Пример #1
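    def set_struct(name):
        """Create an empty IDA structure called *name*, replacing any existing one.

        A structure that already carries this name is deleted first so the
        new definition starts from scratch. Failure to create the structure
        is reported on stdout; nothing is raised.
        """
        struct_name = str(name)
        sid = idaapi.get_struc_id(struct_name)
        if sid != idaapi.BADADDR:
            idaapi.del_struc(idaapi.get_struc(sid))

        # add_struc returns the id of the new structure, or BADADDR (-1 in
        # the IDC documentation) on failure -- never a boolean. A plain
        # truthiness test cannot detect the error because both sentinel
        # values are truthy.
        sid = idc.add_struc(-1, struct_name, 0)
        if sid in (idaapi.BADADDR, -1):
            print("Could not add struct {name}".format(name=name))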
Пример #2
class RTTIBaseClassDescriptor(RTTIStruc):
    """IDA struct definitions for MSVC RTTIBaseClassDescriptor and its PMD.

    Both structures are (re)created when the class body runs, so the
    definitions are always fresh for the current database. Class attributes:
    pmdid / pmdstruc / pmdsize describe the nested PMD struct, tid / struc /
    size the RTTIBaseClassDescriptor itself.
    """

    # -- PMD: three displacement dwords -----------------------------------
    msid = get_struc_id("PMD")
    if msid != BADADDR:
        del_struc(msid)
    msid = add_struc(0xFFFFFFFF, "PMD", False)
    for _mname in ("mdisp", "pdisp", "vdisp"):
        add_struc_member(msid, _mname, BADADDR, FF_DATA | FF_DWRD, -1, 4)
    del _mname
    pmdid = msid
    pmdstruc = get_struc(pmdid)
    pmdsize = get_struc_size(pmdid)

    # -- RTTIBaseClassDescriptor: (member, flags, type info, byte size) ----
    msid = get_struc_id("RTTIBaseClassDescriptor")
    if msid != BADADDR:
        del_struc(msid)
    msid = add_struc(0xFFFFFFFF, "RTTIBaseClassDescriptor", False)
    for _mname, _mflags, _mtype, _msize in (
            ("pTypeDescriptor", FF_DATA | FF_DWRD | FF_0OFF, 0, 4),
            ("numContainerBases", FF_DWRD | FF_DATA, -1, 4),
            # the PMD member embeds the struct created above
            ("PMD", FF_DATA | FF_DWRD | FF_STRU, pmdid, pmdsize),
            ("attributes", FF_DWRD | FF_DATA, -1, 4)):
        add_struc_member(msid, _mname, BADADDR, _mflags, _mtype, _msize)
    del _mname, _mflags, _mtype, _msize
    tid = msid
    struc = get_struc(tid)
    size = get_struc_size(tid)
    print("Completed Registering RTTIBaseClassDescriptor")
Пример #3
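class RTTICompleteObjectLocator(RTTIStruc):

    # Init class statics: (re)create the IDA struct for an MSVC
    # RTTICompleteObjectLocator; every instance applies this one definition.
    msid = get_struc_id("RTTICompleteObjectLocator")
    if msid != BADADDR:
        del_struc(get_struc(msid))
    msid = add_struc(0xFFFFFFFF, "RTTICompleteObjectLocator", False)
    add_struc_member(get_struc(msid), "signature", BADADDR, FF_DATA | FF_DWRD,
                     None, 4)
    add_struc_member(get_struc(msid), "offset", BADADDR, FF_DATA | FF_DWRD,
                     None, 4)
    add_struc_member(get_struc(msid), "cdOffset", BADADDR, FF_DATA | FF_DWRD,
                     None, 4)
    add_struc_member(get_struc(msid), "pTypeDescriptor", BADADDR,
                     FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
    add_struc_member(get_struc(msid), "pClassDescriptor", BADADDR,
                     FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
    # 64-bit images carry one extra RVA member.
    if u.x64:
        add_struc_member(get_struc(msid), "pSelf", BADADDR,
                         FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
    tid = msid
    struc = get_struc(tid)
    size = get_struc_size(tid)
    print("Completed Registering RTTICompleteObjectLocator")

    def __init__(self, ea, vtable):
        """Apply the struct at *ea*, name *vtable* and append a log line.

        Args:
            ea: address of the candidate RTTICompleteObjectLocator.
            vtable: address of the vtable it belongs to; renamed to
                "vtable__<class>" when the locator turns out to be valid.

        Side effects: records the class and its bases in the module-level
        ``classes`` map and appends "<vtable>\\t<class>\\t<GuessType of the
        dword at vtable+4>" to "<idb path>.txt" next to the database, unless
        the class name starts with std/ATL. When *ea* does not hold a valid
        locator the range is reset to unknown bytes instead.
        """
        # GetIdbPath() ends in a four-character extension (.idb / .i64).
        filepath = GetIdbPath()[:-4]
        # `with` releases the handle on every path. The original closed it
        # only when doStruct() succeeded and leaked it (and any buffered
        # output) on the early-out and on exceptions.
        with open(r"{filepath}.txt".format(filepath=filepath), 'a') as fp:
            print("Create file")
            do_unknown_range(ea, self.size, DOUNK_DELNAMES)
            if not doStruct(ea, self.size, self.tid):
                return
            # Get address of the type descriptor from the locator
            offset = get_member_by_name(self.struc, "pTypeDescriptor").soff
            typeDescriptor = get_32bit(ea + offset) + u.x64_imagebase()
            rtd = RTTITypeDescriptor(typeDescriptor)
            if not rtd.class_name:
                # if the RTTITypeDescriptor doesn't have a valid name for us to
                # read, then this wasn't a valid RTTICompleteObjectLocator
                MakeUnknown(ea, self.size, DOUNK_SIMPLE)
                return
            offset = get_member_by_name(self.struc, "pClassDescriptor").soff
            classHierarchyDes = get_32bit(ea + offset) + u.x64_imagebase()
            rchd = RTTIClassHierarchyDescriptor(classHierarchyDes)
            # filter out None entries (unreadable type descriptors); `bases`
            # itself may still be None when the hierarchy struct could not be
            # applied, so treat that as "no bases" rather than crashing.
            rchd.bases = [b for b in (rchd.bases or []) if b]
            classes[strip(rtd.class_name)] = [strip(b) for b in rchd.bases]
            MakeNameEx(vtable, "vtable__" + strip(rtd.class_name), SN_NOWARN)
            tempStr = (hex(vtable).rstrip('L') + '\t' + strip(rtd.class_name)
                       + '\t' + str(GuessType(Dword(vtable + 4))) + '\n')
            # Skip standard-library / ATL classes; they only add noise.
            if 'std' not in tempStr[:15] and 'ATL' not in tempStr[:15]:
                fp.write(tempStr)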
Пример #4
class RTTICompleteObjectLocator(RTTIStruc):
    """IDA struct for an MSVC RTTICompleteObjectLocator plus its applier.

    The struct is (re)created when the class body runs; tid / struc / size
    describe it. Instances apply it at an address and, when the locator is
    valid, register the class and rename its vtable.
    """

    # Init class statics: (member, flags, type info); every member is 4 bytes.
    msid = get_struc_id("RTTICompleteObjectLocator")
    if msid != BADADDR:
        del_struc(get_struc(msid))
    msid = add_struc(0xFFFFFFFF, "RTTICompleteObjectLocator", False)
    _members = [
        ("signature", FF_DATA | FF_DWRD, None),
        ("offset", FF_DATA | FF_DWRD, None),
        ("cdOffset", FF_DATA | FF_DWRD, None),
        ("pTypeDescriptor", FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva()),
        ("pClassDescriptor", FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva()),
    ]
    # 64-bit images carry one extra RVA member.
    if u.x64:
        _members.append(("pSelf", FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva()))
    for _mname, _mflags, _mtype in _members:
        add_struc_member(get_struc(msid), _mname, BADADDR, _mflags, _mtype, 4)
    del _members, _mname, _mflags, _mtype
    tid = msid
    struc = get_struc(tid)
    size = get_struc_size(tid)
    print("Completed Registering RTTICompleteObjectLocator")

    def __init__(self, ea, vtable):
        """Apply the struct at *ea* and, if valid, register *vtable*.

        Args:
            ea: address of the candidate RTTICompleteObjectLocator.
            vtable: address of the owning vtable; renamed "vtable__<class>"
                on success.

        On success the class name and its base-class names are stored in the
        module-level ``classes`` map. If the type descriptor has no readable
        name the range at *ea* is reset to unknown bytes.
        """
        do_unknown_range(ea, self.size, DOUNK_DELNAMES)
        if not doStruct(ea, self.size, self.tid):
            return
        print("Complete Object Locator at: 0x%x" % ea)
        # Follow the RVA to the type descriptor
        td_off = get_member_by_name(self.struc, "pTypeDescriptor").soff
        typeDescriptor = get_32bit(ea + td_off) + u.x64_imagebase()
        print("Looking for type Descriptor at: 0x%x" % typeDescriptor)
        rtd = RTTITypeDescriptor(typeDescriptor)
        if not rtd.class_name:
            # if the RTTITypeDescriptor doesn't have a valid name for us to
            # read, then this wasn't a valid RTTICompleteObjectLocator
            MakeUnknown(ea, self.size, DOUNK_SIMPLE)
            return
        print("Type Descriptor at: 0x%x" % typeDescriptor)
        cd_off = get_member_by_name(self.struc, "pClassDescriptor").soff
        classHierarchyDes = get_32bit(ea + cd_off) + u.x64_imagebase()
        rchd = RTTIClassHierarchyDescriptor(classHierarchyDes)
        # filter out None entries
        rchd.bases = filter(lambda x: x, rchd.bases)
        class_name = strip(rtd.class_name)
        classes[class_name] = [strip(b) for b in rchd.bases]
        MakeNameEx(vtable, "vtable__" + class_name, SN_NOWARN)
Пример #5
class RTTIBaseClassDescriptor(RTTIStruc):
    """IDA struct for an MSVC RTTIBaseClassDescriptor (four 4-byte members).

    The struct is (re)created when the class body runs; tid / struc / size
    describe the result. In this variant the PMD member is stored as an RVA
    rather than as a nested struct.
    """

    msid = get_struc_id("RTTIBaseClassDescriptor")
    if msid != BADADDR:
        del_struc(msid)
    msid = add_struc(0xFFFFFFFF, "RTTIBaseClassDescriptor", False)
    # (member, flags, type info); RVA members take the offset type's tid.
    for _mname, _mflags, _mtype in (
            ("pTypeDescriptor", FF_DATA | FF_DWORD | FF_0OFF, u.mt_rva().tid),
            ("numContainerBases", FF_DWORD | FF_DATA, -1),
            ("PMD", FF_DATA | FF_DWORD | FF_0OFF, u.mt_rva().tid),
            ("attributes", FF_DWORD | FF_DATA, -1)):
        add_struc_member(msid, _mname, BADADDR, _mflags, _mtype, 4)
    del _mname, _mflags, _mtype
    tid = msid
    struc = get_struc(tid)
    size = get_struc_size(tid)
    print("Completed Registering RTTIBaseClassDescriptor")
Пример #6
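class RTTIClassHierarchyDescriptor(RTTIStruc):
    # Names of the base classes (str, or None for an unreadable type
    # descriptor); filled in by __init__, None until an instance exists.
    bases = None

    # Init class statics: (re)create the IDA struct for an MSVC
    # RTTIClassHierarchyDescriptor.
    msid = get_struc_id("RTTIClassHierarchyDescriptor")
    if msid != BADADDR:
        del_struc(get_struc(msid))
    msid = add_struc(0xFFFFFFFF, "RTTIClassHierarchyDescriptor", False)
    add_struc_member(get_struc(msid), "signature", BADADDR, FF_DWRD | FF_DATA,
                     None, 4)
    add_struc_member(get_struc(msid), "attribute", BADADDR, FF_DWRD | FF_DATA,
                     None, 4)
    add_struc_member(get_struc(msid), "numBaseClasses", BADADDR,
                     FF_DWRD | FF_DATA, None, 4)
    add_struc_member(get_struc(msid), "pBaseClassArray", BADADDR,
                     FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
    tid = msid
    struc = get_struc(tid)
    print("Completed Registering RTTIClassHierarchyDescriptor")

    def __init__(self, ea):
        """Apply the struct at *ea* and collect the names of its base classes.

        Args:
            ea: address of the RTTIClassHierarchyDescriptor.

        Sets ``self.bases`` to a list of demangled base-class names (an entry
        is None when its type descriptor could not be read). The list is
        empty when the struct could not be applied, so callers can iterate
        it without a None check. Each base-class array slot is marked as an
        RVA offset and its RTTIBaseClassDescriptor struct is applied.
        """
        print("Processing Class Hierarchy Descriptor at 0x%x" % ea)
        # Always hand callers a list: leaving the class-level None in place
        # when doStruct() fails breaks filter()/iteration at the call site.
        self.bases = []
        size = get_struc_size(self.tid)
        struc = get_struc(self.tid)
        do_unknown_range(ea, size, DOUNK_DELNAMES)
        if not doStruct(ea, size, self.tid):
            return
        baseClasses = (get_32bit(ea + get_member_by_name(struc, "pBaseClassArray").soff)
                       + u.x64_imagebase())
        # numBaseClasses comes straight from the analysed binary and is not
        # bounded here; a corrupt value means a long loop over garbage.
        nb_classes = get_32bit(ea + get_member_by_name(struc, "numBaseClasses").soff)
        print("Baseclasses array at 0x%x" % baseClasses)
        # Skip the first base class as it is itself (could check)
        for i in range(1, nb_classes):
            slot = baseClasses + i * 4
            baseClass = get_32bit(slot) + u.x64_imagebase()
            print("base class 0x%x" % baseClass)
            doDwrd(slot, 4)
            op_offset(slot, -1, u.REF_OFF | REFINFO_RVA, -1, 0, 0)
            doStruct(baseClass, RTTIBaseClassDescriptor.size,
                     RTTIBaseClassDescriptor.tid)
            # pTypeDescriptor is the first member of the base class descriptor
            typeDescriptor = get_32bit(baseClass) + u.x64_imagebase()
            self.bases.append(RTTITypeDescriptor(typeDescriptor).class_name)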
Пример #7
class RTTITypeDescriptor(RTTIStruc):
    """IDA struct for an MSVC RTTITypeDescriptor plus its applier.

    The struct is (re)created when the class body runs; tid / struc / size
    describe it. Instances apply it at an address and expose the demangled
    class name when the descriptor is valid.
    """

    # Demangled class name; stays None when *ea* is not a valid descriptor.
    class_name = None

    msid = get_struc_id("RTTITypeDescriptor")
    if msid != BADADDR:
        del_struc(get_struc(msid))
    msid = add_struc(0xFFFFFFFF, "RTTITypeDescriptor", False)
    # (member, flags, type info, byte size). "name" is declared with size 0
    # because the inline string's length is only known per instance.
    for _mname, _mflags, _mtype, _msize in (
            ("pVFTable", FF_DATA | u.PTR_TYPE | FF_0OFF, u.mt_address(),
             u.PTR_SIZE),
            ("spare", FF_DATA | u.PTR_TYPE, None, u.PTR_SIZE),
            ("name", FF_DATA | FF_ASCI, u.mt_ascii(), 0)):
        add_struc_member(get_struc(msid), _mname, BADADDR, _mflags, _mtype,
                         _msize)
    del _mname, _mflags, _mtype, _msize
    tid = msid
    struc = get_struc(tid)
    size = get_struc_size(tid)
    print("Completed Registering RTTITypeDescriptor")

    def __init__(self, ea):
        """Apply the struct at *ea* and demangle the class name it carries.

        Args:
            ea: address of the candidate RTTITypeDescriptor.

        On success ``self.class_name`` holds the demangled name and
        ``self.size`` has grown by the length of the inline name string.
        Returns silently when no string is present; prints a failure marker
        when the name cannot be demangled or the struct cannot be applied.
        """
        name_ea = ea + get_member_by_name(get_struc(self.tid), "name").soff
        strlen = u.get_strlen(name_ea)
        if strlen is None:
            # not a real vtable
            return
        # Grow this instance's footprint to cover the inline name string.
        self.size += strlen
        mangled = get_ascii_contents(name_ea, strlen, 0)
        if mangled is None:
            # not a real function name
            return

        # Replace the stored name's first character with the RTTI type
        # descriptor prefix so demangle_name() accepts it.
        demangled = demangle_name('??_R0' + mangled[1:], 0)
        if demangled:
            do_unknown_range(ea, self.size, DOUNK_DELNAMES)
            if doStruct(ea, self.size, self.tid):
                self.class_name = demangled
                return
        print("  FAIL :(")
Пример #8
 def destroy(self):
     """Delete this structure from the database.

     Returns whatever ``idaapi.del_struc`` returns for ``self.ptr``.
     """
     struc_ptr = self.ptr
     return idaapi.del_struc(struc_ptr)
Пример #9
 def destroy(self):
     """Delete this structure from the database.

     Returns whatever ``idaapi.del_struc`` returns for ``self.ptr``.
     """
     struc_ptr = self.ptr
     return idaapi.del_struc(struc_ptr)
Пример #10
 def destroy(self):
     """Remove the structure from the database.

     Returns whatever ``idaapi.del_struc`` returns for ``self.ptr``.
     """
     struc_ptr = self.ptr
     return idaapi.del_struc(struc_ptr)