Recon 2012: Compiler Internals

This year I was again lucky enough to present at Recon in Montreal. There were many great talks, as usual. I combined the topic of last year's talk on C++ reversing with my OpenRCE article on Visual C++ internals. The new material covers the implementation of exceptions and RTTI in MSVC x64 and in GCC (including Apple's iOS).

The videos are not up yet, but here are the slides of my presentation and a few demo scripts I made for it to parse GCC's RTTI structures and exception tables. I also added my old scripts from OpenRCE, amended slightly for current IDA versions (mostly changed hotkeys).

Slides
Scripts
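To show what parsing GCC's RTTI structures involves, here is an added example that is not part of the slides or of the scripts linked above: a small Python parser for the Itanium C++ ABI type_info layouts that GCC emits (__class_type_info, __si_class_type_info and __vmi_class_type_info), run against a constructed 64-bit little-endian memory image instead of an IDA database. All addresses, vtable locations and class names in it are made up; only the structure layouts, the flag bits and the "vptr points at vtable + 2 pointers" rule follow the ABI.

```python
import struct

PTR = 8  # pointer size for x86-64

# Constructed addresses of the three libstdc++ type_info vtables. In a real
# binary these are the symbols _ZTVN10__cxxabiv117__class_type_infoE etc.;
# a type_info object's vptr points at vtable + 2*PTR (past offset-to-top and
# the vtable's own type_info slot), so that is the value the scan looks for.
VT_CLASS, VT_SI, VT_VMI = 0x1000, 0x1100, 0x1200
KINDS = {
    VT_CLASS + 2 * PTR: "__class_type_info",
    VT_SI + 2 * PTR: "__si_class_type_info",
    VT_VMI + 2 * PTR: "__vmi_class_type_info",
}

# Constructed addresses of the type_info objects and their mangled names.
TI_BASE1, TI_BASE2, TI_SINGLE, TI_MULTI = 0x2000, 0x2020, 0x2040, 0x2060
NAME_BASE1, NAME_BASE2, NAME_SINGLE, NAME_MULTI = 0x3000, 0x3010, 0x3020, 0x3030

# __base_class_type_info.__offset_flags: low 8 bits are flags, the rest is the
# offset (object offset for a non-virtual base, vbase-offset slot in the
# vtable for a virtual base).
VIRTUAL_MASK, PUBLIC_MASK, OFFSET_SHIFT = 0x1, 0x2, 8


def build_image():
    """Lay out a fake read-only data image with four classes:
    Base1, Base2, Single : Base1, Multi : public Base1, public virtual Base2."""
    img = bytearray(0x4000)

    def put_ptr(ea, val):
        struct.pack_into("<Q", img, ea, val)

    def put_str(ea, text):
        img[ea:ea + len(text) + 1] = text.encode() + b"\0"

    for ea, name in ((NAME_BASE1, "5Base1"), (NAME_BASE2, "5Base2"),
                     (NAME_SINGLE, "6Single"), (NAME_MULTI, "5Multi")):
        put_str(ea, name)
    # __class_type_info: { vptr, __name }
    put_ptr(TI_BASE1, VT_CLASS + 2 * PTR); put_ptr(TI_BASE1 + PTR, NAME_BASE1)
    put_ptr(TI_BASE2, VT_CLASS + 2 * PTR); put_ptr(TI_BASE2 + PTR, NAME_BASE2)
    # __si_class_type_info: { vptr, __name, __base_type }
    put_ptr(TI_SINGLE, VT_SI + 2 * PTR)
    put_ptr(TI_SINGLE + PTR, NAME_SINGLE)
    put_ptr(TI_SINGLE + 2 * PTR, TI_BASE1)
    # __vmi_class_type_info: { vptr, __name, __flags, __base_count, __base_info[] }
    put_ptr(TI_MULTI, VT_VMI + 2 * PTR)
    put_ptr(TI_MULTI + PTR, NAME_MULTI)
    struct.pack_into("<II", img, TI_MULTI + 2 * PTR, 0, 2)
    arr = TI_MULTI + 2 * PTR + 8
    put_ptr(arr, TI_BASE1)                # public, non-virtual, offset 0
    struct.pack_into("<q", img, arr + PTR, (0 << OFFSET_SHIFT) | PUBLIC_MASK)
    put_ptr(arr + 2 * PTR, TI_BASE2)      # public virtual, vbase slot at -24
    struct.pack_into("<q", img, arr + 3 * PTR,
                     (-24 << OFFSET_SHIFT) | PUBLIC_MASK | VIRTUAL_MASK)
    return img


def read_ptr(img, ea):
    return struct.unpack_from("<Q", img, ea)[0]


def read_cstr(img, ea):
    return img[ea:img.index(b"\0", ea)].decode()


def parse_type_info(img, ea):
    """Decode one type_info object at ea; raise if its vptr is not one of
    the three known vtables."""
    kind = KINDS.get(read_ptr(img, ea))
    if kind is None:
        raise ValueError("no type_info vtable reference at %#x" % ea)
    info = {"ea": ea, "kind": kind,
            "name": read_cstr(img, read_ptr(img, ea + PTR)), "bases": []}
    if kind == "__si_class_type_info":
        base = read_ptr(img, ea + 2 * PTR)
        info["bases"].append({"type": read_cstr(img, read_ptr(img, base + PTR)),
                              "offset": 0, "virtual": False, "public": True})
    elif kind == "__vmi_class_type_info":
        flags, count = struct.unpack_from("<II", img, ea + 2 * PTR)
        info["flags"] = flags
        arr = ea + 2 * PTR + 8
        for i in range(count):
            base = read_ptr(img, arr + i * 2 * PTR)
            off_flags = struct.unpack_from("<q", img, arr + i * 2 * PTR + PTR)[0]
            info["bases"].append({
                "type": read_cstr(img, read_ptr(img, base + PTR)),
                "offset": off_flags >> OFFSET_SHIFT,   # arithmetic shift keeps the sign
                "virtual": bool(off_flags & VIRTUAL_MASK),
                "public": bool(off_flags & PUBLIC_MASK)})
    return info


def find_type_infos(img):
    """Scan every pointer-aligned slot for a reference to one of the three
    vtables, the same heuristic as looking for refs to _ZTVN10__cxxabiv1... in IDA."""
    return [parse_type_info(img, ea) for ea in range(0, len(img) - PTR + 1, PTR)
            if read_ptr(img, ea) in KINDS]


if __name__ == "__main__":
    for ti in find_type_infos(build_image()):
        print("%#x %-22s %s" % (ti["ea"], ti["kind"], ti["name"]))
        for b in ti["bases"]:
            print("    base %-8s offset %4d %s%s" % (
                b["type"], b["offset"], "virtual " if b["virtual"] else "",
                "public" if b["public"] else "private"))
```

The scan classifies an object purely by which vtable its first pointer references, which is exactly why a script like this depends on first locating the three libstdc++ vtables; against a real binary the same decode routine would read through the debugger or disassembler API instead of a byte array, and mangled names would still need demangling (the leading length-prefixed form, "5Multi", is what GCC stores).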


6 Responses to Recon 2012: Compiler Internals

  1. Roman Pekhov says:

    Thank you

  2. Eugene Sukhodolin says:

    Awesome job, Igor!

    I tried your gcc_rtti.py script but got the following error unfortunately:

    ---------------------------------------------------------------------------
    Python 2.6.5 (r265:79096, Mar 19 2010, 21:48:26) [MSC v.1500 32 bit (Intel)]
    IDAPython 64-bit v1.5.3 final (serial 0) (c) The IDAPython Team
    ---------------------------------------------------------------------------
    Looking for standard type info classes
    searching for St9type_info
    searching for N10__cxxabiv117__class_type_infoE
    searching for N10__cxxabiv120__si_class_type_infoE
    searching for N10__cxxabiv121__vmi_class_type_infoE
    Looking for simple classes
    Looking for refs to vtable 022DDB30
    found _ZTVN10__cxxabiv117__class_type_infoE at 01A5CF30
    get_fixup expected 2 arguments, got 1
    Traceback (most recent call last):
      File "[...]python\idaapi.py", line 498, in IDAPython_ExecScript
        execfile(script, g)
      File "[...]/gcc_rtti.py", line 358, in <module>
        main()
      File "[...]/gcc_rtti.py", line 351, in main
        handle_classes(TI_CTINFO, format_type_info)
      File "[...]/gcc_rtti.py", line 274, in handle_classes
        ea2 = formatter(x)
      File "[...]/gcc_rtti.py", line 190, in format_type_info
        ea2 = format_struct(ea, "vp")
      File "[...]/gcc_rtti.py", line 130, in format_struct
        ForcePtr(ea, delta)
      File "[...]/gcc_rtti.py", line 106, in ForcePtr
        ForceQword(ea)
      File "[...]/gcc_rtti.py", line 100, in ForceQword
        if isOff0(GetFlags(ea)) and GetFixupTgtType(ea) == -1:
      File "[...]python\idc.py", line 4461, in GetFixupTgtType
        fd = idaapi.get_fixup(ea)
      File "[...]python\idaapi.py", line 19328, in get_fixup
        return _idaapi.get_fixup(*args)
    TypeError: get_fixup expected 2 arguments, got 1

    Looks like I’m hitting this issue: http://code.google.com/p/idapython/issues/detail?id=79

    Is it a known issue? Do I just need to update from v6.2 to v6.3 for the issue to go away?

    • Igor Skochinsky says:

      Yes, it’s been fixed in the latest build of 6.3.

      • Eugene Sukhodolin says:

        Thank you, Igor!

        Shortly after I posted about this error, I realized that it's fairly easy to fix it myself, so I did.

        Now the script works seemingly fine for a huge binary I tried it with, but it seems it finds additional RTTI structures each time I run it. Is it expected that subsequent runs can yield additional results for the same binary (after it was processed at least once)?

        Overall, it looks extremely useful, please keep up your great work!

        • Igor Skochinsky says:

          That’s quite possible, it’s mostly proof-of-concept and hasn’t been tested much.

  3. Darmawan says:

    Your articles over at OpenRCE are a gem. A handy reference. Thanks for that article :-)