
IDA helper plugin for analyzing C++ class structures (ida_medigate)

2023-10-08 04:45 | Source: compiled from the web | Views: 265

1. Download the plugin

IDA_medigate

2. Put medigate_cpp_plugin.py into IDA's plugins folder, and also put plugins/ida-referee/referee.py into the plugins folder.

3. Put the downloaded ida_medigate package into the Lib\site-packages\ directory of IDA's bundled python38, e.g. D:\IDA_Pro_7.7\python38\Lib\site-packages

4. Configure the plugin search path

In IDA, enter:

import idaapi
idaapi.get_user_idadir()

This returns the path 'C:\Users\XXX\AppData\Roaming\Hex-Rays\IDA Pro'.

Create a new idapythonrc.py in that directory

and add the following code:

import ida_idaapi
ida_idaapi.require('ida_medigate')   # call require() on the module you imported

5. Error

When IDA loads the plugin, it fails with:

D:\IDA_Pro_7.7\plugins\medigate_cpp_plugin.py: [Errno 2] No such file or directory: 'D:\\tmp\\cpp_plugin.log'
Traceback (most recent call last):
  File "D:\IDA_Pro_7.7\python\3\ida_idaapi.py", line 580, in IDAPython_ExecScript
    exec(code, g)
  File "D:/IDA_Pro_7.7/plugins/medigate_cpp_plugin.py", line 2, in <module>
    from ida_medigate.cpp_plugin.plugin import CPPPlugin
  File "D:\IDA_Pro_7.7\python38\lib\site-packages\ida_medigate\cpp_plugin\plugin.py", line 4, in <module>
    from .hooks import CPPHooks, CPPUIHooks, HexRaysHooks
  File "D:\IDA_Pro_7.7\python38\lib\site-packages\ida_medigate\cpp_plugin\hooks.py", line 16, in <module>
    logging.basicConfig(
  File "logging\__init__.py", line 1988, in basicConfig
  File "logging\__init__.py", line 1147, in __init__
  File "logging\__init__.py", line 1176, in _open
FileNotFoundError: [Errno 2] No such file or directory: 'D:\\tmp\\cpp_plugin.log'

Fix: create D:\tmp\cpp_plugin.log. hooks.py calls logging.basicConfig with that hard-coded log path when the plugin loads, so the D:\tmp directory must exist beforehand.

6. Usage

The demo provided by the plugin's author:

#include <iostream>
using namespace std;

class A {
public:
    int x_a;
    virtual int f_a() = 0;
};

class B : public A {
public:
    int x_b;
    int f_a() { x_a = 0; return 0; }           // return added so the int functions compile cleanly
    virtual int f_b() { this->f_a(); return 0; }
};

// The original listing was cut here by HTML extraction (the "<<" after cout
// swallowed everything up to the next "->"). The bodies of Z, class C and
// main() below are reconstructed minimally from the surviving fragment and
// from the plugin log (C derives from B at offset 0 and from Z at offset 12).
class Z {
public:
    virtual int f_z1() { cout << "f_z1" << endl; return 0; }
    virtual int f_z2() { cout << "f_z2" << endl; return 0; }
};

class C : public B, public Z {
};

int main() {
    C *c = new C();
    c->f_z1();
    c->f_z2();
    return 0;
}

7. Automatically building the class hierarchy

Enter in IDA's command window:

from ida_medigate.rtti_parser import GccRTTIParser
GccRTTIParser.init_parser()
GccRTTIParser.build_all()

Then check D:\tmp\cpp_plugin.log for the log output:

2023-07-03 15:23:00,589 - DEBUG - Starting :12344 0x3038
2023-07-03 15:23:00,590 - INFO - C: Parsed typeinfo
2023-07-03 15:23:00,590 - INFO - B: Parsed typeinfo
2023-07-03 15:23:00,590 - INFO - A: Parsed typeinfo
2023-07-03 15:23:00,590 - DEBUG - A: Finish setup parents
2023-07-03 15:23:00,590 - DEBUG - create_vtable_struct(A, 0)
2023-07-03 15:23:00,590 - DEBUG - Couldn't found parent vtable A 0
2023-07-03 15:23:00,591 - ERROR - Couldn't decompile 0x3034
Traceback (most recent call last):
  File "D:\IDA_Pro_7.7\python38\lib\site-packages\ida_medigate\cpp_utils.py", line 293, in update_func_this
    func_details = utils.get_func_details(func_ea)
  File "D:\IDA_Pro_7.7\python38\lib\site-packages\ida_medigate\utils.py", line 101, in get_func_details
    xfunc = ida_hexrays.decompile(func_ea)
  File "D:\IDA_Pro_7.7\python\3\ida_hexrays.py", line 25850, in decompile
    raise DecompilationFailure(hf)
ida_hexrays.DecompilationFailure: Decompilation failed: 3034: special segments cannot be decompiled
2023-07-03 15:23:00,596 - DEBUG - B: Finish setup parents
2023-07-03 15:23:00,597 - DEBUG - Is struct!
2023-07-03 15:23:00,597 - DEBUG - Is struct: A/4278190317
2023-07-03 15:23:00,597 - DEBUG - create_vtable_struct(B, 0)
2023-07-03 15:23:00,597 - DEBUG - Found parent vtable B 0
2023-07-03 15:23:00,597 - DEBUG - add_child_vtable (A, B, 4278190323)
2023-07-03 15:23:00,598 - DEBUG - pointed_struct:
2023-07-03 15:23:00,598 - DEBUG - A vtable isn't union -> unionize it!
2023-07-03 15:23:00,598 - DEBUG - install_vtables_union(A, , A_vtbl *)
2023-07-03 15:23:00,598 - DEBUG - Is struct!
2023-07-03 15:23:00,598 - DEBUG - Is struct: A_vtbl_orig/4278190318
2023-07-03 15:23:00,599 - DEBUG - add_to_struct 4278190324 B_vtbl
2023-07-03 15:23:00,599 - DEBUG - Is struct!
2023-07-03 15:23:00,599 - DEBUG - Is struct: B_vtbl/4278190323
2023-07-03 15:23:00,602 - DEBUG - analyzing function at 0x98E
2023-07-03 15:23:00,602 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,603 - DEBUG - Overwriting!
2023-07-03 15:23:00,607 - DEBUG - analyzing function at 0x9A8
2023-07-03 15:23:00,607 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,609 - INFO - Z: Parsed typeinfo
2023-07-03 15:23:00,609 - DEBUG - Z: Finish setup parents
2023-07-03 15:23:00,609 - DEBUG - create_vtable_struct(Z, 0)
2023-07-03 15:23:00,609 - DEBUG - Couldn't found parent vtable Z 0
2023-07-03 15:23:00,618 - DEBUG - analyzing function at 0x9CE
2023-07-03 15:23:00,618 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,623 - DEBUG - analyzing function at 0xA00
2023-07-03 15:23:00,623 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,624 - DEBUG - C: Finish setup parents
2023-07-03 15:23:00,624 - DEBUG - Is struct!
2023-07-03 15:23:00,624 - DEBUG - Is struct: B/4278190321
2023-07-03 15:23:00,625 - DEBUG - Expanding struc B 0x4 -> 0xc
2023-07-03 15:23:00,625 - DEBUG - Delete member (0x4dfe0000-0x4dfe000b)
2023-07-03 15:23:00,625 - DEBUG - Now fix args:
2023-07-03 15:23:00,625 - DEBUG - [4278190334, 'baseclass_0', 0, 1610613760, 4278190321, 12] = -2
2023-07-03 15:23:00,625 - DEBUG - Is struct!
2023-07-03 15:23:00,626 - DEBUG - Is struct: Z/4278190329
2023-07-03 15:23:00,626 - DEBUG - create_vtable_struct(C, 0)
2023-07-03 15:23:00,626 - DEBUG - Found parent vtable C 0
2023-07-03 15:23:00,626 - DEBUG - add_child_vtable (B, C, 4278190338)
2023-07-03 15:23:00,626 - DEBUG - pointed_struct:
2023-07-03 15:23:00,626 - DEBUG - Not a struct vtable: A
2023-07-03 15:23:00,626 - DEBUG - B vtable isn't union -> unionize it!
2023-07-03 15:23:00,627 - DEBUG - install_vtables_union(B, None, A)
2023-07-03 15:23:00,627 - DEBUG - Is struct!
2023-07-03 15:23:00,627 - DEBUG - Is struct: B_vtbl_orig/4278190323
2023-07-03 15:23:00,627 - DEBUG - add_to_struct 4278190339 C_vtbl
2023-07-03 15:23:00,627 - DEBUG - Is struct!
2023-07-03 15:23:00,627 - DEBUG - Is struct: C_vtbl/4278190338
2023-07-03 15:23:00,628 - DEBUG - add_child_vtable (A, C, 4278190338)
2023-07-03 15:23:00,628 - DEBUG - pointed_struct:
2023-07-03 15:23:00,628 - DEBUG - add_to_struct 4278190324 C_vtbl
2023-07-03 15:23:00,628 - DEBUG - Is struct!
2023-07-03 15:23:00,628 - DEBUG - Is struct: C_vtbl/4278190338
2023-07-03 15:23:00,631 - DEBUG - analyzing function at 0xA32
2023-07-03 15:23:00,631 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,632 - DEBUG - Overwriting!
2023-07-03 15:23:00,635 - DEBUG - analyzing function at 0x9A8
2023-07-03 15:23:00,635 - DEBUG - Loaded 0 xrefs
2023-07-03 15:23:00,635 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,635 - DEBUG - 0x9BD struct B_vtbl_orig dr_R | XREF_USER
2023-07-03 15:23:00,635 - DEBUG - 0x9BD member B_vtbl_orig.B__sub_98E dr_R | XREF_USER
2023-07-03 15:23:00,635 - DEBUG - 0x9BD struct B_vtbl dr_R | XREF_USER
2023-07-03 15:23:00,636 - DEBUG - 0x9BD member B_vtbl.B dr_R | XREF_USER
2023-07-03 15:23:00,636 - DEBUG - 0x9BD struct B dr_R | XREF_USER
2023-07-03 15:23:00,636 - DEBUG - 0x9BD member B.baseclass_0 dr_R | XREF_USER
2023-07-03 15:23:00,639 - DEBUG - analyzing function at 0x9A8
2023-07-03 15:23:00,639 - DEBUG - Loaded 6 xrefs
2023-07-03 15:23:00,639 - DEBUG - Cleared 6 xrefs
2023-07-03 15:23:00,639 - DEBUG - 0x9BD struct B_vtbl_orig dr_R | XREF_USER
2023-07-03 15:23:00,639 - DEBUG - 0x9BD member B_vtbl_orig.B__sub_98E dr_R | XREF_USER
2023-07-03 15:23:00,640 - DEBUG - 0x9BD struct B_vtbl dr_R | XREF_USER
2023-07-03 15:23:00,640 - DEBUG - 0x9BD member B_vtbl.B dr_R | XREF_USER
2023-07-03 15:23:00,640 - DEBUG - 0x9BD struct B dr_R | XREF_USER
2023-07-03 15:23:00,640 - DEBUG - 0x9BD member B.baseclass_0 dr_R | XREF_USER
2023-07-03 15:23:00,644 - DEBUG - analyzing function at 0xA4C
2023-07-03 15:23:00,645 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,646 - DEBUG - create_vtable_struct(C, 12)
2023-07-03 15:23:00,646 - DEBUG - Found parent vtable C 12
2023-07-03 15:23:00,647 - DEBUG - add_child_vtable (Z, C, 4278190346)
2023-07-03 15:23:00,647 - DEBUG - pointed_struct:
2023-07-03 15:23:00,647 - DEBUG - Z vtable isn't union -> unionize it!
2023-07-03 15:23:00,647 - DEBUG - install_vtables_union(Z, , Z_vtbl *)
2023-07-03 15:23:00,647 - DEBUG - Is struct!
2023-07-03 15:23:00,647 - DEBUG - Is struct: Z_vtbl_orig/4278190330
2023-07-03 15:23:00,648 - DEBUG - add_to_struct 4278190347 C_000C_vtbl
2023-07-03 15:23:00,648 - DEBUG - Is struct!
2023-07-03 15:23:00,648 - DEBUG - Is struct: C_000C_vtbl/4278190346
2023-07-03 15:23:00,650 - DEBUG - analyzing function at 0xA7E
2023-07-03 15:23:00,650 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,651 - DEBUG - Overwriting!
2023-07-03 15:23:00,654 - DEBUG - analyzing function at 0xA00
2023-07-03 15:23:00,654 - DEBUG - Loaded 0 xrefs
2023-07-03 15:23:00,654 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,658 - DEBUG - analyzing function at 0xA00
2023-07-03 15:23:00,658 - DEBUG - Loaded 0 xrefs
2023-07-03 15:23:00,658 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,659 - INFO - Done 12344
2023-07-03 15:23:00,659 - DEBUG - Starting :12336 0x3030
2023-07-03 15:23:00,659 - INFO - Done 12336
2023-07-03 15:23:00,659 - DEBUG - Starting :12320 0x3020
2023-07-03 15:23:00,659 - INFO - Done 12320

Open IDA's Structures window: new structure types have been created.

Find the function sub_84A, press Y (set type) and change the type of v0 to C. The types of the class and its virtual functions are now almost all recognised correctly.

8. Manually building the class hierarchy

This requires manually selecting the virtual function table first, then entering the command in the command-line window:

from ida_medigate import cpp_utils
cpp_utils.make_vtable("B")


9. Setting inheritance

cpp_utils.add_baseclass("C", "B")

10. Summary

When using the plugin, manually setting up classes sometimes crashes IDA, and I could not reproduce a result identical to the author's demo. Still, for analyzing C++ programs this plugin is very helpful.
