SlideShare une entreprise Scribd logo

Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented RE easier

DefconRussia
DefconRussia

The document discusses HexRaysCodeXplorer, a Hex-Rays decompiler plugin that aims to facilitate static analysis of C++ object-oriented and position-independent code. It does this by allowing users to navigate through decompiled virtual methods and partially reconstruct object types. The plugin utilizes the ctree syntax tree structure at the core of the Hex-Rays decompiler to traverse expressions and statements. It can also take a object instance pointer and initialization routine to output a C-like structure representation of the partially reconstructed object type.

Technologie
1  sur  27
Télécharger pour lire hors ligne
HexRaysCodeXplorer: make object-oriented RE easier Aleksandr MatrosovEugene Rodionov @matrosov @vxradius
C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction     Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
C++ Code Reconstruction: the truth is out there
An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
HexRaysCodeXplorer
HexRaysCodeXplorer Features  Hex-Rays decompiler plugin  The plugin was designed to facilitate static analysis of:  object oriented code  position independent code  The plugin allows to:  navigate through decompiled virtual methods  partially reconstruct object type
Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type citem_t cexpr_t cinsn_t  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t
Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type citem_t cexpr_t cinsn_t  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t
HexRaysCodeXplorer: Gapz Position Independent Code
HexRaysCodeXplorer: Virtual Methods  The IDA’s “Local Types” is used to represent object type
HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods
HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods
HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction  citem_t objects to monitor:  memptr  call (LOBYTE, etc.)  idx  memref
HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
HexRaysCodeXplorer 1.1 [ZeroNights Edition]  Type Reconstruction:  reconstruct type into IDA local types  bugfixes =)  ObjectExplorer:  Auto structures for VTBL  Click on VTBL and jump to code  ObjectExplorer hints for VTBL
NO TIME for DEMO
Thank you for your attention! Eugene Rodionov Aleksandr Matrosov @vxradius @matrosov

Recommandé

HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
Manipulating object-behavior-at-runtime
Manipulating object-behavior-at-runtimeManipulating object-behavior-at-runtime
Manipulating object-behavior-at-runtimeAndrei Ursan
 
Persistence And Documents
Persistence And DocumentsPersistence And Documents
Persistence And DocumentsSV.CO
 
Java 7
Java 7Java 7
Java 7Bipul Sinha
 
Python Objects
Python ObjectsPython Objects
Python ObjectsQuintagroup
 
Memory management
Memory managementMemory management
Memory managementKuban Dzhakipov
 
Node.js Deserialization
Node.js DeserializationNode.js Deserialization
Node.js DeserializationNSConclave
 

Recommandé

HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
Manipulating object-behavior-at-runtime
Manipulating object-behavior-at-runtimeManipulating object-behavior-at-runtime
Manipulating object-behavior-at-runtimeAndrei Ursan
 
Persistence And Documents
Persistence And DocumentsPersistence And Documents
Persistence And DocumentsSV.CO
 
Java 7
Java 7Java 7
Java 7Bipul Sinha
 
Python Objects
Python ObjectsPython Objects
Python ObjectsQuintagroup
 
Memory management
Memory managementMemory management
Memory managementKuban Dzhakipov
 
Node.js Deserialization
Node.js DeserializationNode.js Deserialization
Node.js DeserializationNSConclave
 
Python Deserialization Attacks
Python Deserialization AttacksPython Deserialization Attacks
Python Deserialization AttacksNSConclave
 
Java Collection
Java CollectionJava Collection
Java CollectionDeeptiJava
 
Real World Generics In Swift
Real World Generics In SwiftReal World Generics In Swift
Real World Generics In SwiftVadym Markov
 
{"JSON, Swift and Type Safety" : "It's a wrap"}
{"JSON, Swift and Type Safety" : "It's a wrap"}{"JSON, Swift and Type Safety" : "It's a wrap"}
{"JSON, Swift and Type Safety" : "It's a wrap"}Anthony Levings
 
Look Ma, “update DB to HTML5 using C++”, no hands! 
Look Ma, “update DB to HTML5 using C++”, no hands! Look Ma, “update DB to HTML5 using C++”, no hands! 
Look Ma, “update DB to HTML5 using C++”, no hands! aleks-f
 
Adopting Swift Generics
Adopting Swift GenericsAdopting Swift Generics
Adopting Swift GenericsMax Sokolov
 
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScript
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScriptMongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScript
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScriptMongoDB
 
Dynamic C++ Silicon Valley Code Camp 2012
Dynamic C++ Silicon Valley Code Camp 2012Dynamic C++ Silicon Valley Code Camp 2012
Dynamic C++ Silicon Valley Code Camp 2012aleks-f
 
Constructors and Destructors
Constructors and DestructorsConstructors and Destructors
Constructors and DestructorsKeyur Vadodariya
 
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)PROIDEA
 
Ts archiving
Ts archivingTs archiving
Ts archivingConfiz
 
[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)croquiscom
 
Using Reflections and Automatic Code Generation
Using Reflections and Automatic Code GenerationUsing Reflections and Automatic Code Generation
Using Reflections and Automatic Code GenerationIvan Dolgushin
 
Generics past, present and future
Generics past, present and futureGenerics past, present and future
Generics past, present and futureRichardWarburton
 
For mobile 5/13'
For mobile 5/13'For mobile 5/13'
For mobile 5/13'Jakub Hladík
 
Extending Node.js using C++
Extending Node.js using C++Extending Node.js using C++
Extending Node.js using C++Kenneth Geisshirt
 
Gradle - small introduction
Gradle - small introductionGradle - small introduction
Gradle - small introductionIgor Popov
 
Lecture 2, c++(complete reference,herbet sheidt)chapter-12
Lecture 2, c++(complete reference,herbet sheidt)chapter-12Lecture 2, c++(complete reference,herbet sheidt)chapter-12
Lecture 2, c++(complete reference,herbet sheidt)chapter-12Abu Saleh
 
The Xtext Grammar Language
The Xtext Grammar LanguageThe Xtext Grammar Language
The Xtext Grammar LanguageDr. Jan Köhnlein
 
JavaScript, TypeScipt and React Native
JavaScript, TypeScipt and React NativeJavaScript, TypeScipt and React Native
JavaScript, TypeScipt and React NativeMitchell Tilbrook
 
Lowery contact sheet l
Lowery contact sheet lLowery contact sheet l
Lowery contact sheet lreuben95
 
Maria elena bernal
Maria elena bernalMaria elena bernal
Maria elena bernal0987561580
 

Contenu connexe

Tendances

Python Deserialization Attacks
Python Deserialization AttacksPython Deserialization Attacks
Python Deserialization AttacksNSConclave
 
Java Collection
Java CollectionJava Collection
Java CollectionDeeptiJava
 
Real World Generics In Swift
Real World Generics In SwiftReal World Generics In Swift
Real World Generics In SwiftVadym Markov
 
{"JSON, Swift and Type Safety" : "It's a wrap"}
{"JSON, Swift and Type Safety" : "It's a wrap"}{"JSON, Swift and Type Safety" : "It's a wrap"}
{"JSON, Swift and Type Safety" : "It's a wrap"}Anthony Levings
 
Look Ma, “update DB to HTML5 using C++”, no hands! 
Look Ma, “update DB to HTML5 using C++”, no hands! Look Ma, “update DB to HTML5 using C++”, no hands! 
Look Ma, “update DB to HTML5 using C++”, no hands! aleks-f
 
Adopting Swift Generics
Adopting Swift GenericsAdopting Swift Generics
Adopting Swift GenericsMax Sokolov
 
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScript
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScriptMongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScript
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScriptMongoDB
 
Dynamic C++ Silicon Valley Code Camp 2012
Dynamic C++ Silicon Valley Code Camp 2012Dynamic C++ Silicon Valley Code Camp 2012
Dynamic C++ Silicon Valley Code Camp 2012aleks-f
 
Constructors and Destructors
Constructors and DestructorsConstructors and Destructors
Constructors and DestructorsKeyur Vadodariya
 
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)PROIDEA
 
Ts archiving
Ts archivingTs archiving
Ts archivingConfiz
 
[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)croquiscom
 
Using Reflections and Automatic Code Generation
Using Reflections and Automatic Code GenerationUsing Reflections and Automatic Code Generation
Using Reflections and Automatic Code GenerationIvan Dolgushin
 
Generics past, present and future
Generics past, present and futureGenerics past, present and future
Generics past, present and futureRichardWarburton
 
Gradle - small introduction
Gradle - small introductionGradle - small introduction
Gradle - small introductionIgor Popov
 
Lecture 2, c++(complete reference,herbet sheidt)chapter-12
Lecture 2, c++(complete reference,herbet sheidt)chapter-12Lecture 2, c++(complete reference,herbet sheidt)chapter-12
Lecture 2, c++(complete reference,herbet sheidt)chapter-12Abu Saleh
 
JavaScript, TypeScipt and React Native
JavaScript, TypeScipt and React NativeJavaScript, TypeScipt and React Native
JavaScript, TypeScipt and React NativeMitchell Tilbrook
 

Tendances (20)

Python Deserialization Attacks
Python Deserialization AttacksPython Deserialization Attacks
Python Deserialization Attacks
 
Java Collection
Java CollectionJava Collection
Java Collection
 
Real World Generics In Swift
Real World Generics In SwiftReal World Generics In Swift
Real World Generics In Swift
 
{"JSON, Swift and Type Safety" : "It's a wrap"}
{"JSON, Swift and Type Safety" : "It's a wrap"}{"JSON, Swift and Type Safety" : "It's a wrap"}
{"JSON, Swift and Type Safety" : "It's a wrap"}
 
Look Ma, “update DB to HTML5 using C++”, no hands! 
Look Ma, “update DB to HTML5 using C++”, no hands! Look Ma, “update DB to HTML5 using C++”, no hands! 
Look Ma, “update DB to HTML5 using C++”, no hands! 
 
Adopting Swift Generics
Adopting Swift GenericsAdopting Swift Generics
Adopting Swift Generics
 
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScript
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScriptMongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScript
MongoDB World 2019: Building a GraphQL API with MongoDB, Prisma, & TypeScript
 
Dynamic C++ Silicon Valley Code Camp 2012
Dynamic C++ Silicon Valley Code Camp 2012Dynamic C++ Silicon Valley Code Camp 2012
Dynamic C++ Silicon Valley Code Camp 2012
 
Constructors and Destructors
Constructors and DestructorsConstructors and Destructors
Constructors and Destructors
 
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
 
Ts archiving
Ts archivingTs archiving
Ts archiving
 
[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)[2019-07] GraphQL in depth (serverside)
[2019-07] GraphQL in depth (serverside)
 
Using Reflections and Automatic Code Generation
Using Reflections and Automatic Code GenerationUsing Reflections and Automatic Code Generation
Using Reflections and Automatic Code Generation
 
Generics past, present and future
Generics past, present and futureGenerics past, present and future
Generics past, present and future
 
For mobile 5/13'
For mobile 5/13'For mobile 5/13'
For mobile 5/13'
 
Extending Node.js using C++
Extending Node.js using C++Extending Node.js using C++
Extending Node.js using C++
 
Gradle - small introduction
Gradle - small introductionGradle - small introduction
Gradle - small introduction
 
Lecture 2, c++(complete reference,herbet sheidt)chapter-12
Lecture 2, c++(complete reference,herbet sheidt)chapter-12Lecture 2, c++(complete reference,herbet sheidt)chapter-12
Lecture 2, c++(complete reference,herbet sheidt)chapter-12
 
The Xtext Grammar Language
The Xtext Grammar LanguageThe Xtext Grammar Language
The Xtext Grammar Language
 
JavaScript, TypeScipt and React Native
JavaScript, TypeScipt and React NativeJavaScript, TypeScipt and React Native
JavaScript, TypeScipt and React Native
 

En vedette

Lowery contact sheet l
Lowery contact sheet lLowery contact sheet l
Lowery contact sheet lreuben95
 
Maria elena bernal
Maria elena bernalMaria elena bernal
Maria elena bernal0987561580
 
Locations
Locations Locations
Locations mica16
 
Urolige elever - hvad virker?
Urolige elever - hvad virker?Urolige elever - hvad virker?
Urolige elever - hvad virker?SFI-slides
 
寶藏巖藝術村
寶藏巖藝術村寶藏巖藝術村
寶藏巖藝術村family
 
Préfabrication
PréfabricationPréfabrication
PréfabricationSami Sahli
 

En vedette (10)

Lowery contact sheet l
Lowery contact sheet lLowery contact sheet l
Lowery contact sheet l
 
Maria elena bernal
Maria elena bernalMaria elena bernal
Maria elena bernal
 
Locations
Locations Locations
Locations
 
How big is life
How big is lifeHow big is life
How big is life
 
Urolige elever - hvad virker?
Urolige elever - hvad virker?Urolige elever - hvad virker?
Urolige elever - hvad virker?
 
тек контр и па
тек контр и патек контр и па
тек контр и па
 
寶藏巖藝術村
寶藏巖藝術村寶藏巖藝術村
寶藏巖藝術村
 
Correlations using SPSS
Correlations using SPSSCorrelations using SPSS
Correlations using SPSS
 
面試心得分享
面試心得分享面試心得分享
面試心得分享
 
Préfabrication
PréfabricationPréfabrication
Préfabrication
 

Similaire à Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented RE easier

Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
Visual C++ project model
Visual C++ project modelVisual C++ project model
Visual C++ project modelPVS-Studio
 
.Net Framework Introduction
.Net Framework Introduction.Net Framework Introduction
.Net Framework IntroductionAbhishek Sahu
 
Introduction to c_plus_plus
Introduction to c_plus_plusIntroduction to c_plus_plus
Introduction to c_plus_plusSayed Ahmed
 
Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)Sayed Ahmed
 
Whats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoWhats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoPaulo Morgado
 
PDC Video on C# 4.0 Futures
PDC Video on C# 4.0 FuturesPDC Video on C# 4.0 Futures
PDC Video on C# 4.0 Futuresnithinmohantk
 
Constructors in C++.pptx
Constructors in C++.pptxConstructors in C++.pptx
Constructors in C++.pptxRassjb
 
Framework engineering JCO 2011
Framework engineering JCO 2011Framework engineering JCO 2011
Framework engineering JCO 2011YoungSu Son
 
Developing your first application using FIWARE
Developing your first application using FIWAREDeveloping your first application using FIWARE
Developing your first application using FIWAREFIWARE
 
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.docabdulhaq467432
 
Understanding Reflection
Understanding ReflectionUnderstanding Reflection
Understanding ReflectionTamir Khason
 
Introduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicIntroduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicGieno Miao
 
Whidbey old
Whidbey old Whidbey old
Whidbey old grenaud
 
Introduction To Dojo
Introduction To DojoIntroduction To Dojo
Introduction To Dojoyoavrubin
 
Proxy design pattern (Class Ambassador)
Proxy design pattern (Class Ambassador)Proxy design pattern (Class Ambassador)
Proxy design pattern (Class Ambassador)Sameer Rathoud
 
Dynamic Language Performance
Dynamic Language PerformanceDynamic Language Performance
Dynamic Language PerformanceKevin Hazzard
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet IntroductionWei Sun
 

Similaire à Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented RE easier (20)

Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
Visual C++ project model
Visual C++ project modelVisual C++ project model
Visual C++ project model
 
.Net Framework Introduction
.Net Framework Introduction.Net Framework Introduction
.Net Framework Introduction
 
Introduction to c_plus_plus
Introduction to c_plus_plusIntroduction to c_plus_plus
Introduction to c_plus_plus
 
Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)
 
Whats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoWhats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPonto
 
PDC Video on C# 4.0 Futures
PDC Video on C# 4.0 FuturesPDC Video on C# 4.0 Futures
PDC Video on C# 4.0 Futures
 
Constructors in C++.pptx
Constructors in C++.pptxConstructors in C++.pptx
Constructors in C++.pptx
 
Framework engineering JCO 2011
Framework engineering JCO 2011Framework engineering JCO 2011
Framework engineering JCO 2011
 
Developing your first application using FIWARE
Developing your first application using FIWAREDeveloping your first application using FIWARE
Developing your first application using FIWARE
 
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc
7.-Download_CS201-Solved-Subjective-with-Reference-by-Aqib.doc
 
Understanding Reflection
Understanding ReflectionUnderstanding Reflection
Understanding Reflection
 
1204csharp
1204csharp1204csharp
1204csharp
 
Introduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicIntroduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamic
 
Whidbey old
Whidbey old Whidbey old
Whidbey old
 
Modern C++
Modern C++Modern C++
Modern C++
 
Introduction To Dojo
Introduction To DojoIntroduction To Dojo
Introduction To Dojo
 
Proxy design pattern (Class Ambassador)
Proxy design pattern (Class Ambassador)Proxy design pattern (Class Ambassador)
Proxy design pattern (Class Ambassador)
 
Dynamic Language Performance
Dynamic Language PerformanceDynamic Language Performance
Dynamic Language Performance
 
DotNet Introduction
DotNet IntroductionDotNet Introduction
DotNet Introduction
 

Plus de DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Plus de DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Dernier

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Dernier (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented RE easier

  • 1. HexRaysCodeXplorer: make object-oriented RE easier Aleksandr MatrosovEugene Rodionov @matrosov @vxradius
  • 2. C++ Code Reconstruction Problems  Object identification  Type reconstruction  Class layout reconstruction     Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls  RTTI reconstruction  Vftable reconstruction  Associate vftable object with exact object  Class hierarchy reconstruction
  • 3. C++ Code Reconstruction: the truth is out there
  • 4. An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
  • 5. An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
  • 6. An overview of the Flamer Framework Vector<Command Executor> Vector<Consumer> DB_Query ClanCmd FileCollect Driller GetConfig Munch FileFinder Mobile Consumer Cmd Consumer Vector<Task> IDLER CmdExec Sniffer Lua Consumer Vector<DelayedTasks> Media Consumer Euphoria Share Supplier LSS Sender Frog Beetlejuice
  • 8.
  • 9. HexRaysCodeXplorer Features  Hex-Rays decompiler plugin  The plugin was designed to facilitate static analysis of:  object oriented code  position independent code  The plugin allows to:  navigate through decompiled virtual methods  partially reconstruct object type
  • 10. Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
  • 11. Hex-Rays Decompiler Plugin SDK  At the heart of the decompiler lies ctree structure:  syntax tree structure  consists of citem_t objects  there are 9 maturity levels of the ctree structure
  • 12. Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type citem_t cexpr_t cinsn_t  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t
  • 13. Hex-Rays Decompiler Plugin SDK  Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type citem_t cexpr_t cinsn_t  Expressions have attached type information  Statements include:  block, if, for, while, do, switch, return, goto, asm  Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t
  • 15. HexRaysCodeXplorer: Virtual Methods  The IDA’s “Local Types” is used to represent object type
  • 16. HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods
  • 17. HexRaysCodeXplorer: Virtual Methods  Hex-Rays decompiler plugin is used to navigate through the virtual methods
  • 18. HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
  • 19. HexRaysCodeXplorer: Object Type REconstruction  Hex-Rays’s ctree structure may be used to partially reconstruct object type based on its initialization routine (constructor)  Input:  pointer to the object instance  object initialization routine entry point  Output:  C structure-like object representation
  • 20. HexRaysCodeXplorer: Object Type REconstruction  citem_t objects to monitor:  memptr  call (LOBYTE, etc.)  idx  memref
  • 21. HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
  • 22. HexRaysCodeXplorer: Object Type REconstruction // reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
  • 23. HexRaysCodeXplorer 1.1 [ZeroNights Edition]  Type Reconstruction:  reconstruct type into IDA local types  bugfixes =)  ObjectExplorer:  Auto structures for VTBL  Click on VTBL and jump to code  ObjectExplorer hints for VTBL
  • 24. NO TIME for DEMO
  • 25.
  • 26.
  • 27. Thank you for your attention! Eugene Rodionov Aleksandr Matrosov @vxradius @matrosov