SlideShare una empresa de Scribd logo

HexRaysCodeXplorer: make object-oriented RE easier

Alex Matrosov
Alex Matrosov

HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. Here are the main features of the plugin: - Automatic type REconstruction for C++ objects. - C-tree graph visualization – a special tree-like structure representing a decompiled routine in c_itemt terms. Useful feature for understanding how the decompiler works. - Navigation through virtual function calls in HexRays Pseudocode window. - Object Explorer – useful interface for navigation through virtual tables (VTBL) structures. In this presentation authors of HexRaysCodeXplorer will be discussing main functionality of the plugin and its application for reverse engineering. The authors will be presenting the algorithm for C++ type REconstruction. Also a special version of HexRaysCodeXplorer (ZeroNigths edition) will be released with new features developed specially for ZeroNights conference. New features will be committed GitHub from the stage

Tecnología
1 de 27
Descargar para leer sin conexión
HexRaysCodeXplorer: make object-oriented RE easier Aleksandr MatrosovEugene Rodionov @matrosov @vxradius
C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction     Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
C++ Code Reconstruction: the truth is out there
An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
HexRaysCodeXplorer
HexRaysCodeXplorer Features  Hex-Rays decompiler plugin  The plugin was designed to facilitate static analysis of:  object oriented code  position independent code  The plugin allows to:  navigate through decompiled virtual methods  partially reconstruct object type
Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type citem_t cexpr_t cinsn_t  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t
Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type citem_t cexpr_t cinsn_t  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t
HexRaysCodeXplorer: Gapz Position Independent Code
HexRaysCodeXplorer: Virtual Methods  The IDA’s “Local Types” is used to represent object type
HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods
HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods
HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction  citem_t objects to monitor:  memptr  call (LOBYTE, etc.)  idx  memref
HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
HexRaysCodeXplorer 1.1 [ZeroNights Edition]  Type Reconstruction:  reconstruct type into IDA local types  bugfixes =)  ObjectExplorer:  Auto structures for VTBL  Click on VTBL and jump to code  ObjectExplorer hints for VTBL
NO TIME for DEMO
Thank you for your attention! Eugene Rodionov Aleksandr Matrosov @vxradius @matrosov

Recomendados

Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an Overview
Roberto Casadei
 
Why rust?
Why rust?Why rust?
Why rust?
Mats Kindahl
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++
corehard_by
 
Start Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New RopeStart Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New Rope
Yung-Yu Chen
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...
Claudio Capobianco
 
Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applications
Dmitry Matyukhin
 
Python Objects
Python ObjectsPython Objects
Python Objects
Quintagroup
 

Recomendados

Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an Overview
Roberto Casadei
 
Why rust?
Why rust?Why rust?
Why rust?
Mats Kindahl
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++
corehard_by
 
Start Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New RopeStart Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New Rope
Yung-Yu Chen
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...
Claudio Capobianco
 
Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applications
Dmitry Matyukhin
 
Python Objects
Python ObjectsPython Objects
Python Objects
Quintagroup
 
Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017
pramode_ce
 
Google Dart
Google DartGoogle Dart
Google Dart
Eberhard Wolff
 
Android JNI
Android JNIAndroid JNI
Android JNI
Siva Ramakrishna kv
 
Getting started with C# Programming
Getting started with C# ProgrammingGetting started with C# Programming
Getting started with C# Programming
Bhushan Mulmule
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
nikomatsakis
 
Ts archiving
Ts archivingTs archiving
Ts archiving
Confiz
 
Guaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in RustGuaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in Rust
nikomatsakis
 
Intro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY MeetupIntro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY Meetup
nikomatsakis
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22
nikomatsakis
 
Python GC
Python GCPython GC
Python GC
delimitry
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Sioux
nikomatsakis
 
Book
BookBook
Book
luis_lmro
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-C
corehard_by
 
Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)
Sumant Tambe
 
Java 7
Java 7Java 7
Java 7
Bipul Sinha
 
Node.js extensions in C++
Node.js extensions in C++Node.js extensions in C++
Node.js extensions in C++
Kenneth Geisshirt
 
Collections forceawakens
Collections forceawakensCollections forceawakens
Collections forceawakens
RichardWarburton
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
Roberto Suggi Liverani
 
Objective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchObjective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central Dispatch
Matteo Battaglio
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 

Más contenido relacionado

La actualidad más candente

Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
nikomatsakis
 
Ts archiving
Ts archivingTs archiving
Ts archiving
Confiz
 
Collections forceawakens
Collections forceawakensCollections forceawakens
Collections forceawakens
RichardWarburton
 

La actualidad más candente (19)

Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017
 
Google Dart
Google DartGoogle Dart
Google Dart
 
Android JNI
Android JNIAndroid JNI
Android JNI
 
Getting started with C# Programming
Getting started with C# ProgrammingGetting started with C# Programming
Getting started with C# Programming
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
 
Ts archiving
Ts archivingTs archiving
Ts archiving
 
Guaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in RustGuaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in Rust
 
Intro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY MeetupIntro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY Meetup
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22
 
Python GC
Python GCPython GC
Python GC
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Sioux
 
Book
BookBook
Book
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-C
 
Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)
 
Java 7
Java 7Java 7
Java 7
 
Node.js extensions in C++
Node.js extensions in C++Node.js extensions in C++
Node.js extensions in C++
 
Collections forceawakens
Collections forceawakensCollections forceawakens
Collections forceawakens
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
 
Objective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchObjective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central Dispatch
 

Destacado

Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
Alex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
CODE BLUE
 

Destacado (20)

Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Similar a HexRaysCodeXplorer: make object-oriented RE easier

Manipulating object-behavior-at-runtime
Manipulating object-behavior-at-runtimeManipulating object-behavior-at-runtime
Manipulating object-behavior-at-runtime
Andrei Ursan
 
Whats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoWhats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPonto
Paulo Morgado
 
Developing your first application using FIWARE
Developing your first application using FIWAREDeveloping your first application using FIWARE
Developing your first application using FIWARE
FIWARE
 
Understanding Reflection
Understanding ReflectionUnderstanding Reflection
Understanding Reflection
Tamir Khason
 
Introduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicIntroduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamic
Gieno Miao
 
Whidbey old
Whidbey old Whidbey old
Whidbey old
grenaud
 
Introduction To Dojo
Introduction To DojoIntroduction To Dojo
Introduction To Dojo
yoavrubin
 
Dynamic Language Performance
Dynamic Language PerformanceDynamic Language Performance
Dynamic Language Performance
Kevin Hazzard
 

Similar a HexRaysCodeXplorer: make object-oriented RE easier (20)

Manipulating object-behavior-at-runtime
Manipulating object-behavior-at-runtimeManipulating object-behavior-at-runtime
Manipulating object-behavior-at-runtime
 
Visual C++ project model
Visual C++ project modelVisual C++ project model
Visual C++ project model
 
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
 
.Net Framework Introduction
.Net Framework Introduction.Net Framework Introduction
.Net Framework Introduction
 
Introduction to c_plus_plus
Introduction to c_plus_plusIntroduction to c_plus_plus
Introduction to c_plus_plus
 
Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)
 
Whats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoWhats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPonto
 
PDC Video on C# 4.0 Futures
PDC Video on C# 4.0 FuturesPDC Video on C# 4.0 Futures
PDC Video on C# 4.0 Futures
 
Constructors in C++.pptx
Constructors in C++.pptxConstructors in C++.pptx
Constructors in C++.pptx
 
Framework engineering JCO 2011
Framework engineering JCO 2011Framework engineering JCO 2011
Framework engineering JCO 2011
 
Developing your first application using FIWARE
Developing your first application using FIWAREDeveloping your first application using FIWARE
Developing your first application using FIWARE
 
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc
 
Understanding Reflection
Understanding ReflectionUnderstanding Reflection
Understanding Reflection
 
1204csharp
1204csharp1204csharp
1204csharp
 
Introduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicIntroduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamic
 
Whidbey old
Whidbey old Whidbey old
Whidbey old
 
Modern C++
Modern C++Modern C++
Modern C++
 
Introduction To Dojo
Introduction To DojoIntroduction To Dojo
Introduction To Dojo
 
Proxy design pattern (Class Ambassador)
Proxy design pattern (Class Ambassador)Proxy design pattern (Class Ambassador)
Proxy design pattern (Class Ambassador)
 
Dynamic Language Performance
Dynamic Language PerformanceDynamic Language Performance
Dynamic Language Performance
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

HexRaysCodeXplorer: make object-oriented RE easier

  • 1. HexRaysCodeXplorer: make object-oriented RE easier Aleksandr MatrosovEugene Rodionov @matrosov @vxradius
  • 2. C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction     Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
  • 3. C++ Code Reconstruction: the truth is out there
  • 4. An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
  • 5. An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
  • 6. An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
  • 8.
  • 9. HexRaysCodeXplorer Features  Hex-Rays decompiler plugin  The plugin was designed to facilitate static analysis of:  object oriented code  position independent code  The plugin allows to:  navigate through decompiled virtual methods  partially reconstruct object type
  • 10. Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
  • 11. Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
  • 12. Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type citem_t cexpr_t cinsn_t  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t
  • 13. Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type citem_t cexpr_t cinsn_t  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t
  • 15. HexRaysCodeXplorer: Virtual Methods  The IDA’s “Local Types” is used to represent object type
  • 16. HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods
  • 17. HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods
  • 18. HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
  • 19. HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
  • 20. HexRaysCodeXplorer: Object Type REconstruction  citem_t objects to monitor:  memptr  call (LOBYTE, etc.)  idx  memref
  • 21. HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
  • 22. HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
  • 23. HexRaysCodeXplorer 1.1 [ZeroNights Edition]  Type Reconstruction:  reconstruct type into IDA local types  bugfixes =)  ObjectExplorer:  Auto structures for VTBL  Click on VTBL and jump to code  ObjectExplorer hints for VTBL
  • 24. NO TIME for DEMO
  • 25.
  • 26.
  • 27. Thank you for your attention! Eugene Rodionov Aleksandr Matrosov @vxradius @matrosov