HexRaysCodeXplorer: object oriented RE for fun and profit 
Alexander Matrosov 
@matrosov 
Eugene Rodionov 
@vxradius
Agenda
C++ Code Reconstruction Problems
Show problems on real examples (Flamer)
HexRaysCodeXplorer v1.5 [H2HC Edition]
C++ Code Reconstruction Problems 
Object identification 
Type reconstruction 
Class layout reconstruction 
Identify constructors/destructors 
Identify class members 
Local/global type reconstruction 
Associate object with exact method calls 
RTTI reconstruction 
Vftable reconstruction
Associate vftable object with exact object
Class hierarchy reconstruction
C++ Code Reconstruction Problems
[Diagram: an instance of class A holds vfPtr, which points to A::vfTable (meta, A::a1(), A::a2()); the vftable's meta entry points to the RTTI Object Locator (signature, pTypeDescriptor, pClassDescriptor)]
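The diagram above describes the chain the plugin follows for RTTI reconstruction: vfPtr to vftable, vftable[-1] to the RTTI Object Locator, and from there to the TypeDescriptor holding the mangled class name. The following added example (not the plugin's code) walks that chain over a constructed 32-bit MSVC-style memory image; the addresses, the image base BASE and the method addresses are all made up for the demonstration.

```python
import struct

BASE = 0x401000  # constructed image base, not taken from any real sample

def build_image():
    """Construct a 32-bit MSVC-style layout: the RTTI Complete Object Locator
    (COL), class A's vftable whose slot [-1] points at the COL, the
    TypeDescriptor carrying the mangled name, and a ClassHierarchyDescriptor."""
    col_addr, vft_meta, td_addr, chd_addr = BASE, BASE + 0x14, BASE + 0x30, BASE + 0x40
    img = bytearray(0x50)
    # COL: signature, offset, cdOffset, pTypeDescriptor, pClassDescriptor
    img[0x00:0x14] = struct.pack("<5I", 0, 0, 0, td_addr, chd_addr)
    # vftable: [meta ptr -> COL][A::a1][A::a2][NULL terminator]
    img[0x14:0x24] = struct.pack("<4I", col_addr, 0x401100, 0x401110, 0)
    # TypeDescriptor: pVFTable (type_info), spare, then mangled name ".?AVA@@"
    img[0x30:0x40] = struct.pack("<II", 0, 0) + b".?AVA@@\0"
    # ClassHierarchyDescriptor: signature, attributes, numBaseClasses, pBaseClassArray
    img[0x40:0x50] = struct.pack("<4I", 0, 0, 1, 0)
    return bytes(img)

def u32(img, addr):
    off = addr - BASE
    if not 0 <= off <= len(img) - 4:
        raise ValueError("address outside image: %#x" % addr)  # dangling pointer
    return struct.unpack_from("<I", img, off)[0]

def cstr(img, addr):
    off = addr - BASE
    return img[off:img.index(b"\0", off)].decode()

def demangle_class(name):
    # ".?AVA@@" -> "A" (".?AU" would denote a struct instead of a class)
    if name.startswith(".?AV") and name.endswith("@@"):
        return name[4:-2]
    return name

def reconstruct_vftable(img, vft_addr):
    """Follow vftable[-1] to the COL, then to the TypeDescriptor name and the
    hierarchy descriptor; collect method pointers until the NULL terminator."""
    col = u32(img, vft_addr - 4)
    _sig, offset, _cd_off, p_td, p_chd = struct.unpack_from("<5I", img, col - BASE)
    cls = demangle_class(cstr(img, p_td + 8))
    num_bases = u32(img, p_chd + 8)
    methods, addr = [], vft_addr
    while (fn := u32(img, addr)) != 0:
        methods.append(fn)
        addr += 4
    return {"class": cls, "num_base_classes": num_bases, "this_offset": offset, "methods": methods}

if __name__ == "__main__":
    info = reconstruct_vftable(build_image(), BASE + 0x18)
    for i, fn in enumerate(info["methods"]):
        print("%s::vfunc%d = %#x" % (info["class"], i, fn))
```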
C++ Code Reconstruction Problems
REconstructing Flamer Framework
An overview of the Flamer Framework
[Diagram: the framework's containers Vector<Command Executor>, Vector<Task>, Vector<DelayedTasks> and Vector<Consumer>, holding the components DB_Query, ClanCmd, IDLER, CmdExec, Euphoria, Share, Supplier, Mobile, Cmd, Sniffer, Munch, FileFinder, FileCollect, Driller, GetConfig, LSS, Sender, Frog, Beetlejuice, Lua, Media and several Consumer objects]
http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
Identify Smart Pointer Structure
o Smart pointers
o Strings
o Vectors to maintain the objects
o Custom data types: wrappers, tasks, triggers, etc.
Data Types Being Used: Smart pointers
typedef struct SMART_PTR
{
    void *pObject;  // pointer to the object
    int  *RefNo;    // reference counter (shared between copies of the pointer)
} SMART_PTR;
Identify Smart Pointer Structure
Data Types Being Used: Vectors
struct VECTOR
{
    void *vTable;         // pointer to the table
    int   NumberOfItems;  // self-explanatory
    int   MaxSize;        // self-explanatory
    void *vector;         // pointer to buffer with elements
};
o Used to handle the objects: tasks, triggers, etc.
Identify Exact Virtual Function Call in Vtable
Identify Custom Type Operations
Data Types Being Used: Strings
struct USTRING_STRUCT
{
    void    *vTable;         // pointer to the table
    int      RefNo;          // reference counter
    int      Initialized;
    wchar_t *UnicodeBuffer;  // pointer to unicode string
    char    *AsciiBuffer;    // pointer to ASCII string
    int      AsciiLength;    // length of the ASCII string
    int      Reserved;
    int      Length;         // length of unicode string
    int      LengthMax;      // size of UnicodeBuffer
};
Identify Objects Constructors
REconstructing Object's Attributes
REconstructing Object's Methods
HexRaysCodeXplorer
HexRaysCodeXplorer v1.0: released in 2013 at REcon
HexRaysCodeXplorer Features
o Hex-Rays decompiler plugin
o The plugin was designed to facilitate static analysis of:
  object oriented code
  position independent code
o The plugin allows to:
  navigate through decompiled virtual methods
  partially reconstruct object type
Hex-Rays Decompiler Plugin SDK
o At the heart of the decompiler lies the ctree structure:
  syntax tree structure
  consists of citem_t objects
  there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK
o Type citem_t is a base class for:
  cexpr_t – expression type
  cinsn_t – statement type
o Expressions have attached type information
o Statements include:
  block, if, for, while, do, switch, return, goto, asm
o Hex-Rays provides iterators for traversing the citem_t objects within the ctree structure:
  ctree_visitor_t
  ctree_parentee_t
[Diagram: citem_t with its derived classes cexpr_t and cinsn_t]
DEMO time :)
HexRaysCodeXplorer: Gapz Position Independent Code
HexRaysCodeXplorer: Virtual Methods
IDA's 'Local Types' is used to represent the object type
The Hex-Rays decompiler plugin is used to navigate through the virtual methods
HexRaysCodeXplorer: Object Type REconstruction
o Hex-Rays's ctree structure may be used to partially reconstruct an object type based on its initialization routine (constructor)
o Input:
  pointer to the object instance
  object initialization routine entry point
o Output:
  C structure-like object representation
o citem_t objects to monitor:
  memptr
  idx
  memref
  call (LOBYTE, etc.)
Example of a monitored access in the decompiled constructor:
    // reference of DWORD at offset 12 in buffer a1
    *(DWORD *)(a1 + 12) = 0xEFCDAB89;
HexRaysCodeXplorer v1.5 [H2HC Edition]
o New citem_t objects to monitor:
  memptr
  idx
  memref
  call (LOBYTE, etc.)
  ptr, asg, ...
o Type propagation for nested function calls
HexRaysCodeXplorer v1.5 [H2HC Edition]
o Features of v1.5 [H2HC Edition]:
  Better type reconstruction
  • Improvements for parsing citem_t objects with PTR and ASG statements
  • Recursive traversal of the ctree to reconstruct the type hierarchy
  Navigate from the pseudocode window to the disassembly line
  Hints for ctree elements which point to a disassembly line
  Support for the x64 version of the Hex-Rays Decompiler
  Some bug fixes by user request
DEMO time :)
HexRaysCodeXplorer: what are the next goals?
o Develop the next version on IDAPython
o Focus on the following features:
  Type reconstruction (C++, Objective-C)
  Type navigation (C++, Objective-C)
  Vtables parsing based on the Hex-Rays API
  Ctree graph navigation improvements
  Patterns for possible vuln detection
Why Python?
Python Arsenal Contest: http://2014.zeronights.org/contests/python-arsenal-contest.html
  Best exploit dev tool/plugin/lib
  Best forensics tool/plugin/lib
  Best reversing tool/plugin/lib
  Best fuzzing tool/plugin/lib
  Best malware analysis tool/plugin/lib
Thank you for your attention!
HexRaysCodeXplorer
http://REhints.com @REhints
https://github.com/REhints/HexRaysCodeXplorer
