RTTI Implementations

In Chapter 8 we discussed C++ Runtime Type Identification (RTTI) and the fact that no standard exists for the manner in which RTTI is implemented by a compiler. Automatic recognition of RTTI-related constructs within a binary is another area in which IDA’s capabilities vary across compilers. Not surprisingly, IDA’s capabilities in this area are strongest with binaries compiled using Borland compilers. Readers interested in automated recognition of Microsoft RTTI data structures may want to try Igor Skochinsky’s IDC script available at The IDA Palace[142] or the Class Informer plug-in by Sirmabus,[143] which will be discussed further in Chapter 23.

A simple strategy for understanding how a specific compiler embeds type information for C++ classes is to write a basic program that makes use of classes containing virtual functions. After compiling the program, you can load the resulting executable into IDA and search for instances of strings that contain the names of classes used in the program. Regardless of the compiler used to build a binary, one thing that RTTI data structures have in common is that they all contain a pointer to a string containing the name of the class that they represent. Using data cross-references, it should be possible to locate a pointer to one such string, thus locating candidate RTTI data structures. The last step is to link a candidate RTTI structure back to the associated class’s vtable, which is best accomplished by following data cross-references backward from a candidate RTTI structure until a table of function pointers (the vtable) is reached.
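The following program is an added example of the kind of test binary the strategy above calls for; it is not code from the book. It defines two classes with virtual functions so that the compiler emits a vtable and an RTTI type descriptor for each. Compiling it (for example, `g++ -O0 rtti_demo.cpp -o rtti_demo`) and loading the result into IDA lets you search for the strings `Base` and `Derived`, follow the data cross-references to the type descriptors that point at them, and then follow cross-references backward to the vtables. The functions `dynamicTypeName`, `typeNameContains` and `safeDowncast` are names chosen here for illustration; they show that `typeid` and `dynamic_cast` consult the same embedded name strings and structures you will be locating in the disassembly.

```cpp
// Added example (not from the book): a minimal program that makes the
// compiler emit RTTI for two polymorphic classes. The class name strings
// ("Base", "Derived") end up in the binary's data section, referenced by
// the compiler's type descriptor, which is in turn referenced from the
// class's vtable.
#include <cstdio>
#include <cstring>
#include <typeinfo>

class Base {
public:
    virtual ~Base() {}
    // A virtual function forces a vtable and, with it, RTTI data.
    virtual int tag() const { return 1; }
};

class Derived : public Base {
public:
    int tag() const override { return 2; }
    int derivedOnly() const { return 42; }
};

// Return the compiler's type name for the dynamic type of *obj.
// The spelling is ABI-specific: "7Derived" under the Itanium ABI used by
// gcc/clang, "class Derived" under MSVC. Either way the plain class name
// is a substring, which is exactly what a string search in IDA finds.
const char* dynamicTypeName(const Base* obj) {
    return typeid(*obj).name();
}

// True when className occurs inside the RTTI type name string.
bool typeNameContains(const Base* obj, const char* className) {
    return std::strstr(dynamicTypeName(obj), className) != nullptr;
}

// dynamic_cast walks the same RTTI structures. Returns derivedOnly() on a
// successful downcast, or -1 when the object is not really a Derived.
int safeDowncast(Base* obj) {
    Derived* d = dynamic_cast<Derived*>(obj);
    return d ? d->derivedOnly() : -1;
}

int main() {
    Base b;
    Derived d;
    Base* objs[2] = { &b, &d };
    for (Base* o : objs) {
        std::printf("tag=%d typeid=%s downcast=%d\n",
                    o->tag(), dynamicTypeName(o), safeDowncast(o));
    }
    return 0;
}
```

Build without optimization so neither class is devirtualized away; with `-O2` the compiler may inline the calls, although the type descriptors are still emitted as long as `dynamic_cast` or `typeid` is used on the polymorphic type.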
