Recall from Chapter 8 that C++ programs may include information that can assist you in recovering class names and class hierarchies. This embedded information is designed to support C++ Runtime Type Identification (RTTI). The C++ Class Informer plug-in by Sirmabus is designed to assist in the process of reverse engineering C++ code that was compiled using Microsoft Visual Studio. Class Informer automates much of the process described by Igor Skochinsky in his OpenRCE article on reversing Microsoft Visual C++[212] by identifying virtual function tables (vtables or vftables) and RTTI information and then extracting related class name and inheritance information.
Name | Class Informer
Author | Sirmabus
Distribution | Binary only
Price | Free
Description | MSVC C++ class identifier
Download | http://www.macromonkey.com/downloads/IDAPlugIns/Class_Informer102.zip
Upon activation, Class Informer displays the options dialog shown in Figure 23-4, allowing the user to dictate where within the binary Class Informer should scan for vtables and permitting the user to control the verbosity of Class Informer’s output.
Once the user clicks Continue, Class Informer begins its scan, which may take some time depending on the size of the binary and the number of virtual function tables that Class Informer encounters. When complete, Class Informer opens a new tabbed window within IDA in order to summarize its findings. A partial listing, representative of Class Informer’s output, is shown here.
Vftable   Method count   Class & structure info
0041A298  0003           ChildClass; [MI]
0041A2A8  0003           ChildClass: SuperClass1, SuperClass2; [MI]
0041A2B8  0003           SuperClass1; [SI]
0041A2C8  0003           SuperClass2; [SI]
0041A2D8  0004           BaseClass; [SI]
0041A2EC  0005           SubClass: BaseClass; [SI]
For each virtual function table discovered, Class Informer displays the address of the vtable, the method count (equal to the number of function pointers contained in the vtable), and summary information about the class derived from the embedded RTTI data. Recovered class information includes the name of the class, the names of any superclasses, and an indication of whether the class inherits from a single base class ([SI]) or from multiple base classes ([MI]). A class that uses multiple inheritance carries one vtable per polymorphic base subobject, which is why ChildClass appears twice in the listing above. For each vtable discovered, Class Informer also applies structure templates to all of the RTTI-related data structures associated with the class and names each structure and the class's vtable in accordance with Microsoft's name-mangling scheme. This results in a substantial time saving for anyone reverse engineering Visual C++ code of any complexity. Because everything Class Informer reports is derived from RTTI data, it has little to work with in a binary built with RTTI disabled (/GR-).
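The following is an added example, written for this page; it is not Class Informer's code and does not come from the book or from Skochinsky's article. It constructs a small 32-bit image in memory laid out the way MSVC emits RTTI (TypeDescriptor, RTTIBaseClassDescriptor, RTTIClassHierarchyDescriptor, RTTICompleteObjectLocator, then the vftable with its COL pointer at index -1), and then runs the recovery steps the text describes over it: find COL pointers, count the method pointers that follow, demangle the class name, and walk the base class array to get direct superclasses and the SI/MI flag. The load address (BASE), the code range (CODE), the type_info vftable address 0x00420000 and every method address returned by fn() are hypothetical constants chosen for the constructed sample.

```python
import struct

BASE = 0x0041A000                  # hypothetical load address of the constructed .rdata
CODE = (0x00401000, 0x00410000)    # hypothetical .text range that method pointers fall in
img = bytearray()

def emit(data: bytes) -> int:      # append 4-byte-aligned data, return its virtual address
    while len(img) % 4:
        img.append(0)
    va = BASE + len(img)
    img.extend(data)
    return va

def u32(va: int) -> int:
    return struct.unpack_from("<I", img, va - BASE)[0]
def in_img(va: int) -> bool:
    return BASE <= va < BASE + len(img)

# Builders for the x86 MSVC RTTI structures, fields in the order the compiler emits them.
def type_descriptor(mangled: str) -> int:   # pVFTable (type_info's, hypothetical), spare, name[]
    return emit(struct.pack("<II", 0x00420000, 0) + mangled.encode() + b"\0")
def base_class_descriptor(td: int, contained: int, mdisp: int) -> int:
    # pTypeDescriptor, numContainedBases, PMD{mdisp, pdisp, vdisp}, attributes
    return emit(struct.pack("<IIiiiI", td, contained, mdisp, -1, 0, 0))
def class_hierarchy_descriptor(attributes: int, bcds: list) -> int:
    bca = emit(struct.pack("<%dI" % len(bcds), *bcds))                 # RTTIBaseClassArray
    return emit(struct.pack("<IIII", 0, attributes, len(bcds), bca))  # sig, attrs, count, array
def complete_object_locator(offset: int, td: int, chd: int) -> int:
    # signature, offset (of this vftable's subobject), cdOffset, pTypeDescriptor, pClassDescriptor
    return emit(struct.pack("<IIIII", 0, offset, 0, td, chd))
def vftable(col: int, methods: list) -> int:
    emit(struct.pack("<I", col))             # the COL pointer sits at vftable[-1]
    return emit(struct.pack("<%dI" % len(methods), *methods))
def fn(n: int) -> int:                       # hypothetical method address inside CODE
    return CODE[0] + n * 0x10

# Constructed sample matching the listing: SuperClass1, SuperClass2, ChildClass : SuperClass1, SuperClass2
td_s1, td_s2, td_ch = (type_descriptor(m) for m in
                       (".?AVSuperClass1@@", ".?AVSuperClass2@@", ".?AVChildClass@@"))
chd_s1 = class_hierarchy_descriptor(0, [base_class_descriptor(td_s1, 0, 0)])
chd_s2 = class_hierarchy_descriptor(0, [base_class_descriptor(td_s2, 0, 0)])
vt_s1 = vftable(complete_object_locator(0, td_s1, chd_s1), [fn(1), fn(2), fn(3)])
vt_s2 = vftable(complete_object_locator(0, td_s2, chd_s2), [fn(4), fn(5), fn(6)])
# attributes bit 0 = multiple inheritance; the base class array is depth-first:
# [ChildClass (2 contained bases), SuperClass1 at offset 0, SuperClass2 at offset 4]
chd_ch = class_hierarchy_descriptor(1, [base_class_descriptor(td_ch, 2, 0),
                                        base_class_descriptor(td_s1, 0, 0),
                                        base_class_descriptor(td_s2, 0, 4)])
# MI gives ChildClass one vftable per base subobject; each COL records its subobject offset
vt_ch0 = vftable(complete_object_locator(0, td_ch, chd_ch), [fn(7), fn(8), fn(9)])
vt_ch4 = vftable(complete_object_locator(4, td_ch, chd_ch), [fn(10), fn(11), fn(12)])

# Recovery side: the steps Class Informer automates over a real IDB.
def demangle(mangled: str) -> str:          # '.?AVFoo@ns@@' -> 'ns::Foo' (type names only)
    assert mangled.startswith(".?A") and mangled.endswith("@@"), mangled
    return "::".join(reversed(mangled[4:-2].split("@")))
def td_name(td: int) -> str:
    off = td - BASE + 8                      # name[] follows the two pointer fields
    return demangle(img[off:img.index(b"\0", off)].decode())

def looks_like_col(va: int) -> bool:
    """Sanity test from Skochinsky's article: signature 0, TD and CHD in-image, TD name '.?A'."""
    if not (in_img(va) and in_img(va + 19)):
        return False
    sig, _, _, td, chd = struct.unpack_from("<IIIII", img, va - BASE)
    if sig != 0 or not in_img(td) or not in_img(chd):
        return False
    return img[td - BASE + 8:td - BASE + 11] == b".?A"

def direct_bases(chd: int) -> tuple:
    """(attributes, [direct base names]); nested bases are skipped via numContainedBases."""
    _, attrs, n, bca = struct.unpack_from("<IIII", img, chd - BASE)
    names, i = [], 1                         # entry 0 is the class itself
    while i < n:
        td, contained = struct.unpack_from("<II", img, u32(bca + 4 * i) - BASE)
        names.append(td_name(td))
        i += 1 + contained
    return attrs, names

def scan() -> list:
    """Every vftable preceded by a valid COL: (vftable, method count, class, bases, SI/MI, offset)."""
    rows = []
    for off in range(0, len(img) - 4, 4):
        col = u32(BASE + off)
        if not looks_like_col(col):
            continue
        vt, count = BASE + off + 4, 0
        while in_img(vt + 4 * count + 3) and CODE[0] <= u32(vt + 4 * count) < CODE[1]:
            count += 1                       # method count = run of pointers into code
        if count:
            _, offset, _, td, chd = struct.unpack_from("<IIIII", img, col - BASE)
            attrs, bases = direct_bases(chd)
            rows.append((vt, count, td_name(td), bases, "MI" if attrs & 1 else "SI", offset))
    return rows

if __name__ == "__main__":
    print("Vftable   Method count   Class & structure info")
    for vt, count, name, bases, kind, offset in scan():
        print("%08X  %04X           %s; [%s]%s" % (vt, count, name + (": " + ", ".join(bases) if bases else ""),
                                                  kind, "  (subobject offset %d)" % offset if offset else ""))
```

Running it prints four rows in the same column layout as the listing: one each for SuperClass1 and SuperClass2 tagged [SI], and two for ChildClass tagged [MI] with both superclasses named, the second carrying the subobject offset 4. The layout above is the 32-bit one; on x64 MSVC sets the COL signature to 1 and stores image-relative 32-bit offsets instead of pointers (with an extra self-offset field in the COL), so the same walk has to resolve RVAs against the image base.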