
View Full Version : Class Informer IDA Plug-in


Sirmabus
January 22nd, 2009, 05:13
Something I've been playing around with after I tried Igorsk's scripts from his excellent article.
http://www.openrce.org/articles/full_view/23


------------------------------------------------------------
Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read easier as an aid to reverse engineering.
Creates a list window with found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx
------------------------------------------------------------

Example vftable output list:

http://img518.imageshack.us/img518/7774/listshot1zj0.jpg


Example vftable info set by plug-in:

http://img217.imageshack.us/img217/5951/vftabkeshot1ri2.jpg

P.S. Why are my links F'ed up?
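
The kind of scan described in the post above, as an added example that is not part of the original post and is not the plug-in's own code: it walks a 32-bit image for a pointer to an RTTI Complete Object Locator, which MSVC places in the slot just before each vftable, and reads the class name from the linked type descriptor. The image base, the byte image and the class name `Widget` are constructed for the example.

```python
import struct

BASE = 0x400000  # assumed image base for the constructed sample


def build_sample():
    """Constructed 32-bit image fragment holding one class with RTTI."""
    img = bytearray(0x100)
    # TypeDescriptor at 0x10: pVFTable, spare, then the mangled name string
    struct.pack_into("<II", img, 0x10, BASE + 0xE0, 0)
    name = b".?AVWidget@@\x00"
    img[0x18:0x18 + len(name)] = name
    # Complete Object Locator at 0x40:
    # signature, offset, cdOffset, pTypeDescriptor, pClassHierarchyDescriptor
    struct.pack_into("<5I", img, 0x40, 0, 0, 0, BASE + 0x10, BASE + 0x60)
    # Locator pointer at 0x80, vftable (two method slots) starts at 0x84
    struct.pack_into("<3I", img, 0x80, BASE + 0x40, BASE + 0xC0, BASE + 0xC8)
    return bytes(img)


def in_image(img, va, size):
    """True when [va, va+size) lies inside the mapped image."""
    return va >= BASE and va - BASE + size <= len(img)


def find_vftables(img):
    """Return [(vftable_va, mangled_name)] for every RTTI-backed vftable."""
    found = []
    for off in range(0, len(img) - 8, 4):
        col_va = struct.unpack_from("<I", img, off)[0]
        if not in_image(img, col_va, 20):
            continue  # slot does not point at a possible locator
        sig, _, _, td_va, _ = struct.unpack_from("<5I", img, col_va - BASE)
        if sig != 0 or not in_image(img, td_va, 12):
            continue  # x86 locators carry signature 0
        name_off = td_va - BASE + 8  # skip pVFTable and spare
        if img[name_off:name_off + 4] not in (b".?AV", b".?AU"):
            continue  # mangled class (.?AV) or struct (.?AU) names only
        end = img.find(b"\x00", name_off)
        if end == -1:
            continue  # unterminated name, reject the candidate
        found.append((BASE + off + 4, img[name_off:end].decode("ascii")))
    return found


if __name__ == "__main__":
    for va, name in find_vftables(build_sample()):
        print(f"vftable at {va:#x}: {name}")
```
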

OHPen
January 23rd, 2009, 10:54
This is really a cool plugin. I used it and it is a good help to reverse engineer C/C++ apps.

thx.

dELTA
January 23rd, 2009, 16:04
Nice stuff.

CRCETL:
http://www.woodmann.com/collaborative/tools/Class_Informer

Kayaker
January 23rd, 2009, 17:59
Quote:
[Originally Posted by Sirmabus;78850]
P.S. Why are my links F'ed up?


Sorry Sirmabus, only internal woodmann.com links are "clickable". External and embedded links are not. That's a policy we've had in place for years. Perhaps we should review that idea.

The exception is the Blogs forum, where you'll notice your imported OpenRCE blog on the same topic has the "normal" linkages.

Another nice plugin by you btw, thanks.

Kayaker

Sirmabus
April 2nd, 2009, 15:26
-- [Changes] ------------------------------------------

1.01 -
1) No longer pops up an error and exits IDA when an incompatible IDB is loaded!
Just displays a "not loaded" log message now.
2) Fixed IDA tab page update issue.
3) Now built with IDA SDK 5.4, and tested with IDA 5.4.
4) Fixed incorrect string placement in the RTTI type info struct.
Now the structures are right, which makes for a cleaner DB.
This was a major bottleneck that caused the structure placement to be about 36x slower, now only about 1x.
5) Fixed some misspellings.