C++ Object editor


halvar
December 30th, 2004, 06:10
Hey all,

we all see lots of OOP/C++ code nowadays, and I have had an idea
spooking around in my head for the last few years, but never time
or motivation to actually tackle it:

A C++ object editor. This would work via interfacing with a disassembler
(IDA?) to identify vtables, and then to search for pointers to the vtable
in a process address space. By doing so, all instances of a particular object
could be found. If fed with a prototype for the class, one could build a
run-time object viewer/editor where all fields of the object could be viewable/
editable.

Very useful for hijacking/monitoring method calls, too.

Cheers,
Halvar
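
The scan-and-edit loop described above, written out as an added example (my own code, not Halvar's or any disassembler's): it constructs a byte arena standing in for a process address space, places a few instances of a sample `Widget` class in it, takes the vtable address from one live object, scans the arena for every pointer-aligned word equal to that address, and then reads and edits fields through a caller-supplied prototype. The `Widget`, `FieldProto`, `Arena` and `run_demo` names are assumptions for the illustration. It also plants one stray copy of the vtable address to show why a bare pointer match is only a candidate instance, and uses a plausibility check on the decoded fields to reject it; the assumed object layout (vptr in the first word) is the Itanium C++ ABI used by GCC and Clang, not something the standard guarantees.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

// Stand-in for an application class whose vtable the RE has located.
struct Widget {
    Widget(int w_, int h_) : w(w_), h(h_) {}
    virtual ~Widget() {}
    virtual int area() const { return w * h; }
    int w;
    int h;
};

// Prototype supplied by the RE: byte offset of each field inside the object.
struct FieldProto { const char* name; size_t offset; };

// Constructed stand-in for a process address space: an aligned byte arena.
struct Arena { alignas(std::max_align_t) unsigned char bytes[1024]; };

static uintptr_t read_word(const unsigned char* p) {
    uintptr_t v; std::memcpy(&v, p, sizeof v); return v;
}

// Assumption (Itanium C++ ABI, as used by GCC/Clang): the vptr is the first
// pointer-sized word of a polymorphic object. This is ABI-specific, not a
// guarantee of the language standard.
static uintptr_t vtable_of(const Widget& obj) {
    return read_word(reinterpret_cast<const unsigned char*>(&obj));
}

// Scan every pointer-aligned word of a region for the vtable address and
// return the offsets of candidate instances.
static std::vector<size_t> find_instances(const unsigned char* base, size_t len,
                                          uintptr_t vtable) {
    std::vector<size_t> hits;
    for (size_t off = 0; off + sizeof(uintptr_t) <= len; off += sizeof(uintptr_t))
        if (read_word(base + off) == vtable) hits.push_back(off);
    return hits;
}

// Viewer/editor primitives: read or write an int field via the prototype.
static int read_field(const unsigned char* obj, const FieldProto& f) {
    int v; std::memcpy(&v, obj + f.offset, sizeof v); return v;
}
static void write_field(unsigned char* obj, const FieldProto& f, int v) {
    std::memcpy(obj + f.offset, &v, sizeof v);
}

struct ScanResult { size_t raw_hits, validated; int area_before, area_after; };

// Walk-through: place three Widgets in the arena plus one stray copy of the
// vtable address (a saved pointer, say) that a naive scan counts as an object.
ScanResult run_demo() {
    Arena arena;
    std::memset(arena.bytes, 0x5A, sizeof arena.bytes);     // filler, not objects
    const size_t at[3] = {64, 256, 640};
    const int dims[3][2] = {{2, 3}, {4, 5}, {6, 7}};
    Widget* live[3];
    for (int i = 0; i < 3; ++i)
        live[i] = new (arena.bytes + at[i]) Widget(dims[i][0], dims[i][1]);

    uintptr_t vt = vtable_of(*live[0]);
    std::memcpy(arena.bytes + 896, &vt, sizeof vt);          // stray copy, no object

    // Prototype derived from a live object rather than hard-coded offsets.
    const unsigned char* b0 = reinterpret_cast<const unsigned char*>(live[0]);
    FieldProto proto_w{"w", size_t(reinterpret_cast<const unsigned char*>(&live[0]->w) - b0)};
    FieldProto proto_h{"h", size_t(reinterpret_cast<const unsigned char*>(&live[0]->h) - b0)};

    ScanResult r{0, 0, 0, 0};
    for (int i = 0; i < 3; ++i) r.area_before += live[i]->area();

    std::vector<size_t> hits = find_instances(arena.bytes, sizeof arena.bytes, vt);
    r.raw_hits = hits.size();
    for (size_t off : hits) {
        unsigned char* obj = arena.bytes + off;
        int w = read_field(obj, proto_w), h = read_field(obj, proto_h);
        // Plausibility check: fields outside a sane range mark a false positive
        // (the stray copy is followed by filler bytes, which decode to a huge int).
        if (w <= 0 || w > 1000 || h <= 0 || h > 1000) continue;
        ++r.validated;
        write_field(obj, proto_w, 10);                       // edit through the prototype
    }
    for (int i = 0; i < 3; ++i) r.area_after += live[i]->area();   // virtual call sees the edit
    for (int i = 0; i < 3; ++i) live[i]->~Widget();
    return r;
}
```

Against a real process the arena becomes a region read from the target, the vtable address comes from the disassembler, and the plausibility check becomes whatever invariants the prototype gives you (pointer fields that point into mapped memory, enums within range, and so on); without such a check every word that happens to hold the vtable address, including saved pointers and stale stack slots, shows up as an "instance".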

Silver
December 30th, 2004, 08:21
That would be handy. I recall a discussion about this before (somewhere other than this forum). I think one of the major sticking points was inheritance, it became extremely difficult to infer inheritance and hierarchy from the asm. Technically you wouldn't need to give it the class prototype, it "should" be able to infer it from code. Where things will really fall down is with non-contiguous prototypes, for example members included in the prototype but not used in the code. That would really screw any pointer work...

I'd need to have a proper think about it, but I have that feeling that tells me there are some pretty important obstacles we'd need to figure out first. I came across a pdf of a book about OO asm once, fairly old but very in depth. Perhaps that may be of use for ideas.

halvar
December 30th, 2004, 10:22
Telling inheritance can be done by examining constructors -- a constructor
that calls another constructor of a class A w/o changing the this pointer is either a
constructor of a class derived from A or has A as first member. The class prototype
is tricky -- we can't necessarily tell type from the constructor alone (but we should
be able to infer member boundaries from it).

I am not sure whether we need to tell inheritance -- if the RE can provide a prototype
and a vtable address, there's no need for us to know the relation between the
objects inheritance-wise.