Pretty advanced/internal question:
Getting close to updating ClassInformer to IDA Pro 9. It’s my IDA plugin for Windows binaries that finds, fixes and labels RTTI structures, and locates and displays vftables.
I see that most of the time IDA 9 does recognize most of the RTTI. I think it’s been like that for a while, since at least IDA 8 or so, but I haven’t gone back and updated the plugin to handle it.
First question:
So I see there is a built-in RTTI plugin, but it’s just for Borland targets?
Looking at the strings in the built-in “rtti.dll”, I see what look like the exact same strings IDA places for located RTTI containers. Is it this plugin that is finding the containers, or is it actually the IDA type system?
My issue right now is the whole type thing. I’m making the plugin IDA 9+ only. At least my own; I see others have forked my plugin and are still making it IDA 8 plus.
I see how they do it; some have bugs, and the thing to address is still the whole type thing.
The types that IDA uses are apparently not there. At least looking at “Local Types”, there are zero RTTI types.
What I’d like to do is at least make ClassInformer locate all the valid COLs, thus leading to all the valid RTTI-associated vftables.
Also, if the Borland tool just didn’t work on MSVC Windows targets, I might not even need ClassInformer at all.
As I write this: okay, if a COL, type_info, etc., etc. is already named with something other than a “DWORD” or “QWORD” pointer, then I know IDA already found it.
And/or, since I see one can get the type by an address, I can probably just reverse all the IDA RTTI type names, find out what type lib they are in, and use them myself if I located RTTI that IDA has not seen on its own.
I’ll probably have figured this out before it gets replied to, but please advise.
Okay round 2:
Apparently for RTTI you guys are using type-less types.
Meaning the types aren’t actually put into the IDB; rather, that “rtti.dll” or some internal system places it all as names and comments piecemeal (maybe).
No combination of “get_named_type”, “get_tinfo”, etc. will give me a type for one of the IDA-defined RTTI types.
And now if we look in the “Names” window, it looks like we can gather all the placed RTTI types by name. And IDA apparently does a good job of it as far as I can see, because it looks like loosely about 3,000 types, of which my COL scanner only finds maybe two.
And it might have actually been like this for a while. It seems like back in IDA 7 scanning would come up with a bunch missing, but maybe it’s been great since IDA 8.
At first, going back almost 20 years now to Igor Skochinsky’s excellent RTTI IDC scripts, my ClassInformer was basically a C/C++ version with a chooser window. It has since changed, since I went from scanning for vftables to scanning for COLs (thanks to “sh!ft”), which was much more accurate and probably even faster.
So now ClassInformer really becomes more of a viewing tool, plus still some minor things like finding and fixing static CTOR/DTOR tables, which IDA now finds well most of the time too.
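The post above describes scanning for COLs (MSVC `_RTTICompleteObjectLocator` records) rather than for vftables, and validating each candidate before walking to its vftable. As an added illustration, not ClassInformer's or IDA's code, here is a stand-alone Python scanner that does that over a constructed x64 image fragment: it accepts a COL only if the signature is 1 and the `pSelf` RVA points back at the record itself, then cross-checks the TypeDescriptor name and the ClassHierarchyDescriptor signature, and finally finds the vftable by locating the pointer to the COL that sits immediately before the first virtual slot. The image layout, the image base `0x140000000`, the class names `Derived`/`Base` and the helper names are all assumptions made for the example; a real plugin would read the same fields out of the IDB instead of a byte buffer.

```python
import struct

IMAGE_BASE = 0x140000000  # assumed x64 image base; buffer offsets below are RVAs


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def _i32(img, off):
    return struct.unpack_from("<i", img, off)[0]


def parse_col(img, off):
    """x64 _RTTICompleteObjectLocator: sig, offset, cdOffset, pTD, pCHD, pSelf (all 32-bit)."""
    if off < 0 or off + 24 > len(img):
        return None
    sig, vt_off, cd_off = struct.unpack_from("<III", img, off)
    p_td, p_chd, p_self = struct.unpack_from("<iii", img, off + 12)
    return {"signature": sig, "offset": vt_off, "cd_offset": cd_off,
            "type_desc": p_td, "class_desc": p_chd, "self": p_self}


def type_name(img, td_rva):
    """TypeDescriptor: type_info vftable ptr (8) + spare (8) + NUL-terminated mangled name."""
    start = td_rva + 16
    end = img.find(b"\0", start)
    return "" if end == -1 else img[start:end].decode("ascii", "replace")


def class_name(mangled):
    """'.?AVInner@Outer@@' -> 'Outer::Inner' (MSVC RTTI name convention)."""
    return "::".join(reversed(mangled[4:-2].split("@")))


def is_valid_col(img, off):
    col = parse_col(img, off)
    if col is None or col["signature"] != 1 or col["self"] != off:
        return False  # x64 COLs carry their own RVA; anything else is a false positive
    td, chd = col["type_desc"], col["class_desc"]
    if not (0 <= td < len(img) - 17 and 0 <= chd < len(img) - 16):
        return False
    name = type_name(img, td)
    if not (name.startswith(".?AV") or name.startswith(".?AU")) or not name.endswith("@@"):
        return False
    return _u32(img, chd) == 0  # ClassHierarchyDescriptor signature is always 0


def scan_cols(img):
    """Return RVAs of every record that passes the COL validation above (4-byte stride)."""
    return [off for off in range(0, len(img) - 23, 4) if is_valid_col(img, off)]


def find_vftables(img, col_rva):
    """A vftable is preceded by a pointer to its COL; return the vftable RVAs for this COL."""
    target, out = struct.pack("<Q", IMAGE_BASE + col_rva), []
    off = img.find(target)
    while off != -1:
        if off % 8 == 0:
            out.append(off + 8)
        off = img.find(target, off + 1)
    return out


def base_classes(img, col_rva):
    """Walk COL -> CHD -> BaseClassArray -> BaseClassDescriptor -> TypeDescriptor names."""
    chd = parse_col(img, col_rva)["class_desc"]
    n, bca = _u32(img, chd + 8), _i32(img, chd + 12)
    return [type_name(img, _i32(img, _i32(img, bca + 4 * i))) for i in range(n)]


def report(img):
    """Map each RTTI-backed vftable RVA to (class name, base class list)."""
    out = {}
    for col in scan_cols(img):
        own = class_name(type_name(img, parse_col(img, col)["type_desc"]))
        bases = [class_name(n) for n in base_classes(img, col)]
        for vft in find_vftables(img, col):
            out[vft] = (own, bases)
    return out


def build_sample_image():
    """Constructed fragment: 'Derived : Base', both with RTTI and a vftable. Not from any real binary."""
    img = bytearray(0x400)
    put = lambda off, fmt, *v: struct.pack_into(fmt, img, off, *v)
    put(0x010, "<IIIiii", 1, 0, 0, 0x100, 0x200, 0x014)       # decoy: pSelf does not match
    put(0x100, "<QQ", IMAGE_BASE + 0x3F0, 0); img[0x110:0x11E] = b".?AVDerived@@\0"
    put(0x140, "<QQ", IMAGE_BASE + 0x3F0, 0); img[0x150:0x15B] = b".?AVBase@@\0"
    put(0x180, "<iIiiiIi", 0x100, 1, 0, -1, 0, 0, 0x200)      # BCD Derived (pTD, nBases, PMD, attrs, pCHD)
    put(0x1A0, "<iIiiiIi", 0x140, 0, 0, -1, 0, 0, 0x240)      # BCD Base
    put(0x1C0, "<ii", 0x180, 0x1A0); put(0x1D0, "<i", 0x1A0)  # BaseClassArrays
    put(0x200, "<IIIi", 0, 0, 2, 0x1C0); put(0x240, "<IIIi", 0, 0, 1, 0x1D0)  # CHDs
    put(0x280, "<IIIiii", 1, 0, 0, 0x100, 0x200, 0x280)       # COL Derived
    put(0x2C0, "<IIIiii", 1, 0, 0, 0x140, 0x240, 0x2C0)       # COL Base
    put(0x300, "<QQQ", IMAGE_BASE + 0x280, IMAGE_BASE + 0x1000, IMAGE_BASE + 0x1010)  # vftable Derived
    put(0x320, "<QQ", IMAGE_BASE + 0x2C0, IMAGE_BASE + 0x1000)                        # vftable Base
    return bytes(img)


if __name__ == "__main__":
    for vft, (name, bases) in sorted(report(build_sample_image()).items()):
        print(f"vftable {IMAGE_BASE + vft:#x}: {name} bases={bases}")
```

The decoy record at RVA 0x10 has a valid signature and plausible RVAs but a wrong `pSelf`, so the self-reference check alone rejects it; on 32-bit targets there is no `pSelf` field (signature 0), so a scanner for those has to lean entirely on the TypeDescriptor and CHD cross-checks shown here.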
Hi,
Borland RTTI is handled by the bdescr plugin, although it hasn’t been updated in a long time. The MSVC and GNU metadata is parsed by the rtti plugin. Currently it only performs formatting and labeling of the metadata, because there is not enough information to create actual class types. We’re planning to extend and improve it to handle more complex situations (e.g. I think currently some multiple inheritance situations are not parsed properly).
Note that in some cases you might see empty classes appear in Local types. I believe those are created by the decompiler when it uses demangled function names to guess argument types. Because classes are passed by pointer, a forward declaration is enough and can be filled with the full layout later.