SlideShare a Scribd company logo

HexRaysCodeXplorer: object oriented RE for fun and profit

Alex Matrosov
Alex Matrosov

HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. Here are the main features of the plugin: - Automatic type REconstruction for C++ objects. - C-tree graph visualization - a special tree-like structure representing a decompiled routine in c_itemt terms. Useful feature for understanding how the decompiler works. - Navigation through virtual function calls in HexRays Pseudocode window. - Object Explorer - useful interface for navigation through virtual tables (VTBL) structures. In this presentation, the authors of HexRaysCodeXplorer will be discussing main functionality of the plugin and its application for reverse engineering. The authors will be presenting the algorithm for C++ type REconstruction. Also a special version of HexRaysCodeXplorer (H2HC edition) will be released with new features developed specially for H2Cconference. New features will be committed to GitHub from the stage.

Technology
1 of 46
Download to read offline
HexRaysCodeXplorer: object oriented RE for fun and profit Alexander Matrosov @matrosov Eugene Rodionov @vxradius
C++ Code Reconstruction Problems Show problems on real examples (Flamer) HexRaysCodeXplorerv1.5 [H2HC Edition] Agenda
C++ Code Reconstruction Problems Object identification Type reconstruction Class layout reconstruction Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls RTTI reconstruction Vftablereconstruction Associate vftableobject with exact object Class hierarchy reconstruction
C++ Code Reconstruction Problems Class AvfPtra1() a2() A::vfTablemetaA::a1() A::a2() RTTI Object LocatorsignaturepTypeDescriptorpClassDescriptor
C++ Code Reconstruction Problems
REconstructingFlamer Framework
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
Identify Smart Pointer Structure oSmart pointers oStrings oVectors to maintain the objects oCustom data types: wrappers tasks, triggers and etc.
Data Types Being Used: Smart pointers typedefstructSMART_PTR { void *pObject;// pointer to the object int*RefNo;// reference counter };
Identify Smart Pointer Structure
Data Types Being Used: Vectors structVECTOR { void *vTable;// pointer to the table intNumberOfItems;// self-explanatory intMaxSize;// self-explanatory void *vector;// pointer to buffer with elements }; oUsed to handle the objects: tasks triggers etc.
Identify Exact Virtual Function Call in Vtable
Identify Exact Virtual Function Call in Vtable
Identify Custom Type Operations
Data Types Being Used: Strings structUSTRING_STRUCT { void *vTable;// pointer to the table intRefNo;// reference counter intInitialized; wchar_t*UnicodeBuffer;// pointer to unicodestring char *AsciiBuffer;// pointer to ASCII string intAsciiLength;// length of the ASCII string intReserved; intLength;// Length of unicodestring intLengthMax;// Size of UnicodeBuffer };
Identify Objects Constructors
Identify Objects Constructors
REconstructingObject’s Attributes
REconstructingObject’s Attributes
REconstructingObject’s Methods
REconstructingObject’s Methods
HexRaysCodeXplorer
HexRaysCodeXplorerv1.0: released in 2013 at REcon
HexRaysCodeXplorerFeatures oHex-Rays decompilerplugin oThe plugin was designed to facilitate static analysis of: object oriented code position independent code oThe plugin allows to: navigate through decompiled virtual methods partially reconstruct object type
Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
Hex-Rays DecompilerPlugin SDK oType citem_tis a base class for: cexpr_t–expression type cinsn_t–statement type oExpressions have attached type information oStatements include: block, if, for, while, do, switch, return, goto, asm oHex-Rays provides iterators for traversing the citem_tobjects within ctreestructure: ctree_visitor_t ctree_parentee_t citem_tcexpr_tcinsn_t
Hex-Rays Decompiler Plugin SDK o Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type o Expressions have attached type information o Statements include:  block, if, for, while, do, switch, return, goto, asm o Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
DEMO time :)
HexRaysCodeXplorer: GapzPosition Independent Code
HexRaysCodeXplorer: Virtual Methods The IDA’s ‘Local Types’ is used to represent object type
Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
HexRaysCodeXplorer: Object Type REconstruction oHex-Rays’sctreestructure may be used to partially reconstruct object type based on its initialization routine (constructor) oInput: pointer to the object instance object initialization routine entry point oOutput: C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.)
HexRaysCodeXplorer: Object Type REconstruction //reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, …
HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, … oType propagation for nested function calls
HexRaysCodeXplorerv1.5 [H2HC Edition] oFeatures of v1.5 [H2HC Edition] : Better Type Reconstruction •Improvements for parsing citem_tobjects with PTR andASG statements •Recursive traversal of Ctreeto reconstruct Types hierarchy Navigate from Pseudo code window to Disassembly line Hints for Ctreeelements which point to Disassembly line Support for x64 version of Hex-Rays Decompiler Some bug fixes by user requests
DEMO time :)
HexRaysCodeXplorer: -> What are the next goals? oDevelop the next version on IdaPython oFocus on the following features: Type reconstruction(C++, Objective-C) Type Navigation (C++, Objective-C) Vtablesparsing based on Hex-Rays API Ctreegraph navigation improvements Patterns for possible vulndetection
Why python?
Python Arsenal Contesthttp://2014.zeronights.org/contests/python-arsenal-contest.html Best exploit devtool/plugin/lib Best forensics tool/plugin/lib Best reversing tool/plugin/lib Best fuzzing tool/plugin/lib Best malware analysis tool/plugin/lib
Thank you for your attention! HexRaysCodeXplorer http://REhints.com@REhints https://github.com/REhints/HexRaysCodeXplorer

Recommended

HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an Overview
Roberto Casadei
 
Why rust?
Why rust?Why rust?
Why rust?
Mats Kindahl
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++
corehard_by
 
Start Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New RopeStart Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New Rope
Yung-Yu Chen
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...
Claudio Capobianco
 
Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applications
Dmitry Matyukhin
 

Recommended

HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an Overview
Roberto Casadei
 
Why rust?
Why rust?Why rust?
Why rust?
Mats Kindahl
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++
corehard_by
 
Start Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New RopeStart Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New Rope
Yung-Yu Chen
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...
Claudio Capobianco
 
Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applications
Dmitry Matyukhin
 
Return of c++
Return of c++Return of c++
Return of c++
Yongwei Wu
 
Python Objects
Python ObjectsPython Objects
Python Objects
Quintagroup
 
Google Dart
Google DartGoogle Dart
Google Dart
Eberhard Wolff
 
Android JNI
Android JNIAndroid JNI
Android JNI
Siva Ramakrishna kv
 
Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017
pramode_ce
 
Getting started with C# Programming
Getting started with C# ProgrammingGetting started with C# Programming
Getting started with C# Programming
Bhushan Mulmule
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22
nikomatsakis
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
nikomatsakis
 
Guaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in RustGuaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in Rust
nikomatsakis
 
Ts archiving
Ts archivingTs archiving
Ts archiving
Confiz
 
Intro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY MeetupIntro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY Meetup
nikomatsakis
 
Python GC
Python GCPython GC
Python GC
delimitry
 
Book
BookBook
Book
luis_lmro
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-C
corehard_by
 
Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)
Sumant Tambe
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Sioux
nikomatsakis
 
Node.js extensions in C++
Node.js extensions in C++Node.js extensions in C++
Node.js extensions in C++
Kenneth Geisshirt
 
Java 7
Java 7Java 7
Java 7
Bipul Sinha
 
Objective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchObjective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central Dispatch
Matteo Battaglio
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
Roberto Suggi Liverani
 
Pointers & References in C++
Pointers & References in C++Pointers & References in C++
Pointers & References in C++
Ilio Catallo
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 

More Related Content

What's hot

Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
nikomatsakis
 
Ts archiving
Ts archivingTs archiving
Ts archiving
Confiz
 

What's hot (20)

Return of c++
Return of c++Return of c++
Return of c++
 
Python Objects
Python ObjectsPython Objects
Python Objects
 
Google Dart
Google DartGoogle Dart
Google Dart
 
Android JNI
Android JNIAndroid JNI
Android JNI
 
Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017
 
Getting started with C# Programming
Getting started with C# ProgrammingGetting started with C# Programming
Getting started with C# Programming
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
 
Guaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in RustGuaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in Rust
 
Ts archiving
Ts archivingTs archiving
Ts archiving
 
Intro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY MeetupIntro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY Meetup
 
Python GC
Python GCPython GC
Python GC
 
Book
BookBook
Book
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-C
 
Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Sioux
 
Node.js extensions in C++
Node.js extensions in C++Node.js extensions in C++
Node.js extensions in C++
 
Java 7
Java 7Java 7
Java 7
 
Objective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchObjective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central Dispatch
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
 

Viewers also liked

Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 

Viewers also liked (20)

Pointers & References in C++
Pointers & References in C++Pointers & References in C++
Pointers & References in C++
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Алексей Кутумов, Вектор с нуля
Алексей Кутумов, Вектор с нуляАлексей Кутумов, Вектор с нуля
Алексей Кутумов, Вектор с нуля
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
Heat exchanger
Heat exchangerHeat exchanger
Heat exchanger
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 

Similar to HexRaysCodeXplorer: object oriented RE for fun and profit

Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
DefconRussia
 
Introduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicIntroduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamic
Gieno Miao
 
Whats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoWhats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPonto
Paulo Morgado
 
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
NALESVPMEngg
 
Dynamic Language Performance
Dynamic Language PerformanceDynamic Language Performance
Dynamic Language Performance
Kevin Hazzard
 
Oop lec 3(structures)
Oop lec 3(structures)Oop lec 3(structures)
Oop lec 3(structures)
Asfand Hassan
 

Similar to HexRaysCodeXplorer: object oriented RE for fun and profit (20)

Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
 
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
 
PDC Video on C# 4.0 Futures
PDC Video on C# 4.0 FuturesPDC Video on C# 4.0 Futures
PDC Video on C# 4.0 Futures
 
Clanguage
ClanguageClanguage
Clanguage
 
Introduction to c_plus_plus
Introduction to c_plus_plusIntroduction to c_plus_plus
Introduction to c_plus_plus
 
Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)
 
Introduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicIntroduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamic
 
Whats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoWhats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPonto
 
Theory1&amp;2
Theory1&amp;2Theory1&amp;2
Theory1&amp;2
 
C language
C languageC language
C language
 
unit 1 (1).pptx
unit 1 (1).pptxunit 1 (1).pptx
unit 1 (1).pptx
 
.Net Framework Introduction
.Net Framework Introduction.Net Framework Introduction
.Net Framework Introduction
 
C#ppt
C#pptC#ppt
C#ppt
 
Introduction to-csharp
Introduction to-csharpIntroduction to-csharp
Introduction to-csharp
 
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
 
Introduction-to-Csharp.ppt
Introduction-to-Csharp.pptIntroduction-to-Csharp.ppt
Introduction-to-Csharp.ppt
 
Introduction-to-Csharp.ppt
Introduction-to-Csharp.pptIntroduction-to-Csharp.ppt
Introduction-to-Csharp.ppt
 
C language
C languageC language
C language
 
Dynamic Language Performance
Dynamic Language PerformanceDynamic Language Performance
Dynamic Language Performance
 
Oop lec 3(structures)
Oop lec 3(structures)Oop lec 3(structures)
Oop lec 3(structures)
 

Recently uploaded

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

HexRaysCodeXplorer: object oriented RE for fun and profit

  • 1. HexRaysCodeXplorer: object oriented RE for fun and profit Alexander Matrosov @matrosov Eugene Rodionov @vxradius
  • 2. C++ Code Reconstruction Problems Show problems on real examples (Flamer) HexRaysCodeXplorerv1.5 [H2HC Edition] Agenda
  • 3. C++ Code Reconstruction Problems Object identification Type reconstruction Class layout reconstruction Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls RTTI reconstruction Vftablereconstruction Associate vftableobject with exact object Class hierarchy reconstruction
  • 4. C++ Code Reconstruction Problems Class AvfPtra1() a2() A::vfTablemetaA::a1() A::a2() RTTI Object LocatorsignaturepTypeDescriptorpClassDescriptor
  • 7. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 8. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 9. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 10. Identify Smart Pointer Structure oSmart pointers oStrings oVectors to maintain the objects oCustom data types: wrappers tasks, triggers and etc.
  • 11. Data Types Being Used: Smart pointers typedefstructSMART_PTR { void *pObject;// pointer to the object int*RefNo;// reference counter };
  • 13. Data Types Being Used: Vectors structVECTOR { void *vTable;// pointer to the table intNumberOfItems;// self-explanatory intMaxSize;// self-explanatory void *vector;// pointer to buffer with elements }; oUsed to handle the objects: tasks triggers etc.
  • 14. Identify Exact Virtual Function Call in Vtable
  • 15. Identify Exact Virtual Function Call in Vtable
  • 16. Identify Custom Type Operations
  • 17. Data Types Being Used: Strings structUSTRING_STRUCT { void *vTable;// pointer to the table intRefNo;// reference counter intInitialized; wchar_t*UnicodeBuffer;// pointer to unicodestring char *AsciiBuffer;// pointer to ASCII string intAsciiLength;// length of the ASCII string intReserved; intLength;// Length of unicodestring intLengthMax;// Size of UnicodeBuffer };
  • 26. HexRaysCodeXplorerFeatures oHex-Rays decompilerplugin oThe plugin was designed to facilitate static analysis of: object oriented code position independent code oThe plugin allows to: navigate through decompiled virtual methods partially reconstruct object type
  • 27. Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
  • 28. Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
  • 29. Hex-Rays DecompilerPlugin SDK oType citem_tis a base class for: cexpr_t–expression type cinsn_t–statement type oExpressions have attached type information oStatements include: block, if, for, while, do, switch, return, goto, asm oHex-Rays provides iterators for traversing the citem_tobjects within ctreestructure: ctree_visitor_t ctree_parentee_t citem_tcexpr_tcinsn_t
  • 30. Hex-Rays Decompiler Plugin SDK o Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type o Expressions have attached type information o Statements include:  block, if, for, while, do, switch, return, goto, asm o Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
  • 33. HexRaysCodeXplorer: Virtual Methods The IDA’s ‘Local Types’ is used to represent object type
  • 34. Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
  • 35. Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
  • 36. HexRaysCodeXplorer: Object Type REconstruction oHex-Rays’sctreestructure may be used to partially reconstruct object type based on its initialization routine (constructor) oInput: pointer to the object instance object initialization routine entry point oOutput: C structure-like object representation
  • 37. HexRaysCodeXplorer: Object Type REconstruction citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.)
  • 38. HexRaysCodeXplorer: Object Type REconstruction //reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
  • 39. HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, …
  • 40. HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, … oType propagation for nested function calls
  • 41. HexRaysCodeXplorerv1.5 [H2HC Edition] oFeatures of v1.5 [H2HC Edition] : Better Type Reconstruction •Improvements for parsing citem_tobjects with PTR andASG statements •Recursive traversal of Ctreeto reconstruct Types hierarchy Navigate from Pseudo code window to Disassembly line Hints for Ctreeelements which point to Disassembly line Support for x64 version of Hex-Rays Decompiler Some bug fixes by user requests
  • 43. HexRaysCodeXplorer: -> What are the next goals? oDevelop the next version on IdaPython oFocus on the following features: Type reconstruction(C++, Objective-C) Type Navigation (C++, Objective-C) Vtablesparsing based on Hex-Rays API Ctreegraph navigation improvements Patterns for possible vulndetection
  • 45. Python Arsenal Contesthttp://2014.zeronights.org/contests/python-arsenal-contest.html Best exploit devtool/plugin/lib Best forensics tool/plugin/lib Best reversing tool/plugin/lib Best fuzzing tool/plugin/lib Best malware analysis tool/plugin/lib
  • 46. Thank you for your attention! HexRaysCodeXplorer http://REhints.com@REhints https://github.com/REhints/HexRaysCodeXplorer