcd.vdisp, bcd.attributes)
+        for bcd in col.chd.bca.bases:
+            print("    {}BCD at {:#x}:".format(" " *bcd.depth*2, bcd.ea), bcd.name, bcd.nb_cbs, bcd.mdisp, bcd.pdisp, bcd.vdisp, bcd.attributes, hex(bcd.chdea))
 
 
 def run_pci(icon=-1):