Class Informer 2.0 from macromonkey
IDA Pro Win32 class vftable finder, namer, fixer, viewer plug-in.
Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table").
Creates a handy list window with found vftables for browsing.
Puts more context on class/structure related things to aid in reverse engineering.
RTTI ("Run-Time Type Identification")
RTCI ("Run Time Class Information") the MFC forerunner to RTTI
Based off of the article and materials by Igor Skochinsky:
Reversing Microsoft Visual C++ Part II: Classes, Methods and RTTI
The plug-in dialog:
Example vftable info set by plug-in:
Example vftable output list:
In this executable that was largely C++ with RTTI, this plug-in added a lot of contextual class data.
Plus in this case added a good amount of clean-up as the result of properly identifying and placing various RTTI data structures.
Typically when IDA sees previously unknown data now defined it will automatically reanalyze associated areas that can result in yet more data references and previously unknown functions being found. Removes more of the "unknown".
Version 1.06
Quote:
1.06 - 1) Added persistent vftable list storage.
2) Removed the many unnecessary "autoWait()" calls that caused a bit of a slow down.
3) Fixed broken and updated some custom UI elements.
4) Fixed the multi-segment select feature for the non-QT version and
added a working setup for the QT version too. For QT, after desired
segments are selected right click on the list and do "Select"
followed by the "Okay" button.
5) Added the ".data" segment to the default data search since vftables
are often located there (in addition to ".rdata").
1.05 - 1) The problem with the plug-in not being ready on invocation was fixed
by returning PLUGIN_KEEP on init to stay resident.
2) The fix in 1.04 didn't quite do it for structure placement problems.
In particular there remains a run on problem in IDA when marking some
areas "unknown"; these "do_unknown()" calls have been removed and
each structure element is individually placed one by one before
attempting to place the actual assorted structures.
1.04 - 1) Now ensures RTTI type name strings are set.
1.03 - 1) Added check and warning message for invalid start and end addresses
with "_initterm" type static/global ctor & dtor tables.
Would cause a negative count run-on condition that could trample over
a large data area.
2) UI customizations auto-disabled when using IDA Qt version.
3) Current IDA view is refreshed on completion to show changes.
4) Fixed a stall that could result from repeated failed attempts at an
RTTI type placement. Plus fixed the pattern for these so they could
be properly placed.
1.02 - 1) Added user code and data segment selector.
Allows user to select multiple data and code segments instead of the
default of ".text" and ".rdata" by name.
For those rare executable targets that have multiple code sections,
and, or, unpacked executables with mixed segments, etc.
2) Added config option for verbose output to the debugger channel.
3) Improved overall processing speed.
4) Since there can multiple instances of the same class or structure,
and IDA names must be unique all duplicate names are now serialized.
More things labeled, and no more "duplicate name" warning spam.
Note: Effects only label names, commented names are not altered
5) Updated to IDA SDK 5.5
6) Added links to Sirmabus IDA plug-ins support forum.
1.01 - 1) No longer pops up an error and exits IDA when an incompatible IDB is
loaded. Just displays a "not loaded" log message now.
2) Fixed IDA tab page update issue.
3) Now built with IDA SDK 5.4, and tested with IDA 5.4.
4) Fixed incorrect string placement in the RTTI type info struct.
Now the structures are right which make a cleaner DB.
This was a major bottleneck that caused the structure placement to be
about 36x slower, now only about 1x.
5) Fixed some misspellings.
http://sourceforge.net/projects/classinformer/
IDA Pro Win32 class vftable finder, namer, fixer, viewer plug-in.
Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table").
Creates a handy list window with found vftables for browsing.
Puts more context on class/structure related things to aid in reverse engineering.
RTTI ("Run-Time Type Identification")
RTCI ("Run Time Class Information") the MFC forerunner to RTTI
Based off of the article and materials by Igor Skochinsky:
Reversing Microsoft Visual C++ Part II: Classes, Methods and RTTI
The plug-in dialog:
Example vftable info set by plug-in:
Example vftable output list:
In this executable that was largely C++ with RTTI, this plug-in added a lot of contextual class data.
Plus in this case added a good amount of clean-up as the result of properly identifying and placing various RTTI data structures.
Typically when IDA sees previously unknown data now defined it will automatically reanalyze associated areas that can result in yet more data references and previously unknown functions being found. Removes more of the "unknown".
Version 1.06
Quote:
1.06 - 1) Added persistent vftable list storage.
2) Removed the many unnecessary "autoWait()" calls that caused a bit of a slow down.
3) Fixed broken and updated some custom UI elements.
4) Fixed the multi-segment select feature for the non-QT version and
added a working setup for the QT version too. For QT, after desired
segments are selected right click on the list and do "Select"
followed by the "Okay" button.
5) Added the ".data" segment to the default data search since vftables
are often located there (in addition to ".rdata").
1.05 - 1) The problem with the plug-in not being ready on invocation was fixed
by returning PLUGIN_KEEP on init to stay resident.
2) The fix in 1.04 didn't quite do it for structure placement problems.
In particular there remains a run on problem in IDA when marking some
areas "unknown"; these "do_unknown()" calls have been removed and
each structure element is individually placed one by one before
attempting to place the actual assorted structures.
1.04 - 1) Now ensures RTTI type name strings are set.
1.03 - 1) Added check and warning message for invalid start and end addresses
with "_initterm" type static/global ctor & dtor tables.
Would cause a negative count run-on condition that could trample over
a large data area.
2) UI customizations auto-disabled when using IDA Qt version.
3) Current IDA view is refreshed on completion to show changes.
4) Fixed a stall that could result from repeated failed attempts at an
RTTI type placement. Plus fixed the pattern for these so they could
be properly placed.
1.02 - 1) Added user code and data segment selector.
Allows user to select multiple data and code segments instead of the
default of ".text" and ".rdata" by name.
For those rare executable targets that have multiple code sections,
and, or, unpacked executables with mixed segments, etc.
2) Added config option for verbose output to the debugger channel.
3) Improved overall processing speed.
4) Since there can multiple instances of the same class or structure,
and IDA names must be unique all duplicate names are now serialized.
More things labeled, and no more "duplicate name" warning spam.
Note: Effects only label names, commented names are not altered
5) Updated to IDA SDK 5.5
6) Added links to Sirmabus IDA plug-ins support forum.
1.01 - 1) No longer pops up an error and exits IDA when an incompatible IDB is
loaded. Just displays a "not loaded" log message now.
2) Fixed IDA tab page update issue.
3) Now built with IDA SDK 5.4, and tested with IDA 5.4.
4) Fixed incorrect string placement in the RTTI type info struct.
Now the structures are right which make a cleaner DB.
This was a major bottleneck that caused the structure placement to be
about 36x slower, now only about 1x.
5) Fixed some misspellings.
http://sourceforge.net/projects/classinformer/
Last edited:
