SlideShare a Scribd company logo

HexRaysCodeXplorer: object oriented RE for fun and profit

Alex Matrosov
Alex Matrosov

HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. Here are the main features of the plugin: - Automatic type REconstruction for C++ objects. - C-tree graph visualization - a special tree-like structure representing a decompiled routine in c_itemt terms. Useful feature for understanding how the decompiler works. - Navigation through virtual function calls in HexRays Pseudocode window. - Object Explorer - useful interface for navigation through virtual tables (VTBL) structures. In this presentation, the authors of HexRaysCodeXplorer will be discussing main functionality of the plugin and its application for reverse engineering. The authors will be presenting the algorithm for C++ type REconstruction. Also a special version of HexRaysCodeXplorer (H2HC edition) will be released with new features developed specially for H2Cconference. New features will be committed to GitHub from the stage.

Technology
1 of 46
Download to read offline
HexRaysCodeXplorer: object oriented RE for fun and profit Alexander Matrosov @matrosov Eugene Rodionov @vxradius
C++ Code Reconstruction Problems Show problems on real examples (Flamer) HexRaysCodeXplorerv1.5 [H2HC Edition] Agenda
C++ Code Reconstruction Problems Object identification Type reconstruction Class layout reconstruction Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls RTTI reconstruction Vftablereconstruction Associate vftableobject with exact object Class hierarchy reconstruction
C++ Code Reconstruction Problems Class AvfPtra1() a2() A::vfTablemetaA::a1() A::a2() RTTI Object LocatorsignaturepTypeDescriptorpClassDescriptor
C++ Code Reconstruction Problems
REconstructingFlamer Framework
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
Identify Smart Pointer Structure oSmart pointers oStrings oVectors to maintain the objects oCustom data types: wrappers tasks, triggers and etc.
Data Types Being Used: Smart pointers typedefstructSMART_PTR { void *pObject;// pointer to the object int*RefNo;// reference counter };
Identify Smart Pointer Structure
Data Types Being Used: Vectors structVECTOR { void *vTable;// pointer to the table intNumberOfItems;// self-explanatory intMaxSize;// self-explanatory void *vector;// pointer to buffer with elements }; oUsed to handle the objects: tasks triggers etc.
Identify Exact Virtual Function Call in Vtable
Identify Exact Virtual Function Call in Vtable
Identify Custom Type Operations
Data Types Being Used: Strings structUSTRING_STRUCT { void *vTable;// pointer to the table intRefNo;// reference counter intInitialized; wchar_t*UnicodeBuffer;// pointer to unicodestring char *AsciiBuffer;// pointer to ASCII string intAsciiLength;// length of the ASCII string intReserved; intLength;// Length of unicodestring intLengthMax;// Size of UnicodeBuffer };
Identify Objects Constructors
Identify Objects Constructors
REconstructingObject’s Attributes
REconstructingObject’s Attributes
REconstructingObject’s Methods
REconstructingObject’s Methods
HexRaysCodeXplorer
HexRaysCodeXplorerv1.0: released in 2013 at REcon
HexRaysCodeXplorerFeatures oHex-Rays decompilerplugin oThe plugin was designed to facilitate static analysis of: object oriented code position independent code oThe plugin allows to: navigate through decompiled virtual methods partially reconstruct object type
Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
Hex-Rays DecompilerPlugin SDK oType citem_tis a base class for: cexpr_t–expression type cinsn_t–statement type oExpressions have attached type information oStatements include: block, if, for, while, do, switch, return, goto, asm oHex-Rays provides iterators for traversing the citem_tobjects within ctreestructure: ctree_visitor_t ctree_parentee_t citem_tcexpr_tcinsn_t
Hex-Rays Decompiler Plugin SDK o Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type o Expressions have attached type information o Statements include:  block, if, for, while, do, switch, return, goto, asm o Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
DEMO time :)
HexRaysCodeXplorer: GapzPosition Independent Code
HexRaysCodeXplorer: Virtual Methods The IDA’s ‘Local Types’ is used to represent object type
Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
HexRaysCodeXplorer: Object Type REconstruction oHex-Rays’sctreestructure may be used to partially reconstruct object type based on its initialization routine (constructor) oInput: pointer to the object instance object initialization routine entry point oOutput: C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.)
HexRaysCodeXplorer: Object Type REconstruction //reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, …
HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, … oType propagation for nested function calls
HexRaysCodeXplorerv1.5 [H2HC Edition] oFeatures of v1.5 [H2HC Edition] : Better Type Reconstruction •Improvements for parsing citem_tobjects with PTR andASG statements •Recursive traversal of Ctreeto reconstruct Types hierarchy Navigate from Pseudo code window to Disassembly line Hints for Ctreeelements which point to Disassembly line Support for x64 version of Hex-Rays Decompiler Some bug fixes by user requests
DEMO time :)
HexRaysCodeXplorer: -> What are the next goals? oDevelop the next version on IdaPython oFocus on the following features: Type reconstruction(C++, Objective-C) Type Navigation (C++, Objective-C) Vtablesparsing based on Hex-Rays API Ctreegraph navigation improvements Patterns for possible vulndetection
Why python?
Python Arsenal Contesthttp://2014.zeronights.org/contests/python-arsenal-contest.html Best exploit devtool/plugin/lib Best forensics tool/plugin/lib Best reversing tool/plugin/lib Best fuzzing tool/plugin/lib Best malware analysis tool/plugin/lib
Thank you for your attention! HexRaysCodeXplorer http://REhints.com@REhints https://github.com/REhints/HexRaysCodeXplorer

Recommended

HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an OverviewRoberto Casadei
 
Why rust?
Why rust?Why rust?
Why rust?Mats Kindahl
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++corehard_by
 
Start Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New RopeStart Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New RopeYung-Yu Chen
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...Claudio Capobianco
 
Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applicationsDmitry Matyukhin
 

Recommended

HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
The Rust Programming Language: an Overview
The Rust Programming Language: an OverviewThe Rust Programming Language: an Overview
The Rust Programming Language: an OverviewRoberto Casadei
 
Why rust?
Why rust?Why rust?
Why rust?Mats Kindahl
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++corehard_by
 
Start Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New RopeStart Wrap Episode 11: A New Rope
Start Wrap Episode 11: A New RopeYung-Yu Chen
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...Claudio Capobianco
 
Native code in Android applications
Native code in Android applicationsNative code in Android applications
Native code in Android applicationsDmitry Matyukhin
 
Return of c++
Return of c++Return of c++
Return of c++Yongwei Wu
 
Python Objects
Python ObjectsPython Objects
Python ObjectsQuintagroup
 
Google Dart
Google DartGoogle Dart
Google DartEberhard Wolff
 
Android JNI
Android JNIAndroid JNI
Android JNISiva Ramakrishna kv
 
Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 pramode_ce
 
Getting started with C# Programming
Getting started with C# ProgrammingGetting started with C# Programming
Getting started with C# ProgrammingBhushan Mulmule
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22nikomatsakis
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)nikomatsakis
 
Guaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in RustGuaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in Rustnikomatsakis
 
Ts archiving
Ts archivingTs archiving
Ts archivingConfiz
 
Intro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY MeetupIntro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY Meetupnikomatsakis
 
Python GC
Python GCPython GC
Python GCdelimitry
 
Book
BookBook
Bookluis_lmro
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-Ccorehard_by
 
Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Sumant Tambe
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Siouxnikomatsakis
 
Node.js extensions in C++
Node.js extensions in C++Node.js extensions in C++
Node.js extensions in C++Kenneth Geisshirt
 
Java 7
Java 7Java 7
Java 7Bipul Sinha
 
Objective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchObjective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchMatteo Battaglio
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScriptRoberto Suggi Liverani
 
Pointers & References in C++
Pointers & References in C++Pointers & References in C++
Pointers & References in C++Ilio Catallo
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 

More Related Content

What's hot

Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 pramode_ce
 
Getting started with C# Programming
Getting started with C# ProgrammingGetting started with C# Programming
Getting started with C# ProgrammingBhushan Mulmule
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22nikomatsakis
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)nikomatsakis
 
Guaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in RustGuaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in Rustnikomatsakis
 
Ts archiving
Ts archivingTs archiving
Ts archivingConfiz
 
Intro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY MeetupIntro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY Meetupnikomatsakis
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-Ccorehard_by
 
Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Sumant Tambe
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Siouxnikomatsakis
 
Objective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchObjective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchMatteo Battaglio
 

What's hot (20)

Return of c++
Return of c++Return of c++
Return of c++
 
Python Objects
Python ObjectsPython Objects
Python Objects
 
Google Dart
Google DartGoogle Dart
Google Dart
 
Android JNI
Android JNIAndroid JNI
Android JNI
 
Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017 Rust Workshop - NITC FOSSMEET 2017
Rust Workshop - NITC FOSSMEET 2017
 
Getting started with C# Programming
Getting started with C# ProgrammingGetting started with C# Programming
Getting started with C# Programming
 
Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22Rust tutorial from Boston Meetup 2015-07-22
Rust tutorial from Boston Meetup 2015-07-22
 
Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)Rust: Reach Further (from QCon Sao Paolo 2018)
Rust: Reach Further (from QCon Sao Paolo 2018)
 
Guaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in RustGuaranteeing Memory Safety in Rust
Guaranteeing Memory Safety in Rust
 
Ts archiving
Ts archivingTs archiving
Ts archiving
 
Intro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY MeetupIntro to Rust from Applicative / NY Meetup
Intro to Rust from Applicative / NY Meetup
 
Python GC
Python GCPython GC
Python GC
 
Book
BookBook
Book
 
From C++ to Objective-C
From C++ to Objective-CFrom C++ to Objective-C
From C++ to Objective-C
 
Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)Fun with Lambdas: C++14 Style (part 2)
Fun with Lambdas: C++14 Style (part 2)
 
Rust "Hot or Not" at Sioux
Rust "Hot or Not" at SiouxRust "Hot or Not" at Sioux
Rust "Hot or Not" at Sioux
 
Node.js extensions in C++
Node.js extensions in C++Node.js extensions in C++
Node.js extensions in C++
 
Java 7
Java 7Java 7
Java 7
 
Objective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central DispatchObjective-C Blocks and Grand Central Dispatch
Objective-C Blocks and Grand Central Dispatch
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
 

Viewers also liked

Pointers & References in C++
Pointers & References in C++Pointers & References in C++
Pointers & References in C++Ilio Catallo
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Алексей Кутумов, Вектор с нуля
Алексей Кутумов, Вектор с нуляАлексей Кутумов, Вектор с нуля
Алексей Кутумов, Вектор с нуляSergey Platonov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyCODE BLUE
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 

Viewers also liked (20)

Pointers & References in C++
Pointers & References in C++Pointers & References in C++
Pointers & References in C++
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Алексей Кутумов, Вектор с нуля
Алексей Кутумов, Вектор с нуляАлексей Кутумов, Вектор с нуля
Алексей Кутумов, Вектор с нуля
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
Heat exchanger
Heat exchangerHeat exchanger
Heat exchanger
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 

Similar to HexRaysCodeXplorer: object oriented RE for fun and profit

Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...DefconRussia
 
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)PROIDEA
 
PDC Video on C# 4.0 Futures
PDC Video on C# 4.0 FuturesPDC Video on C# 4.0 Futures
PDC Video on C# 4.0 Futuresnithinmohantk
 
Introduction to c_plus_plus
Introduction to c_plus_plusIntroduction to c_plus_plus
Introduction to c_plus_plusSayed Ahmed
 
Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)Sayed Ahmed
 
Introduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicIntroduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicGieno Miao
 
Whats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoWhats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoPaulo Morgado
 
.Net Framework Introduction
.Net Framework Introduction.Net Framework Introduction
.Net Framework IntroductionAbhishek Sahu
 
Introduction to-csharp
Introduction to-csharpIntroduction to-csharp
Introduction to-csharpSDFG5
 
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...NALESVPMEngg
 
Introduction-to-Csharp.ppt
Introduction-to-Csharp.pptIntroduction-to-Csharp.ppt
Introduction-to-Csharp.pptAlmamoon
 
Introduction-to-Csharp.ppt
Introduction-to-Csharp.pptIntroduction-to-Csharp.ppt
Introduction-to-Csharp.pptmothertheressa
 
Dynamic Language Performance
Dynamic Language PerformanceDynamic Language Performance
Dynamic Language PerformanceKevin Hazzard
 
Oop lec 3(structures)
Oop lec 3(structures)Oop lec 3(structures)
Oop lec 3(structures)Asfand Hassan
 

Similar to HexRaysCodeXplorer: object oriented RE for fun and profit (20)

Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
 
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
4Developers 2018: Ile (nie) wiesz o strukturach w .NET (Łukasz Pyrzyk)
 
PDC Video on C# 4.0 Futures
PDC Video on C# 4.0 FuturesPDC Video on C# 4.0 Futures
PDC Video on C# 4.0 Futures
 
Clanguage
ClanguageClanguage
Clanguage
 
Introduction to c_plus_plus
Introduction to c_plus_plusIntroduction to c_plus_plus
Introduction to c_plus_plus
 
Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)Introduction to c_plus_plus (6)
Introduction to c_plus_plus (6)
 
Introduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamicIntroduction to c sharp 4.0 and dynamic
Introduction to c sharp 4.0 and dynamic
 
Whats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPontoWhats New In C# 4 0 - NetPonto
Whats New In C# 4 0 - NetPonto
 
Theory1&amp;2
Theory1&amp;2Theory1&amp;2
Theory1&amp;2
 
C language
C languageC language
C language
 
unit 1 (1).pptx
unit 1 (1).pptxunit 1 (1).pptx
unit 1 (1).pptx
 
.Net Framework Introduction
.Net Framework Introduction.Net Framework Introduction
.Net Framework Introduction
 
C#ppt
C#pptC#ppt
C#ppt
 
Introduction to-csharp
Introduction to-csharpIntroduction to-csharp
Introduction to-csharp
 
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
Introduction to Csharp (C-Sharp) is a programming language developed by Micro...
 
Introduction-to-Csharp.ppt
Introduction-to-Csharp.pptIntroduction-to-Csharp.ppt
Introduction-to-Csharp.ppt
 
Introduction-to-Csharp.ppt
Introduction-to-Csharp.pptIntroduction-to-Csharp.ppt
Introduction-to-Csharp.ppt
 
C language
C languageC language
C language
 
Dynamic Language Performance
Dynamic Language PerformanceDynamic Language Performance
Dynamic Language Performance
 
Oop lec 3(structures)
Oop lec 3(structures)Oop lec 3(structures)
Oop lec 3(structures)
 

Recently uploaded

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

HexRaysCodeXplorer: object oriented RE for fun and profit

  • 1. HexRaysCodeXplorer: object oriented RE for fun and profit Alexander Matrosov @matrosov Eugene Rodionov @vxradius
  • 2. C++ Code Reconstruction Problems Show problems on real examples (Flamer) HexRaysCodeXplorerv1.5 [H2HC Edition] Agenda
  • 3. C++ Code Reconstruction Problems Object identification Type reconstruction Class layout reconstruction Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls RTTI reconstruction Vftablereconstruction Associate vftableobject with exact object Class hierarchy reconstruction
  • 4. C++ Code Reconstruction Problems Class AvfPtra1() a2() A::vfTablemetaA::a1() A::a2() RTTI Object LocatorsignaturepTypeDescriptorpClassDescriptor
  • 7. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 8. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 9. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 10. Identify Smart Pointer Structure oSmart pointers oStrings oVectors to maintain the objects oCustom data types: wrappers tasks, triggers and etc.
  • 11. Data Types Being Used: Smart pointers typedefstructSMART_PTR { void *pObject;// pointer to the object int*RefNo;// reference counter };
  • 13. Data Types Being Used: Vectors structVECTOR { void *vTable;// pointer to the table intNumberOfItems;// self-explanatory intMaxSize;// self-explanatory void *vector;// pointer to buffer with elements }; oUsed to handle the objects: tasks triggers etc.
  • 14. Identify Exact Virtual Function Call in Vtable
  • 15. Identify Exact Virtual Function Call in Vtable
  • 16. Identify Custom Type Operations
  • 17. Data Types Being Used: Strings structUSTRING_STRUCT { void *vTable;// pointer to the table intRefNo;// reference counter intInitialized; wchar_t*UnicodeBuffer;// pointer to unicodestring char *AsciiBuffer;// pointer to ASCII string intAsciiLength;// length of the ASCII string intReserved; intLength;// Length of unicodestring intLengthMax;// Size of UnicodeBuffer };
  • 26. HexRaysCodeXplorerFeatures oHex-Rays decompilerplugin oThe plugin was designed to facilitate static analysis of: object oriented code position independent code oThe plugin allows to: navigate through decompiled virtual methods partially reconstruct object type
  • 27. Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
  • 28. Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
  • 29. Hex-Rays DecompilerPlugin SDK oType citem_tis a base class for: cexpr_t–expression type cinsn_t–statement type oExpressions have attached type information oStatements include: block, if, for, while, do, switch, return, goto, asm oHex-Rays provides iterators for traversing the citem_tobjects within ctreestructure: ctree_visitor_t ctree_parentee_t citem_tcexpr_tcinsn_t
  • 30. Hex-Rays Decompiler Plugin SDK o Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type o Expressions have attached type information o Statements include:  block, if, for, while, do, switch, return, goto, asm o Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
  • 33. HexRaysCodeXplorer: Virtual Methods The IDA’s ‘Local Types’ is used to represent object type
  • 34. Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
  • 35. Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
  • 36. HexRaysCodeXplorer: Object Type REconstruction oHex-Rays’sctreestructure may be used to partially reconstruct object type based on its initialization routine (constructor) oInput: pointer to the object instance object initialization routine entry point oOutput: C structure-like object representation
  • 37. HexRaysCodeXplorer: Object Type REconstruction citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.)
  • 38. HexRaysCodeXplorer: Object Type REconstruction //reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
  • 39. HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, …
  • 40. HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, … oType propagation for nested function calls
  • 41. HexRaysCodeXplorerv1.5 [H2HC Edition] oFeatures of v1.5 [H2HC Edition] : Better Type Reconstruction •Improvements for parsing citem_tobjects with PTR andASG statements •Recursive traversal of Ctreeto reconstruct Types hierarchy Navigate from Pseudo code window to Disassembly line Hints for Ctreeelements which point to Disassembly line Support for x64 version of Hex-Rays Decompiler Some bug fixes by user requests
  • 43. HexRaysCodeXplorer: -> What are the next goals? oDevelop the next version on IdaPython oFocus on the following features: Type reconstruction(C++, Objective-C) Type Navigation (C++, Objective-C) Vtablesparsing based on Hex-Rays API Ctreegraph navigation improvements Patterns for possible vulndetection
  • 45. Python Arsenal Contesthttp://2014.zeronights.org/contests/python-arsenal-contest.html Best exploit devtool/plugin/lib Best forensics tool/plugin/lib Best reversing tool/plugin/lib Best fuzzing tool/plugin/lib Best malware analysis tool/plugin/lib
  • 46. Thank you for your attention! HexRaysCodeXplorer http://REhints.com@REhints https://github.com/REhints/HexRaysCodeXplorer