SlideShare a Scribd company logo

HexRaysCodeXplorer: object oriented RE for fun and profit

Alex Matrosov, profile picture
Alex Matrosov

The document discusses the Hex-Rays Code Explorer, a tool designed for the analysis and reconstruction of C++ code, focusing on object-oriented programming challenges such as object identification, type reconstruction, and virtual function call identification. It highlights the features of version 1.5, including improvements in parsing and navigation, and outlines future development goals like enhancing type navigation and vtable parsing. The tool is positioned as a valuable resource for static analysis of complex code and malware analysis.

Technology
1 of 46
Downloaded 33 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
HexRaysCodeXplorer: object oriented RE for fun and profit Alexander Matrosov @matrosov Eugene Rodionov @vxradius
C++ Code Reconstruction Problems Show problems on real examples (Flamer) HexRaysCodeXplorerv1.5 [H2HC Edition] Agenda
C++ Code Reconstruction Problems Object identification Type reconstruction Class layout reconstruction Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls RTTI reconstruction Vftablereconstruction Associate vftableobject with exact object Class hierarchy reconstruction
C++ Code Reconstruction Problems Class AvfPtra1() a2() A::vfTablemetaA::a1() A::a2() RTTI Object LocatorsignaturepTypeDescriptorpClassDescriptor
C++ Code Reconstruction Problems
REconstructingFlamer Framework
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
Identify Smart Pointer Structure oSmart pointers oStrings oVectors to maintain the objects oCustom data types: wrappers tasks, triggers and etc.
Data Types Being Used: Smart pointers typedefstructSMART_PTR { void *pObject;// pointer to the object int*RefNo;// reference counter };
Identify Smart Pointer Structure
Data Types Being Used: Vectors structVECTOR { void *vTable;// pointer to the table intNumberOfItems;// self-explanatory intMaxSize;// self-explanatory void *vector;// pointer to buffer with elements }; oUsed to handle the objects: tasks triggers etc.
Identify Exact Virtual Function Call in Vtable
Identify Exact Virtual Function Call in Vtable
Identify Custom Type Operations
Data Types Being Used: Strings structUSTRING_STRUCT { void *vTable;// pointer to the table intRefNo;// reference counter intInitialized; wchar_t*UnicodeBuffer;// pointer to unicodestring char *AsciiBuffer;// pointer to ASCII string intAsciiLength;// length of the ASCII string intReserved; intLength;// Length of unicodestring intLengthMax;// Size of UnicodeBuffer };
Identify Objects Constructors
Identify Objects Constructors
REconstructingObject’s Attributes
REconstructingObject’s Attributes
REconstructingObject’s Methods
REconstructingObject’s Methods
HexRaysCodeXplorer
HexRaysCodeXplorerv1.0: released in 2013 at REcon
HexRaysCodeXplorerFeatures oHex-Rays decompilerplugin oThe plugin was designed to facilitate static analysis of: object oriented code position independent code oThe plugin allows to: navigate through decompiled virtual methods partially reconstruct object type
Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
Hex-Rays DecompilerPlugin SDK oType citem_tis a base class for: cexpr_t–expression type cinsn_t–statement type oExpressions have attached type information oStatements include: block, if, for, while, do, switch, return, goto, asm oHex-Rays provides iterators for traversing the citem_tobjects within ctreestructure: ctree_visitor_t ctree_parentee_t citem_tcexpr_tcinsn_t
Hex-Rays Decompiler Plugin SDK o Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type o Expressions have attached type information o Statements include:  block, if, for, while, do, switch, return, goto, asm o Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
DEMO time :)
HexRaysCodeXplorer: GapzPosition Independent Code
HexRaysCodeXplorer: Virtual Methods The IDA’s ‘Local Types’ is used to represent object type
Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
HexRaysCodeXplorer: Object Type REconstruction oHex-Rays’sctreestructure may be used to partially reconstruct object type based on its initialization routine (constructor) oInput: pointer to the object instance object initialization routine entry point oOutput: C structure-like object representation
HexRaysCodeXplorer: Object Type REconstruction citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.)
HexRaysCodeXplorer: Object Type REconstruction //reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, …
HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, … oType propagation for nested function calls
HexRaysCodeXplorerv1.5 [H2HC Edition] oFeatures of v1.5 [H2HC Edition] : Better Type Reconstruction •Improvements for parsing citem_tobjects with PTR andASG statements •Recursive traversal of Ctreeto reconstruct Types hierarchy Navigate from Pseudo code window to Disassembly line Hints for Ctreeelements which point to Disassembly line Support for x64 version of Hex-Rays Decompiler Some bug fixes by user requests
DEMO time :)
HexRaysCodeXplorer: -> What are the next goals? oDevelop the next version on IdaPython oFocus on the following features: Type reconstruction(C++, Objective-C) Type Navigation (C++, Objective-C) Vtablesparsing based on Hex-Rays API Ctreegraph navigation improvements Patterns for possible vulndetection
Why python?
Python Arsenal Contesthttp://2014.zeronights.org/contests/python-arsenal-contest.html Best exploit devtool/plugin/lib Best forensics tool/plugin/lib Best reversing tool/plugin/lib Best fuzzing tool/plugin/lib Best malware analysis tool/plugin/lib
Thank you for your attention! HexRaysCodeXplorer http://REhints.com@REhints https://github.com/REhints/HexRaysCodeXplorer

More Related Content

PDF
[PUBLIC] Git – Concepts and Workflows.pdf
ChimaEzeamama1
 
PPTX
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
PPTX
Git basics to advance with diagrams
Dilum Navanjana
 
KEY
Git and GitHub
James Gray
 
PDF
Git and Github
Wen-Tien Chang
 
PPTX
Abc of docker
shohan_slideshare
 
PDF
Git for beginners
Arulmurugan Rajaraman
 
PPTX
Git 101 for Beginners
Anurag Upadhaya
 
[PUBLIC] Git – Concepts and Workflows.pdf
ChimaEzeamama1
 
Object Oriented Code RE with HexraysCodeXplorer
Alex Matrosov
 
Git basics to advance with diagrams
Dilum Navanjana
 
Git and GitHub
James Gray
 
Git and Github
Wen-Tien Chang
 
Abc of docker
shohan_slideshare
 
Git for beginners
Arulmurugan Rajaraman
 
Git 101 for Beginners
Anurag Upadhaya
 

What's hot (20)

PDF
Openhab Grafana and Influxdb
Code-House
 
PDF
[NDC16] Effective Git
Chanwoong Kim
 
PDF
Jenkins with Unity3d & Android
종국 임
 
PDF
Docker multi-stage build
Alexei Ledenev
 
PPT
Introduction to Git and Github
Somkiat Puisungnoen
 
PDF
Version Control System - Git
Carlo Bernaschina
 
PDF
Git & Github for beginners
Paulo Henrique Nonaka
 
DOCX
Bitbucket
hariprasad1035
 
PPTX
Kafka timestamp offset
DaeMyung Kang
 
PPTX
Git in 10 minutes
Safique Ahmed Faruque
 
PDF
Git - An Introduction
Behzad Altaf
 
PPTX
Introduction to Git and GitHub Part 1
Omar Fathy
 
PPTX
Git and GitHub
Md. Ahsan Habib Nayan
 
PDF
Front end architecture
Remus Langu
 
PDF
Git flow
Valerio Como
 
PDF
Getting Git Right
Sven Peters
 
PDF
Git and GitHub for Documentation
Anne Gentle
 
KEY
Introduction to Git
Lukas Fittl
 
PPTX
Intro to git and git hub
Venkat Malladi
 
PDF
Git in a nutshell
Pranesh Vittal
 
Openhab Grafana and Influxdb
Code-House
 
[NDC16] Effective Git
Chanwoong Kim
 
Jenkins with Unity3d & Android
종국 임
 
Docker multi-stage build
Alexei Ledenev
 
Introduction to Git and Github
Somkiat Puisungnoen
 
Version Control System - Git
Carlo Bernaschina
 
Git & Github for beginners
Paulo Henrique Nonaka
 
Bitbucket
hariprasad1035
 
Kafka timestamp offset
DaeMyung Kang
 
Git in 10 minutes
Safique Ahmed Faruque
 
Git - An Introduction
Behzad Altaf
 
Introduction to Git and GitHub Part 1
Omar Fathy
 
Git and GitHub
Md. Ahsan Habib Nayan
 
Front end architecture
Remus Langu
 
Git flow
Valerio Como
 
Getting Git Right
Sven Peters
 
Git and GitHub for Documentation
Anne Gentle
 
Introduction to Git
Lukas Fittl
 
Intro to git and git hub
Venkat Malladi
 
Git in a nutshell
Pranesh Vittal
 
Ad

Viewers also liked (20)

PDF
Pointers & References in C++
Ilio Catallo
 
PDF
Festi botnet analysis and investigation
Alex Matrosov
 
PDF
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 
PPTX
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
PDF
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
 
PDF
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
PPTX
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
PDF
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
PPTX
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
PDF
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
PPTX
Алексей Кутумов, Вектор с нуля
Sergey Platonov
 
PDF
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
PDF
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
DOCX
42054960
andres castillo
 
PDF
Smartcard vulnerabilities in modern banking malware
Alex Matrosov
 
PDF
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
PPTX
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
PDF
Bootkits: past, present & future
Alex Matrosov
 
PDF
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov
 
PPT
Heat exchanger
Eman Abdel Raouf
 
Pointers & References in C++
Ilio Catallo
 
Festi botnet analysis and investigation
Alex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Alex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Alex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Алексей Кутумов, Вектор с нуля
Sergey Platonov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
42054960
andres castillo
 
Smartcard vulnerabilities in modern banking malware
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Alex Matrosov
 
Bootkits: past, present & future
Alex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Alex Matrosov
 
Heat exchanger
Eman Abdel Raouf
 
Ad

Similar to HexRaysCodeXplorer: object oriented RE for fun and profit (20)

PDF
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
DefconRussia
 
PDF
Half-automatic Compilable Source Code Recovery
Joxean Koret
 
PDF
Introduction to HDF5 Data Model, Programming Model and Library APIs
The HDF-EOS Tools and Information Center
 
PPT
HDF5 Abstract Data Model
The HDF-EOS Tools and Information Center
 
PDF
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
DefconRussia
 
PDF
Introduction to HDF5 Data Model, Programming Model and Library APIs
The HDF-EOS Tools and Information Center
 
PDF
Static analysis for beginners
Antonio Costa aka Cooler_
 
PPT
Introduction to HDF5 Data Model, Programming Model and Library APIs
The HDF-EOS Tools and Information Center
 
PDF
C++ CoreHard Autumn 2018. Debug C++ Without Running - Anastasia Kazakova
corehard_by
 
PDF
Type Profiler: An Analysis to guess type signatures
mametter
 
PDF
Overloading in Overdrive: A Generic Data-Centric Messaging Library for DDS
Sumant Tambe
 
PDF
[E-Dev-Day-US-2015][8/9] he EFL API in Review (Tom Hacohen)
EnlightenmentProject
 
PPT
What will be new in HDF5?
The HDF-EOS Tools and Information Center
 
PDF
Eo fosdem 15
Samsung Open Source Group
 
PDF
C++ Interview Questions and Answers PDF By ScholarHat
Scholarhat
 
PDF
Reverse_Engineering_of_binary_File_Formats.pdf
TrippLilley
 
PDF
Pseudo dynamic immutable records in C++
ant_pt
 
PPT
9780324782011_PPT_ch09.ppt
ValhallaExcalibur
 
PDF
Knowing your Python Garbage Collector
fcofdezc
 
PDF
C,c++ interview q&a
Kumaran K
 
Aleksandr Matrosov, Eugene Rodionov - HexRaysCodeXplorer make object-oriented...
DefconRussia
 
Half-automatic Compilable Source Code Recovery
Joxean Koret
 
Introduction to HDF5 Data Model, Programming Model and Library APIs
The HDF-EOS Tools and Information Center
 
HDF5 Abstract Data Model
The HDF-EOS Tools and Information Center
 
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
DefconRussia
 
Introduction to HDF5 Data Model, Programming Model and Library APIs
The HDF-EOS Tools and Information Center
 
Static analysis for beginners
Antonio Costa aka Cooler_
 
Introduction to HDF5 Data Model, Programming Model and Library APIs
The HDF-EOS Tools and Information Center
 
C++ CoreHard Autumn 2018. Debug C++ Without Running - Anastasia Kazakova
corehard_by
 
Type Profiler: An Analysis to guess type signatures
mametter
 
Overloading in Overdrive: A Generic Data-Centric Messaging Library for DDS
Sumant Tambe
 
[E-Dev-Day-US-2015][8/9] he EFL API in Review (Tom Hacohen)
EnlightenmentProject
 
What will be new in HDF5?
The HDF-EOS Tools and Information Center
 
Eo fosdem 15
Samsung Open Source Group
 
C++ Interview Questions and Answers PDF By ScholarHat
Scholarhat
 
Reverse_Engineering_of_binary_File_Formats.pdf
TrippLilley
 
Pseudo dynamic immutable records in C++
ant_pt
 
9780324782011_PPT_ch09.ppt
ValhallaExcalibur
 
Knowing your Python Garbage Collector
fcofdezc
 
C,c++ interview q&a
Kumaran K
 

Recently uploaded (20)

PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 

HexRaysCodeXplorer: object oriented RE for fun and profit

  • 1. HexRaysCodeXplorer: object oriented RE for fun and profit Alexander Matrosov @matrosov Eugene Rodionov @vxradius
  • 2. C++ Code Reconstruction Problems Show problems on real examples (Flamer) HexRaysCodeXplorerv1.5 [H2HC Edition] Agenda
  • 3. C++ Code Reconstruction Problems Object identification Type reconstruction Class layout reconstruction Identify constructors/destructors Identify class members Local/global type reconstruction Associate object with exact method calls RTTI reconstruction Vftablereconstruction Associate vftableobject with exact object Class hierarchy reconstruction
  • 4. C++ Code Reconstruction Problems Class AvfPtra1() a2() A::vfTablemetaA::a1() A::a2() RTTI Object LocatorsignaturepTypeDescriptorpClassDescriptor
  • 7. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 8. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 9. An overview of the Flamer Framework Vector<Command Executor> DB_Query ClanCmd Vector<Task> IDLER CmdExec Vector<DelayedTasks> Euphoria Share Supplier Vector<Consumer> Mobile Consumer Cmd Consumer Sniffer Munch FileFinder FileCollect Driller GetConfig LSS Sender Frog Beetlejuice Lua Consumer Media Consumer http://www.welivesecurity.com/2012/08/02/flamer-analysis-framework-reconstruction/
  • 10. Identify Smart Pointer Structure oSmart pointers oStrings oVectors to maintain the objects oCustom data types: wrappers tasks, triggers and etc.
  • 11. Data Types Being Used: Smart pointers typedefstructSMART_PTR { void *pObject;// pointer to the object int*RefNo;// reference counter };
  • 13. Data Types Being Used: Vectors structVECTOR { void *vTable;// pointer to the table intNumberOfItems;// self-explanatory intMaxSize;// self-explanatory void *vector;// pointer to buffer with elements }; oUsed to handle the objects: tasks triggers etc.
  • 14. Identify Exact Virtual Function Call in Vtable
  • 15. Identify Exact Virtual Function Call in Vtable
  • 16. Identify Custom Type Operations
  • 17. Data Types Being Used: Strings structUSTRING_STRUCT { void *vTable;// pointer to the table intRefNo;// reference counter intInitialized; wchar_t*UnicodeBuffer;// pointer to unicodestring char *AsciiBuffer;// pointer to ASCII string intAsciiLength;// length of the ASCII string intReserved; intLength;// Length of unicodestring intLengthMax;// Size of UnicodeBuffer };
  • 26. HexRaysCodeXplorerFeatures oHex-Rays decompilerplugin oThe plugin was designed to facilitate static analysis of: object oriented code position independent code oThe plugin allows to: navigate through decompiled virtual methods partially reconstruct object type
  • 27. Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
  • 28. Hex-Rays DecompilerPlugin SDK oAt the heart of the decompilerlies ctreestructure: syntax tree structure consists of citem_tobjects there are 9 maturity levels of the ctreestructure
  • 29. Hex-Rays DecompilerPlugin SDK oType citem_tis a base class for: cexpr_t–expression type cinsn_t–statement type oExpressions have attached type information oStatements include: block, if, for, while, do, switch, return, goto, asm oHex-Rays provides iterators for traversing the citem_tobjects within ctreestructure: ctree_visitor_t ctree_parentee_t citem_tcexpr_tcinsn_t
  • 30. Hex-Rays Decompiler Plugin SDK o Type citem_t is a base class for:  cexpr_t – expression type  cinsn_t – statement type o Expressions have attached type information o Statements include:  block, if, for, while, do, switch, return, goto, asm o Hex-Rays provides iterators for traversing the citem_t objects within ctree structure:  ctree_visitor_t  ctree_parentee_t citem_t cexpr_t cinsn_t
  • 33. HexRaysCodeXplorer: Virtual Methods The IDA’s ‘Local Types’ is used to represent object type
  • 34. Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
  • 35. Hex-Rays decompilerplugin is used to navigate through the virtual methods HexRaysCodeXplorer: Virtual Methods
  • 36. HexRaysCodeXplorer: Object Type REconstruction oHex-Rays’sctreestructure may be used to partially reconstruct object type based on its initialization routine (constructor) oInput: pointer to the object instance object initialization routine entry point oOutput: C structure-like object representation
  • 37. HexRaysCodeXplorer: Object Type REconstruction citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.)
  • 38. HexRaysCodeXplorer: Object Type REconstruction //reference of DWORD at offset 12 in buffer a1 *(DWORD *)(a1 + 12) = 0xEFCDAB89;
  • 39. HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, …
  • 40. HexRaysCodeXplorerv1.5 [H2HC Edition] oNew citem_tobjects to monitor: memptr idx memref call (LOBYTE, etc.) ptr, asg, … oType propagation for nested function calls
  • 41. HexRaysCodeXplorerv1.5 [H2HC Edition] oFeatures of v1.5 [H2HC Edition] : Better Type Reconstruction •Improvements for parsing citem_tobjects with PTR andASG statements •Recursive traversal of Ctreeto reconstruct Types hierarchy Navigate from Pseudo code window to Disassembly line Hints for Ctreeelements which point to Disassembly line Support for x64 version of Hex-Rays Decompiler Some bug fixes by user requests
  • 43. HexRaysCodeXplorer: -> What are the next goals? oDevelop the next version on IdaPython oFocus on the following features: Type reconstruction(C++, Objective-C) Type Navigation (C++, Objective-C) Vtablesparsing based on Hex-Rays API Ctreegraph navigation improvements Patterns for possible vulndetection
  • 45. Python Arsenal Contesthttp://2014.zeronights.org/contests/python-arsenal-contest.html Best exploit devtool/plugin/lib Best forensics tool/plugin/lib Best reversing tool/plugin/lib Best fuzzing tool/plugin/lib Best malware analysis tool/plugin/lib
  • 46. Thank you for your attention! HexRaysCodeXplorer http://REhints.com@REhints https://github.com/REhints/HexRaysCodeXplorer