
"Class Informer" 
=========================================================
IDA Pro Win32 class vftable finder, namer, fixer, lister plug-in.
Version 1.02, March 2011
By Sirmabus

---------------------------------------------------------

Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type
data. Places structure defs, names, labels, and comments to make more sense of
class vftables ("Virtual Function Table") and make them read easier as an aid
to reverse engineering.
Creates a list window with found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx

It's currently targeted specifically at Microsoft Visual C++ 32bit compiled
binaries only. It will give unpredictable results if used on other targets.

Currently somewhat limited to the normal layout of vftables in the ".rdata"
segment and code in the ".text" segment.

Based on the article and IDC scripts by Igor Skochinsky:
http://www.openrce.org/articles/full_view/23
http://www.openrce.org/downloads/details/196

And derivative work:
http://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/Paper/bh-dc-07-Sabanal_Yason-WP.pdf


-- [Install] --------------------------------------------
Copy the plug-in to your IDA Pro "plugins" directory. 
Then edit your "..\plugins\plugins.cfg" to set it up with a hotkey.

E.g., add these two lines:

; Sirmabus "Class Informer" plug-in
Class-Informer IDA_ClassInformer_PlugIn.plw Alt-7 0

See IDA documentation for more on installing and using plug-ins.


-- [How to run it] --------------------------------------
Invoke as typical in IDA with hot key, or through IDA's Edit->Plugins menu.

If you are working on an unpacked target, you should fix the PE sections
and name the ".text" and ".rdata" segments you want to examine.

It will typically run from a few seconds to several minutes, depending on the
size of the target, and generally how fast your machine is (with hard drive 
speed being a contributing factor).

Try using my "Extra Pass" plug-in first for best results, as its ".text" clean-up
might expose more tables that validate.

On completion a list window will come up showing the found vftables and
class information.
Click on a line to jump to it.

If you want to save the list to a text file, capture the debug output with a
viewer like Mark Russinovich's excellent "DebugView" at:
http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx

Example list output:
0046769C 077 CEdit:CWnd, CCmdTarget, CObject;  (SI)

The fields are: vftable address, method count, class hierarchy (the class
itself, then its bases), and finally some additional class info.
To make things easier to read, all known type names are considered to be a
"class" unless explicitly preceded with "struct" to indicate a structure type.

The additional info at the end:
"(SI)" single inheritance hierarchy, "(MI)" multiple inheritance,
"(VI)" virtual inheritance, or "(MI VI)" multiple virtual inheritance.
If none of these is present, the entry is an MFC 'RTCI' type.
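As an added illustration (not the plug-in's code and not part of the original readme), the Python below walks the 32bit MSVC RTTI structures that sit behind a vftable, using the layout described in Igor Skochinsky's article linked above: the slot just before the vftable points to an RTTICompleteObjectLocator, which points to the TypeDescriptor and to the RTTIClassHierarchyDescriptor, whose attributes word carries the MI (bit 0) and VI (bit 1) flags and whose base class array yields the hierarchy printed in the list. It hand-assembles a constructed ".rdata" blob for a CEdit-like class (all addresses, the seven method pointers and the type_info vftable address are made up for the example), scans every 4-byte slot the brute-force way, counts methods as the run of consecutive entries pointing into the ".text" range (one plausible heuristic, assumed here), and renders one record in the list format shown above. The demangler only handles plain ".?AV...@@" / ".?AU...@@" names, and the MFC RTCI case is not covered.

```python
import struct

# Constructed 32bit layout for this example: the ".text" range that vftable entries must
# point into, and the base of the ".rdata" blob holding the vftable and its RTTI.
TEXT_BASE, TEXT_SIZE = 0x00401000, 0x1000
RDATA_BASE = 0x00467000
TYPE_INFO_VFT = 0x00466000   # stand-in for type_info's vftable address (assumed value)

class Image:
    """Little-endian view over the constructed .rdata blob plus the .text address range."""
    def __init__(self, base, data, text_range):
        self.base, self.data, self.text = base, data, text_range
    def fits(self, va, size):
        return self.base <= va and va + size <= self.base + len(self.data)
    def u32(self, va):
        return struct.unpack_from("<I", self.data, va - self.base)[0]
    def cstr(self, va, limit=256):
        """NUL-terminated ASCII string at va, or None if there is no such string."""
        off = va - self.base
        end = self.data.find(b"\0", off, off + limit) if 0 <= off < len(self.data) else -1
        try:
            return self.data[off:end].decode("ascii") if end >= 0 else None
        except UnicodeDecodeError:
            return None
    def in_text(self, va):
        return self.text[0] <= va < self.text[0] + self.text[1]

def demangle_type(name):
    """'.?AVCEdit@@' -> ('class', 'CEdit'); '.?AUPMD@@' -> ('struct', 'PMD');
    '.?AVInner@Outer@@' -> ('class', 'Outer::Inner'). Templates are not handled."""
    if len(name) < 6 or not name.startswith(".?A") or not name.endswith("@@"):
        raise ValueError("not a type descriptor name: %r" % name)
    kind = {"V": "class", "U": "struct"}[name[3]]
    return kind, "::".join(reversed(name[4:-2].split("@")))

def describe_vftable(img, vft_va):
    """Validate the RTTI behind a candidate vftable at vft_va (the slot at vft_va-4 must hold
    a pointer to an RTTICompleteObjectLocator). Returns (method_count, names, tag) or None."""
    col = img.u32(vft_va - 4)
    if not img.fits(col, 20):
        return None
    # COL: signature, offset, cdOffset, pTypeDescriptor, pClassHierarchyDescriptor
    signature, _offset, _cd_offset, p_td, p_chd = (img.u32(col + 4 * i) for i in range(5))
    if signature != 0 or not img.fits(p_td, 9) or not img.fits(p_chd, 16):
        return None
    # CHD: signature, attributes (bit0 = MI, bit1 = VI), numBaseClasses, pBaseClassArray
    chd_sig, attributes, n_bases, p_bca = (img.u32(p_chd + 4 * i) for i in range(4))
    if chd_sig != 0 or not 1 <= n_bases <= 64 or not img.fits(p_bca, 4 * n_bases):
        return None
    names = []
    for i in range(n_bases):                  # entry 0 is the class itself, then its bases
        bcd = img.u32(p_bca + 4 * i)          # RTTIBaseClassDescriptor; first field is pTypeDescriptor
        td = img.u32(bcd) if img.fits(bcd, 24) else 0
        mangled = img.cstr(td + 8) if img.fits(td, 9) else None   # name follows pVFTable, spare
        try:
            kind, nm = demangle_type(mangled or "")
        except (ValueError, KeyError):
            return None
        names.append(nm if kind == "class" else "struct " + nm)
    count = 0                                  # consecutive entries that point into .text
    while img.fits(vft_va + 4 * count, 4) and img.in_text(img.u32(vft_va + 4 * count)):
        count += 1
    tags = (["MI"] if attributes & 1 else []) + (["VI"] if attributes & 2 else [])
    return count, names, "(%s)" % " ".join(tags) if tags else "(SI)"

def format_line(vft_va, count, names, tag):
    """One record in the list format, e.g. '0046769C 077 CEdit:CWnd, CCmdTarget, CObject;  (SI)'."""
    hier = names[0] + (":" + ", ".join(names[1:]) if len(names) > 1 else "")
    return "%08X %03d %s;  %s" % (vft_va, count, hier, tag)

def scan_for_vftables(img):
    """Try every 4-byte-aligned slot as the 'pointer to COL' slot, as a brute-force finder would."""
    hits = [(va, describe_vftable(img, va)) for va in range(img.base + 4, img.base + len(img.data), 4)]
    return [format_line(va, *res) for va, res in hits if res and res[0] > 0]

def build_sample_rdata():
    """Hand-assemble .rdata for a CEdit-like class with the bases CWnd, CCmdTarget, CObject.
    Constructed data for this example, not taken from any real binary."""
    blob = bytearray()
    def emit(fmt, *vals):
        va = RDATA_BASE + len(blob)
        blob.extend(struct.pack("<" + fmt, *vals))
        return va
    tds = []
    for mangled in [".?AVCEdit@@", ".?AVCWnd@@", ".?AVCCmdTarget@@", ".?AVCObject@@"]:
        raw = mangled.encode() + b"\0"            # TypeDescriptor: pVFTable, spare, name (4-aligned)
        tds.append(emit("II%ds" % (len(raw) + (-len(raw) % 4)), TYPE_INFO_VFT, 0, raw))
    # BCD: pTypeDescriptor, numContainedBases, PMD{mdisp, pdisp, vdisp}, attributes
    bcds = [emit("IIiiiI", td, len(tds) - i - 1, 0, -1, 0, 0) for i, td in enumerate(tds)]
    bca = emit("I" * len(bcds), *bcds)
    chd = emit("IIII", 0, 0, len(bcds), bca)      # attributes 0 -> single inheritance
    col = emit("IIIII", 0, 0, 0, tds[0], chd)
    emit("I", col)                                # the slot immediately before the vftable
    vft = RDATA_BASE + len(blob)
    emit("I" * 7, *[TEXT_BASE + 0x10 * i for i in range(7)])   # 7 method pointers into .text
    emit("I", 0)                                  # terminator that is not a code pointer
    return Image(RDATA_BASE, bytes(blob), (TEXT_BASE, TEXT_SIZE)), vft

if __name__ == "__main__":
    for line in scan_for_vftables(build_sample_rdata()[0]):
        print(line)
```

Run directly, it prints the single record the scan validates; every other slot in the blob is rejected by one of the checks (non-zero signature, pointer outside the segment, unparseable type name). Pointing it at a real ".rdata" dump would additionally need the type_info vftable check and the MFC RTCI path, both left out here.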

Built with the latest IDA SDK (5.5 for this version, see Changes) and tested on
IDA versions 5.2, 5.3 and 5.4.


-- [Design] -------------------------------------------

I read Igor Skochinsky's excellent article "Reversing Microsoft Visual C++"
some time ago, but only recently tried the IDC scripts accompanying the article.
I was amazed at how well they worked in identifying vftables with type info and
how they cleaned up the IDB (a large MSVC compiled target).

IMHO it can be overlooked too easily if you're RE'ing MSVC C++ targets.
I wanted to put it into a plug-in for speed, flexibility, and as a general test
bed for R&D in the area.

I originally wanted to have automatic member naming: take the class name and at
least partially name the member functions (mostly ignoring calling and return
arguments). But I decided it probably isn't that useful, and there would
probably be a lot of redundancy that ends up in custom sigs as noise.
For the same reason I did not use the ctor and dtor identification found in
Igorsk's scripts.

For my RE work I just want to see these classes by name, and where to find
them for examination.

Essentially, it works a lot like Igorsk's scripts, with some differences like
handling MFC 'RTCI' types, placing type structures (rather than the individual
fields), and doing static/global ctor/dtor processing.


I got tired of IDA's only partially functioning wait box, so I sub-classed it.
It should now cancel near instantly when you click the "Cancel" button or press
the "Break" key. And to better show progress, I fancied it up a bit with a
progress bar, and an indicator with text animation.


-- [Known problems] -----------------------------------

For some odd reason, when you first load an IDB and activate the plug-in, IDA
reports auto-analysis as still active (in plug-in terms "autoIsOk() == FALSE")
and the plug-in will not run. Just invoke the plug-in again to get past it.

Please report any issues on my support forum:
http://www.macromonkey.com/bb/viewforum.php?f=65


-- [Changes] ------------------------------------------

1.02 - 1) Added user code and data segment selector.
          Allows the user to select multiple data and code segments instead of the
          default of ".text" and ".rdata" by name.
          For those rare executable targets that have multiple code sections,
          and/or unpacked executables with mixed segments, etc.
       2) Added config option for verbose output to the debugger channel.
       3) Improved overall processing speed.
       4) Since there can be multiple instances of the same class or structure, and
          IDA names must be unique, all duplicate names are now serialised.
          More things labeled, and no more "duplicate name" warning spam.
          Note: Affects only label names; commented names are not altered.
       5) Updated to IDA SDK 5.5.
       6) Added links to my IDA plug-ins support forum.

1.01 - 1) No longer pops up an error and exits IDA when an incompatible IDB is
          loaded! Just displays a "not loaded" log message now.
       2) Fixed IDA tab page update issue.
       3) Now built with IDA SDK 5.4, and tested with IDA 5.4.
       4) Fixed incorrect string placement in the RTTI type info struct.
          Now the structures are right, which makes for a cleaner DB.
          This was a major bottleneck that made the structure placement about
          36x slower than it is now.
       5) Fixed some misspellings.

-- [TODO] ---------------------------------------------
Get compiler-specific info for at least the other popular compilers (Intel,
Borland, GCC, etc).

- Sirmabus


Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability or fitness for any particular use. It may contain bugs, so use of
this software is at your own risk.  The author(s) are not responsible for
any damage that may be caused through its use.