Notes on using ida_medigate, an IDA plugin that assists with C++ class structure analysis

1. Download the plugin

IDA_medigate

2. Put medigate_cpp_plugin.py into IDA's plugins folder, and put plugins/ida-referee/referee.py from the repository into plugins as well.

3. Put the downloaded ida_medigate package into the Lib\site-packages\ directory of IDA's bundled python38

e.g. D:\IDA_Pro_7.7\python38\Lib\site-packages

4. Configure the plugin search path

In IDA, enter

import idaapi
idaapi.get_user_idadir()

which returns the path
'C:\Users\XXX\AppData\Roaming\Hex-Rays\IDA Pro'

Create a new idapythonrc.py in that directory

and add the code

import idaapi
idaapi.require('ida_medigate')

5. Error on startup

D:\IDA_Pro_7.7\plugins\medigate_cpp_plugin.py: [Errno 2] No such file or directory: 'D:\\tmp\\cpp_plugin.log'
Traceback (most recent call last):
  File "D:\IDA_Pro_7.7\python\3\ida_idaapi.py", line 580, in IDAPython_ExecScript
    exec(code, g)
  File "D:/IDA_Pro_7.7/plugins/medigate_cpp_plugin.py", line 2, in <module>
    from ida_medigate.cpp_plugin.plugin import CPPPlugin
  File "D:\IDA_Pro_7.7\python38\lib\site-packages\ida_medigate\cpp_plugin\plugin.py", line 4, in <module>
    from .hooks import CPPHooks, CPPUIHooks, HexRaysHooks
  File "D:\IDA_Pro_7.7\python38\lib\site-packages\ida_medigate\cpp_plugin\hooks.py", line 16, in <module>
    logging.basicConfig(
  File "logging\__init__.py", line 1988, in basicConfig
  File "logging\__init__.py", line 1147, in __init__
  File "logging\__init__.py", line 1176, in _open
FileNotFoundError: [Errno 2] No such file or directory: 'D:\\tmp\\cpp_plugin.log'

Create D:\tmp\cpp_plugin.log: the traceback shows that hooks.py opens this hard-coded log path when the plugin is imported, so the path has to exist before IDA loads the plugin.

6. Usage

Demo provided by the plugin author (with the missing #include and return statements added so it compiles cleanly)

#include <iostream>
using namespace std;

class A {
public:
    int x_a;
    virtual int f_a() = 0;          // pure virtual: A is abstract
};

class B : public A {
public:
    int x_b;
    int f_a() { x_a = 0; return x_a; }
    virtual int f_b() { return this->f_a(); }
};

class Z {
public:
    virtual int f_z1() { cout << "f_z1"; return 0; }
    virtual int f_z2() { cout << "f_z2"; return 0; }
};

// Multiple inheritance: C carries two vptrs, one for the B/A chain at offset 0
// and one for the Z subobject (the second vtable the plugin builds for C).
class C : public B, public Z {
public:
    int f_a() { x_a = 5; return x_a; }
    int x_c;
    int f_c() { x_c = 0; return x_c; }
    virtual int f_z1() { cout << "f_z3"; return 0; }
};

int main()
{
    C *c = new C();
    c->f_a();
    c->f_b();
    c->f_z1();
    c->f_z2();
    return 0;
}

7. Automatically building the class hierarchy

In the IDA command window, enter

from ida_medigate.rtti_parser import GccRTTIParser

GccRTTIParser.init_parser()

GccRTTIParser.build_all()

Then check D:\tmp\cpp_plugin.log for the log output

2023-07-03 15:23:00,589 - DEBUG - Starting :12344 0x3038
2023-07-03 15:23:00,590 - INFO - C: Parsed typeinfo
2023-07-03 15:23:00,590 - INFO - B: Parsed typeinfo
2023-07-03 15:23:00,590 - INFO - A: Parsed typeinfo
2023-07-03 15:23:00,590 - DEBUG - A: Finish setup parents
2023-07-03 15:23:00,590 - DEBUG - create_vtable_struct(A, 0)
2023-07-03 15:23:00,590 - DEBUG - Couldn't found parent vtable A 0
2023-07-03 15:23:00,591 - ERROR - Couldn't decompile 0x3034
Traceback (most recent call last):
  File "D:\IDA_Pro_7.7\python38\lib\site-packages\ida_medigate\cpp_utils.py", line 293, in update_func_this
    func_details = utils.get_func_details(func_ea)
  File "D:\IDA_Pro_7.7\python38\lib\site-packages\ida_medigate\utils.py", line 101, in get_func_details
    xfunc = ida_hexrays.decompile(func_ea)
  File "D:\IDA_Pro_7.7\python\3\ida_hexrays.py", line 25850, in decompile
    raise DecompilationFailure(hf)
ida_hexrays.DecompilationFailure: Decompilation failed: 3034: special segments cannot be decompiled
2023-07-03 15:23:00,596 - DEBUG - B: Finish setup parents
2023-07-03 15:23:00,597 - DEBUG - Is struct!
2023-07-03 15:23:00,597 - DEBUG - Is struct: A/4278190317
2023-07-03 15:23:00,597 - DEBUG - create_vtable_struct(B, 0)
2023-07-03 15:23:00,597 - DEBUG - Found parent vtable B 0
2023-07-03 15:23:00,597 - DEBUG - add_child_vtable (A, B, 4278190323)
2023-07-03 15:23:00,598 - DEBUG - pointed_struct: <ida_struct.struc_t; proxy of <Swig Object of type 'struc_t *' at 0x0000012F07938450> >
2023-07-03 15:23:00,598 - DEBUG - A vtable isn't union -> unionize it!
2023-07-03 15:23:00,598 - DEBUG - install_vtables_union(A, <ida_struct.member_t; proxy of <Swig Object of type 'member_t *' at 0x0000012F07938210> >, A_vtbl *)
2023-07-03 15:23:00,598 - DEBUG - Is struct!
2023-07-03 15:23:00,598 - DEBUG - Is struct: A_vtbl_orig/4278190318
2023-07-03 15:23:00,599 - DEBUG - add_to_struct 4278190324 B_vtbl
2023-07-03 15:23:00,599 - DEBUG - Is struct!
2023-07-03 15:23:00,599 - DEBUG - Is struct: B_vtbl/4278190323
2023-07-03 15:23:00,602 - DEBUG - analyzing function at 0x98E
2023-07-03 15:23:00,602 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,603 - DEBUG - Overwriting!
2023-07-03 15:23:00,607 - DEBUG - analyzing function at 0x9A8
2023-07-03 15:23:00,607 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,609 - INFO - Z: Parsed typeinfo
2023-07-03 15:23:00,609 - DEBUG - Z: Finish setup parents
2023-07-03 15:23:00,609 - DEBUG - create_vtable_struct(Z, 0)
2023-07-03 15:23:00,609 - DEBUG - Couldn't found parent vtable Z 0
2023-07-03 15:23:00,618 - DEBUG - analyzing function at 0x9CE
2023-07-03 15:23:00,618 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,623 - DEBUG - analyzing function at 0xA00
2023-07-03 15:23:00,623 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,624 - DEBUG - C: Finish setup parents
2023-07-03 15:23:00,624 - DEBUG - Is struct!
2023-07-03 15:23:00,624 - DEBUG - Is struct: B/4278190321
2023-07-03 15:23:00,625 - DEBUG - Expanding struc B 0x4 -> 0xc
2023-07-03 15:23:00,625 - DEBUG - Delete member (0x4dfe0000-0x4dfe000b)
2023-07-03 15:23:00,625 - DEBUG - Now fix args:
2023-07-03 15:23:00,625 - DEBUG - [4278190334, 'baseclass_0', 0, 1610613760, 4278190321, 12] = -2
2023-07-03 15:23:00,625 - DEBUG - Is struct!
2023-07-03 15:23:00,626 - DEBUG - Is struct: Z/4278190329
2023-07-03 15:23:00,626 - DEBUG - create_vtable_struct(C, 0)
2023-07-03 15:23:00,626 - DEBUG - Found parent vtable C 0
2023-07-03 15:23:00,626 - DEBUG - add_child_vtable (B, C, 4278190338)
2023-07-03 15:23:00,626 - DEBUG - pointed_struct: <ida_struct.struc_t; proxy of <Swig Object of type 'struc_t *' at 0x0000012F07938030> >
2023-07-03 15:23:00,626 - DEBUG - Not a struct vtable: A
2023-07-03 15:23:00,626 - DEBUG - B vtable isn't union -> unionize it!
2023-07-03 15:23:00,627 - DEBUG - install_vtables_union(B, None, A)
2023-07-03 15:23:00,627 - DEBUG - Is struct!
2023-07-03 15:23:00,627 - DEBUG - Is struct: B_vtbl_orig/4278190323
2023-07-03 15:23:00,627 - DEBUG - add_to_struct 4278190339 C_vtbl
2023-07-03 15:23:00,627 - DEBUG - Is struct!
2023-07-03 15:23:00,627 - DEBUG - Is struct: C_vtbl/4278190338
2023-07-03 15:23:00,628 - DEBUG - add_child_vtable (A, C, 4278190338)
2023-07-03 15:23:00,628 - DEBUG - pointed_struct: <ida_struct.struc_t; proxy of <Swig Object of type 'struc_t *' at 0x0000012F07938330> >
2023-07-03 15:23:00,628 - DEBUG - add_to_struct 4278190324 C_vtbl
2023-07-03 15:23:00,628 - DEBUG - Is struct!
2023-07-03 15:23:00,628 - DEBUG - Is struct: C_vtbl/4278190338
2023-07-03 15:23:00,631 - DEBUG - analyzing function at 0xA32
2023-07-03 15:23:00,631 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,632 - DEBUG - Overwriting!
2023-07-03 15:23:00,635 - DEBUG - analyzing function at 0x9A8
2023-07-03 15:23:00,635 - DEBUG - Loaded 0 xrefs
2023-07-03 15:23:00,635 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,635 - DEBUG -  0x9BD 	struct B_vtbl_orig 	dr_R | XREF_USER
2023-07-03 15:23:00,635 - DEBUG -  0x9BD 	member B_vtbl_orig.B__sub_98E 	dr_R | XREF_USER
2023-07-03 15:23:00,635 - DEBUG -  0x9BD 	struct B_vtbl 	dr_R | XREF_USER
2023-07-03 15:23:00,636 - DEBUG -  0x9BD 	member B_vtbl.B 	dr_R | XREF_USER
2023-07-03 15:23:00,636 - DEBUG -  0x9BD 	struct B 	dr_R | XREF_USER
2023-07-03 15:23:00,636 - DEBUG -  0x9BD 	member B.baseclass_0 	dr_R | XREF_USER
2023-07-03 15:23:00,639 - DEBUG - analyzing function at 0x9A8
2023-07-03 15:23:00,639 - DEBUG - Loaded 6 xrefs
2023-07-03 15:23:00,639 - DEBUG - Cleared 6 xrefs
2023-07-03 15:23:00,639 - DEBUG -  0x9BD 	struct B_vtbl_orig 	dr_R | XREF_USER
2023-07-03 15:23:00,639 - DEBUG -  0x9BD 	member B_vtbl_orig.B__sub_98E 	dr_R | XREF_USER
2023-07-03 15:23:00,640 - DEBUG -  0x9BD 	struct B_vtbl 	dr_R | XREF_USER
2023-07-03 15:23:00,640 - DEBUG -  0x9BD 	member B_vtbl.B 	dr_R | XREF_USER
2023-07-03 15:23:00,640 - DEBUG -  0x9BD 	struct B 	dr_R | XREF_USER
2023-07-03 15:23:00,640 - DEBUG -  0x9BD 	member B.baseclass_0 	dr_R | XREF_USER
2023-07-03 15:23:00,644 - DEBUG - analyzing function at 0xA4C
2023-07-03 15:23:00,645 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,646 - DEBUG - create_vtable_struct(C, 12)
2023-07-03 15:23:00,646 - DEBUG - Found parent vtable C 12
2023-07-03 15:23:00,647 - DEBUG - add_child_vtable (Z, C, 4278190346)
2023-07-03 15:23:00,647 - DEBUG - pointed_struct: <ida_struct.struc_t; proxy of <Swig Object of type 'struc_t *' at 0x0000012F07938030> >
2023-07-03 15:23:00,647 - DEBUG - Z vtable isn't union -> unionize it!
2023-07-03 15:23:00,647 - DEBUG - install_vtables_union(Z, <ida_struct.member_t; proxy of <Swig Object of type 'member_t *' at 0x0000012F07938060> >, Z_vtbl *)
2023-07-03 15:23:00,647 - DEBUG - Is struct!
2023-07-03 15:23:00,647 - DEBUG - Is struct: Z_vtbl_orig/4278190330
2023-07-03 15:23:00,648 - DEBUG - add_to_struct 4278190347 C_000C_vtbl
2023-07-03 15:23:00,648 - DEBUG - Is struct!
2023-07-03 15:23:00,648 - DEBUG - Is struct: C_000C_vtbl/4278190346
2023-07-03 15:23:00,650 - DEBUG - analyzing function at 0xA7E
2023-07-03 15:23:00,650 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,651 - DEBUG - Overwriting!
2023-07-03 15:23:00,654 - DEBUG - analyzing function at 0xA00
2023-07-03 15:23:00,654 - DEBUG - Loaded 0 xrefs
2023-07-03 15:23:00,654 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,658 - DEBUG - analyzing function at 0xA00
2023-07-03 15:23:00,658 - DEBUG - Loaded 0 xrefs
2023-07-03 15:23:00,658 - DEBUG - Cleared 0 xrefs
2023-07-03 15:23:00,659 - INFO - Done 12344
2023-07-03 15:23:00,659 - DEBUG - Starting :12336 0x3030
2023-07-03 15:23:00,659 - INFO - Done 12336
2023-07-03 15:23:00,659 - DEBUG - Starting :12320 0x3020
2023-07-03 15:23:00,659 - INFO - Done 12320
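To check a build_all() run without reading the whole log by hand, here is an added Python script (not part of the plugin or of this post) that parses the cpp_plugin.log line format shown above and reconstructs which classes had their typeinfo parsed, which class inherits vtables from which, which class got a second vtable at a non-zero offset (C at offset 12, its Z subobject), and which addresses the decompiler refused. SAMPLE_LOG is a constructed excerpt of the log above, embedded so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed excerpt of the cpp_plugin.log format shown above, embedded so the
# script runs offline; replace with open(r"D:\tmp\cpp_plugin.log").read().
SAMPLE_LOG = """\
2023-07-03 15:23:00,590 - INFO - C: Parsed typeinfo
2023-07-03 15:23:00,590 - INFO - B: Parsed typeinfo
2023-07-03 15:23:00,590 - INFO - A: Parsed typeinfo
2023-07-03 15:23:00,591 - ERROR - Couldn't decompile 0x3034
Traceback (most recent call last):
2023-07-03 15:23:00,597 - DEBUG - add_child_vtable (A, B, 4278190323)
2023-07-03 15:23:00,609 - INFO - Z: Parsed typeinfo
2023-07-03 15:23:00,626 - DEBUG - create_vtable_struct(C, 0)
2023-07-03 15:23:00,626 - DEBUG - add_child_vtable (B, C, 4278190338)
2023-07-03 15:23:00,628 - DEBUG - add_child_vtable (A, C, 4278190338)
2023-07-03 15:23:00,646 - DEBUG - create_vtable_struct(C, 12)
2023-07-03 15:23:00,647 - DEBUG - add_child_vtable (Z, C, 4278190346)
"""

LINE_RE = re.compile(r"^\S+ \S+ - (?P<level>\w+) - (?P<msg>.*)$")
PARSED_RE = re.compile(r"^(\w+): Parsed typeinfo$")
VTABLE_RE = re.compile(r"^create_vtable_struct\((\w+), (\d+)\)$")
CHILD_RE = re.compile(r"^add_child_vtable \((\w+), (\w+), \d+\)$")
DECOMP_RE = re.compile(r"^Couldn't decompile (0x[0-9A-Fa-f]+)$")

def parse_log(text):
    """Summarise a build_all() run: parsed classes, vtable offsets, ancestry, errors."""
    classes, offsets, parents, errors = [], defaultdict(set), defaultdict(set), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # traceback lines carry no timestamp prefix; skip them
        msg = m.group("msg")
        if (p := PARSED_RE.match(msg)):
            classes.append(p.group(1))
        elif (v := VTABLE_RE.match(msg)):
            offsets[v.group(1)].add(int(v.group(2)))
        elif (c := CHILD_RE.match(msg)):
            parents[c.group(2)].add(c.group(1))  # child inherits parent's vtable
        elif (d := DECOMP_RE.match(msg)):
            errors.append(int(d.group(1), 16))
    return {"classes": classes, "vtable_offsets": dict(offsets),
            "parents": dict(parents), "decompile_errors": errors}

def multiple_inheritance_classes(summary):
    """Classes with a vtable at a non-zero offset: a second vptr for a non-primary base."""
    return sorted(c for c, offs in summary["vtable_offsets"].items() if offs - {0})
```

A decompile error listed by parse_log (0x3034 here) is worth cross-checking in IDA, because the plugin skips updating the this-type of that function.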

View the structures in IDA
(image 1)

Find the function sub_84A, press Y, and change the type of v0 to C
(image 2)
The class and virtual function types are mostly all recognised correctly
(image 3)

8. Manually building the class hierarchy

Select the virtual function table manually, then enter the commands in the command line window

from ida_medigate import cpp_utils

cpp_utils.make_vtable("B")

(image 4)

9. Setting inheritance

cpp_utils.add_baseclass("C", "B")

10. Summary

When using the plugin, setting up classes manually sometimes crashes IDA, and I could not reproduce exactly the result the author's demo shows.
For analysing C++ programs, this plugin is nevertheless very helpful.
