herosi
diff --git a/‎README.md‎
Lines changed: 85 additions & 17 deletions b/‎README.md‎
Lines changed: 85 additions & 17 deletions
diff --git a/‎images/result.png‎
16.4 KB b/‎images/result.png‎
16.4 KB
diff --git a/‎pyclassinformer/pci_chooser.py‎
Lines changed: 34 additions & 23 deletions b/‎pyclassinformer/pci_chooser.py‎
Lines changed: 34 additions & 23 deletions
diff --git a/‎pyclassinformer/pci_icon.png‎
100644100755 b/‎pyclassinformer/pci_icon.png‎
100644100755
diff --git a/‎pyclassinformer/pci_utils.py‎
Lines changed: 45 additions & 49 deletions b/‎pyclassinformer/pci_utils.py‎
Lines changed: 45 additions & 49 deletions
@@ -1,45 +1,113 @@
-# PyClassInformer #
-#### Yet Another RTTI Parsing IDA plugin ####
+# PyClassInformer
+## Yet Another RTTI Parsing IDA plugin
 ![PyClassInformer Icon](/pyclassinformer/pci_icon.png)
 
 PyClassInformer is an RTTI parser. Although there are several RTTI parsers such as Class Informer and SusanRTTI, and even IDA can also parse RTTI, I created this tool. It is because they cannot be used as libraries for parsing RTTI. IDA cannot easily manage class hierarchies such as checking them as a list and filtering the information, either.
 
-**PyClassInformer can parse RTTI on binaries compiled by MSVC++ on x86 and x64**. Since it is written in IDAPython, you can run it on IDA for Mac OS and Linux as well as Windows. You can also use results of parsing RTTI in your python code by importing this tool as a library.
+**PyClassInformer can parse RTTI on PE formatted binaries compiled by MSVC++ for x86, x64, ARM and ARM64**. Since it is written in IDAPython, you can run it on IDA for Mac OS and Linux as well as Windows. You can also use results of parsing RTTI in your python code by importing this tool as a library.
 
-### Usage ###
+## Usage
 Launch it by pressing Alt+Shift+L. Or navigate to Edit -> Plugins -> PyClassInformer.
+Then, select the options. In most cases, the default options should remain unchanged.
 
-### Installation ###
+## Installation
 Put "pyclassinformer_plugin.py" and "pyclassinformer" folder including the files under it into the "plugins" folder of IDA's user directory ($IDAUSR).
 
 See the URL if you don't know about "$IDAUSR".  
 [https://hex-rays.com/blog/igors-tip-of-the-week-33-idas-user-directory-idausr/](https://hex-rays.com/blog/igors-tip-of-the-week-33-idas-user-directory-idausr/)  
 [https://www.hex-rays.com/products/ida/support/idadoc/1375.shtml](https://www.hex-rays.com/products/ida/support/idadoc/1375.shtml)
 
-### Requirements ###
-- IDA Pro 7.4 or later (I tested on 7.4 SP1, 7.5 SP3, 8.0, 9.0 SP1 and 9.1)
+## Requirements
+- IDA Pro 7.4 or later (I tested on 7.4 SP1 to 9.1)
 - Python 3.x (I tested on Python 3.8 and 3.10)
 
-You will need at least IDA Pro 7.4 or later because of the APIs that I use.
+You will need at least IDA Pro 7.4 or later because of the APIs that I use. If you want to use full features, use IDA 8.3 or later. Otherwise, some features will be limited to use or skipped.
 
-### Example Results ###
+## Features (short)
+- Display class names, vftables and class hierarchies as a list
+- Display RTTI parsed results on the Output window
+- Display vftables, class names, virtual methods, possilbe constructors and destructors, and class hierarchies as a dir tree (IDA 7.7 or later)
+- Create directories for classes and move virtual methods to them in Functions and Names subviews (IDA 7.7 or later)
+- Move functions refer vftables to "possible ctors or dtors" folder under each class directory in Functions and Names subviews (IDA 7.7 or later)
+- Rename virtual methods by appending class names to them
+- Add the FUNC_LIB flag to methods that known classes own
+- Rename possible constructors and destructors
+- Coloring known class names and their methods on the list and the tree widgets
+
+## Features in detail
+### Default output
 ![PyClassInformer Result](/images/result.png)
-The figure above is an example of PyClassInformer result. And the figure below is an example of the original Class Informer result.  
-As you see, almost all columns are matched with the original ones.   
+The image above is an example of PyClassInformer result. And the image below is an example of the original Class Informer result.  
+  
+![Original ClassInformer Result](/images/orig_class_informer.png)  
+  
+As you see, almost all columns match the original ones.   
 
 In addition, PyClassInformer has two more columns. One is "offset", which shows the offset of a vftable in a class layout.  
 
-Another one named "Hierarchy Order" shows class hierarchy information related to a vftable of a line. The column shows the order of  inheritance from the class to the top-most super class.  
+Another one named "Hierarchy Order" shows class hierarchy information related to a vftable of a line. The column shows the order of inheritance from the class to the top-most super class.  
 
-These are useful for grasping class layouts and class hierarchies. Double-clicking a line navigates to its vftable address as weiil.
-
-![Original ClassInformer Result](/images/orig_class_informer.png)
-If you check the Output subview, you will also see parsed RTTI information such as Complete Object Locator as COL, Class Hierarchy Descriptor as CHD and Base Class Descriptor as BCD with their addresses. They are useful for checking more details and debugging.
+These are useful for grasping class layouts and class hierarchies. Double-clicking a line navigates to its vftable address as well.
 
+### RTTI parsed results
+If you check the Output window, you will also see parsed RTTI information such as Complete Object Locator as COL, Class Hierarchy Descriptor as CHD and Base Class Descriptor as BCD with their addresses. They are useful for checking more details and debugging.  
+  
 ![Class Hierarchy](/images/class_hierarchy.png)  
+
 You will also see class hierarchies by checking indents of BCDs. For example, CMFCComObject, which is the class for the vftable at 0x530fcc, inherits ATL::CAccessibleProxy. And ATL::CAccessibleProxy inherits three super classes, ATL::CComObjectRootEx, ATL::IAccessibleProxyImpl and IOleWindow. Like this, you can get class hierarchy information as a form of a tree.
 
-### Note ###
+### Automatic renaming
+PyClassInformer can automatically append class names to their virtual method names. Therefore, you can easily find them by filtering the class name. The image below is a result appending a class name "CDC" to its methods.  
+
+![automatically renaming virtual methods](/images/auto_renmaing.png)  
+  
+PyClassInformer can also rename functions that refer to vftables to "class name" + "_possible_ctor_or_dtor". The image below is a result. Although some false positives will occur due to inlined ctors and dtors, and dynamic initializers, this feature is still useful to find them.  
+  
+![automatically renaming possible ctors and dtors](/images/auto_renmaing2.png)  
+
+### Virtual method classification (<= IDA 7.7)
+The detected methods are moved to each class folder in Functions and Names subviews.  
+> [!NOTE]
+> This is only available IDA 7.7 or later. 
+  
+![method classifications](/images/classification.png)  
+  
+PyClassInformer also displays a new widget named "Method Classifier". It lists all detected classes, vftables, virtual methods and possible constructors and destructors, and class herarchies at once as a form of a tree.  
+
+![method classifier](/images/method_classifier.png)  
+
+> [!TIP]
+> Class hierarchies are represented as directories in Method Classifier.
+> Unfortunaltely, IDA's quick filter feature cannot filter directory contents.
+> To search them, use text search feture (Ctrl+T (find first text) and Alt+T (Find next text)).
+> For example, input a class name, a single space, and a parenthesis like "CWinApp (".
+
+> [!NOTE]
+> This is only available IDA 7.7 or later. 
+
+### Known classes detection (<= IDA 8.3)
+PyClassInformer can color known class names for easily finding user-defined classes.
+The image below is an example of a coloring result.  
+You can easily find CSimpleTestApp, CSimpleTestDoc, CSimpleTestView and CSimpleTestCtrlItem are user-defined classes. So you can forcus on checking them.  
+  
+![Class coloring](/images/coloring.png)  
+
+The coloring is also applied to Method Classifier widget. Therefore, you can easily find overridden virtual methods like the image below.
+![Methods coloring](/images/overridden_methods.png)  
+  
+> [!NOTE]
+> The coloring feature is only available IDA 8.3 or later. 
+  
+Known class names are defined in "lib_classes.json". I added many patterns related to STL, which starts with "std::", and several versions of MFC Application with MFC Application Wizard.  
+If you find some additional legitimate classes, you can add them to it.  
+
+PyClassInformer also adds the FUNC_LIB flag to the methods that match the list. Therefore, you can recognize they are a part of static linked libraries.  
+The following images are before and after PyClassInformer execution. Many known class methods are found and IDA can recognize them a part of static linked libraries.  
+  
+![Methods coloring](/images/before_libflag_applied.png)  
+![Methods coloring](/images/after_libflag_applied.png)  
+
+## Note
 - I **WILL NOT** support parsing GCC's RTTI. **DO NOT** open an issue about it.
 - I **WILL NOT** support beta versions of IDA. **DO NOT** open an issue about it.
 - Some code is from SusanRTTI and the output table is similar to Class Informer.  
 
@@ -7,64 +7,67 @@
 
 class pci_chooser_t(ida_kernwin.Choose):
 
-    def __init__(self, title, data, icon=-1):
+    def __init__(self, title, data, icon=-1, libcolor=0xffffffe9, defcolor=0xffffffff):
         ida_kernwin.Choose.__init__(
             self,
             title,
             [
-                ["Vftable",   10 | ida_kernwin.Choose.CHCOL_HEX],
+                ["Vftable",   10 | ida_kernwin.Choose.CHCOL_EA],
                 ["Methods",   4  | ida_kernwin.Choose.CHCOL_DEC],
                 ["Flags",     4  | ida_kernwin.Choose.CHCOL_PLAIN],
                 ["Type",      30 | ida_kernwin.Choose.CHCOL_PLAIN],
                 ["Hierarchy", 50 | ida_kernwin.Choose.CHCOL_PLAIN],
                 ["Offset",    4  | ida_kernwin.Choose.CHCOL_HEX],
                 ["Hierarchy Order", 50  | ida_kernwin.Choose.CHCOL_PLAIN],
             ],
-            flags=ida_kernwin.CH_MULTI,
+            flags=ida_kernwin.CH_MULTI|ida_kernwin.CH_ATTRS,
             icon=icon
         )
         self.items = [
             [
                 hex(vftable_ea),
-                "{}".format(len([x for x in pci_utils.get_vtbl_methods(vftable_ea)])),
+                "{}".format(len(data[vftable_ea].vfeas)),
                 data[vftable_ea].chd.flags,
                 data[vftable_ea].name,
                 self.get_hierarychy(data, vftable_ea),
                 hex(data[vftable_ea].offset),
                 self.get_hierarychy_order(data, vftable_ea),
+                data[vftable_ea].libflag,
                 vftable_ea
             ] for vftable_ea in data
         ]
+        self.libcolor = libcolor
+        self.defcolor = defcolor
+        self.libflag = data[next(iter(data))].LIBLIB
 
     def get_hierarychy(self, data, vftable_ea):
         col = data[vftable_ea]
-        col_offs, curr_off = u.get_col_offs(col, data)
+        # get the actual base classes mainly for multiple inheritance
+        bases = u.get_mdisp_bases(col, data)
+        
         result = "{}: ".format(col.name)
-        if len(col.chd.bca.bases) > 0:
-            idx = 0
-            if col.chd.bca.bases[0].name == col.name:
-                idx = 1
+        if len(bases) > 0:
+            # replace the class name with the first BCD's class name if they are different from each other.
+            # it occurs when the class is multiple inheritance with multiple vftables
+            i = 1
+            if bases[0].name != col.name:
+                result = "{}: ".format(bases[0].name)
+                #i = 0
+
             # get the result related to the offset of the COL
-            result += ", ".join([x.name for x in col.chd.bca.bases[idx:] if u.does_bcd_append(col_offs, x, curr_off)]) + ";" if len(col.chd.bca.bases) > 1 else ""
+            result += ", ".join([x.name for x in bases][i:]) + ";" if len(bases) > 1 else ""
         return result
 
     def get_hierarychy_order(self, data, vftable_ea):
         col = data[vftable_ea]
-        col_offs, curr_off = u.get_col_offs(col, data)
         result = []
         if len(col.chd.bca.bases) > 0:
             for off in col.chd.bca.paths:
-                target_off = off
-                if off not in col_offs:
-                    # sometimes, mdisp is not included in COLs.
-                    # in those cases, get the least offset in COLs and it is treated as the offset.
-                    target_off = 0
-                    if len(col_offs) > 0:
-                        target_off = sorted(col_offs)[0]
+                # output each path
                 for p in col.chd.bca.paths[off]:
-                    #if curr_off == target_off or col.chd.flags.find("V") >= 0 or len(list(filter(lambda x: x.pdisp >= 0, p))) > 0:
-                    if curr_off == target_off:
-                        result.append("{:#x}: ".format(off) + " -> ".join([x.name + " ({},{},{})".format(x.mdisp, x.pdisp, x.vdisp) for x in p]))
+                    # get only the target COL related result
+                    if col.offset == off:
+                        result.append(" -> ".join([x.name + " ({},{},{})".format(x.mdisp, x.pdisp, x.vdisp) for x in p]))
 
         return ", ".join(result)
 
@@ -93,8 +96,16 @@ def OnGetEA(self, n):
             n = n[0]
         return self.items[n][-1]
 
+    def OnGetLineAttr(self, n):
+        # change the line color if a class is a part of static linked libraries
+        vftable_ea = self.items[n][-1]
+        color = self.defcolor
+        if self.items[n][-2] == self.libflag:
+            color = self.libcolor
+        return (color, 0)
+
 
-def show_pci_chooser_t(data, icon=-1, modal=False):
-    c = pci_chooser_t("[PyClassInformer]", data, icon)
+def show_pci_chooser_t(data, icon=-1, modal=False, libcolor=0xffffffe9, defcolor=0xffffffff):
+    c = pci_chooser_t("[PyClassInformer]", data, icon, libcolor, defcolor)
     c.Show(modal=modal)
 
@@ -49,10 +49,15 @@ def __init__(self):
         self.data = ida_segment.get_segm_by_name(".data")
         self.rdata = ida_segment.get_segm_by_name(".rdata")
         # try to use rdata if there actually is an rdata segment, otherwise just use data
-        if self.rdata is not None:
+        if self.rdata is not None and self.data is not None:
             self.valid_ranges = [(self.rdata.start_ea, self.rdata.end_ea), (self.data.start_ea, self.data.end_ea)]
+        # fail safe for renaming segment names
         else:
-            self.valid_ranges = [(self.data.start_ea, self.data.end_ea)]
+            self.valid_ranges = []
+            for n in range(ida_segment.get_segm_qty()):
+                seg = ida_segment.getnseg(n)
+                if seg and ida_segment.get_segm_class(seg) == "DATA" and seg and not seg.is_header_segm():
+                    self.valid_ranges.append((seg.start_ea, seg.end_ea))
 
         self.x64 = (ida_segment.getnseg(0).bitness == 2)
         if self.x64:
@@ -65,6 +70,18 @@ def __init__(self):
             self.REF_OFF = ida_nalt.REF_OFF32
             self.PTR_SIZE = 4
             self.get_ptr = ida_bytes.get_32bit
+            
+    @staticmethod
+    def get_data_segments():
+        for n in range(ida_segment.get_segm_qty()):
+            seg = ida_segment.getnseg(n)
+            if seg and ida_segment.get_segm_class(seg) == "DATA" and seg and not seg.is_header_segm():
+                yield seg
+            
+    def update_valid_ranges(self):
+        self.valid_ranges = []
+        for seg in utils.get_data_segments():
+            self.valid_ranges.append((seg.start_ea, seg.end_ea))
 
     # for 32-bit binaries, the RTTI structs contain absolute addresses, but for
     # 64-bit binaries, they're offsets from the image base.
@@ -73,31 +90,7 @@ def x64_imagebase(self):
             return ida_nalt.get_imagebase()
         else:
             return 0
-
-    def mt_rva(self):
-        ri = ida_nalt.refinfo_t()
-        ri.flags = self.REF_OFF|ida_nalt.REFINFO_RVAOFF
-        ri.target = 0
-        mt = ida_nalt.opinfo_t()
-        mt.ri = ri
-        return mt
-
-    def mt_address(self):
-        ri = ida_nalt.refinfo_t()
-        ri.flags = self.REF_OFF
-        ri.target = 0
-        mt = ida_nalt.opinfo_t()
-        mt.ri = ri
-        return mt
-
-    def mt_ascii(self):
-        ri = ida_nalt.refinfo_t()
-        ri.flags = ida_nalt.STRTYPE_C
-        ri.target = -1
-        mt = ida_nalt.opinfo_t()
-        mt.ri = ri
-        return mt
-
+        
     def get_strlen(self, addr, max_len=500):
         # 50 is sometimes too short. I increased a number here.
         strlen = 0
@@ -165,9 +158,8 @@ def set_ptr_or_rva_member(self, sid, mname, mtype_name, array=False, idx=-1):
             tif = ida_typeinf.tinfo_t()
             tif.get_named_type(None, sname)
             udt = ida_typeinf.udt_type_data_t()
-            if tif.get_udt_details(udt):
-                tif.set_udm_type(idx, mtif, 0, r)
-                tif.get_udt_details(udt)
+            tif.set_udm_type(idx, mtif, 0, r)
+            tif.get_udt_details(udt)
         else:
             s = ida_struct.get_struc(sid)
             ida_struct.set_member_tinfo(s, s.get_member(idx), 0, mtif, 0)
@@ -181,23 +173,7 @@ def get_moff_by_name(struc, name):
             # for ida 9.0
             offset = get_member_by_name(struc, name).offset // 8
         return offset
-        
-    @staticmethod
-    def does_bcd_append(col_offs, bcd, curr_off):
-        append = False
-        # for single inheritance
-        if len(col_offs) <= 1:
-            append = True
-        # for multiple inheritance
-        elif bcd.mdisp in col_offs:
-            if bcd.mdisp == curr_off:
-                append = True
-        # for items that are not matched with COL offsets
-        # they are treated as a part of COL offset 0
-        elif curr_off == 0:
-            append = True
-        return append
-        
+    
     @staticmethod
     def get_col_offs(col, vftables):
         # get offsets in COLs by finding xrefs for multiple inheritance
@@ -209,8 +185,27 @@ def get_col_offs(col, vftables):
         cols = list(filter(lambda x: x.ea in coleas, vftables.values()))
         # get the offsets in COLs
         col_offs = [ida_bytes.get_32bit(x.ea+utils.get_moff_by_name(x.struc, "offset")) for x in cols]
-        curr_off = col.offset
-        return col_offs, curr_off
+        return col_offs
+
+    @staticmethod
+    def get_mdisp_bases(col, vftables):
+        # for checking if a class has multiple vftables or not
+        col_offs = utils.get_col_offs(col, vftables)
+        
+        bases = []
+        for path in col.chd.bca.paths[col.offset]:
+            append = False
+            for bcd in path:
+                # for SI and MI but there is only a vftable
+                if len(col_offs) < 2:
+                    append = True
+                # for MI and there are multiple vftables
+                elif bcd.mdisp == col.offset:
+                    append = True
+                # if append flag is enabled, append it and subsequent BCDs after it
+                if append and bcd not in bases:
+                    bases.append(bcd)
+        return bases
 
 
 def add_struc_by_name_and_def(name, struc_def):
@@ -237,6 +232,7 @@ def build_udm(name, msize=0, mtype=ida_typeinf.BTF_INT, moffset=-1, vrepr=None):
 
     return udm
 
+
 def add_struc(name):
     tif = ida_typeinf.tinfo_t()
     udt = ida_typeinf.udt_type_data_t()