Package contents¶

devirtualize.graph module¶

devirtualize.itanium module¶

This modules implements vtable, vtablegroup and typeinfo for the Itanium ABI. For reference, read https://mentorembedded.github.io/cxx-abi/abi.html.

class devirtualize.itanium.ItaniumTypeInfo(ea)[source]¶

ItaniumTypeInfo is the RTTI typeinfo representation for the Itanium ABI.

ea = None¶: The address of the start of this RTTI object

name = None¶: The name present in this RTTI entry

parents = None¶: A list (in inheritance order) of the parent RTTI objects

class devirtualize.itanium.ItaniumVTableGroup(ea)[source]¶

A group of consecutive vtables in the Itanium ABI

ea = None¶: Start address of the table group

primary_table()[source]¶: Same as self.tables[0]

size¶: The size in bytes of this table group

tables = None¶: A list of the tables comprising this group

typeinfo¶: A handle to the typeinfo for the primary table (and so, the full object associated with this table group).

class devirtualize.itanium.ItaniumVtable(ea)[source]¶

The Vtable representation for the Itanium ABI

address_point = None¶: The address of the start of the function array

ea = None¶: The address of the start of this vtable

functions = None¶: A list of function addresses in this vtable (some may be NULL)

offset_to_top = None¶: The offset to the top of the object for a subobject with this vtable

size = None¶: The size in bytes of this vtable

str_ea¶: A string representation of self.ea, in hex. (Clickable when printed in IDA)

typeinfo = None¶: Handle to the RTTI object associated with this vtable (if any)

devirtualize.type module¶

This module defines the generic Type interface for different ABIs.

class devirtualize.type.Type(tablegroup=None, typeinfo=None)[source]¶

This is the fundamental type in Devirtualize. Type is a flexible representation of a type that existed during compilation. Such a type may be discovered via RTTI or the presence of a TableGroup.

ancestors¶

A tree of the parent types for this type (and their parents, etc).

For a heirarchy like this:

A   B
 \ /
  C   D
   \ /
    E

E’s ancestors will be the nested dictionaries:

{
  C: {
    A: {},
    B: {}
  },
  D: {}
}

Warning

Remember that dictionary traversal is not ordered, so the first item in the ancestors dictionary is not necessarily the first parent in the parents list.

build_struct()[source]¶: Creates an IDA structure for this Type.

children = None¶: A list of this type’s children

constructors()[source]¶: A list of constructors associated with this type. The list will be empty for types not backed by tablegroups.

descendants¶

A tree of the child types for this type (and their children, etc).

For a heirarchy like this:

    A
   / \ 
  B   C
 /   / \ 
D   E   F

A’s descendants will be the nested dictionaries:

{
  B: {
    D: {},
  },
  C: {
    E: {},
    F: {}
  }
}

destructors()[source]¶: A list of destructors associated with this type. The list will be empty for types not backed by tablegroups.

family¶: The set of Types that are the direct/indirect children and parents of this Type, as well as the children and parents of those types, recursively.

is_ancestor_of(other)[source]¶: Returns True if other is a direct or indirect child of this Type.

is_descendant_of(other)[source]¶: Returns True if other is a direct or indirect parent of this Type.

parents = None¶: A list of this type’s parents in inheritance order

table_for_cast(parent)[source]¶: Finds the table that would be used for virtual function lookups if this type was cast to ‘parent’.

tablegroup = None¶: Handle to the TableGroup backing this type (if any)

typeinfo = None¶: Handle to the RTTI typeinfo for this type (if any)

devirtualize.type.Types(regenerate=False)[source]¶: Returns a memoized list of Type objects for this binary

devirtualize.type.fixup_this_arg_types(cfunc)[source]¶: Modifies a cfuncptr_t such that its first argument is a pointer to the Type that has this cfunc in its vtable (and is named ‘this’)

devirtualize.type.get_type_by_func(ea)[source]¶: Returns a Type with ea in its vtable. If there are multiple such types, the least derived type is returned (or the 1st found, if the multiple types have no known inheritance relationship).

devirtualize.type.get_type_by_name(name)[source]¶: Returns any type object matching name

devirtualize.type.get_type_by_tinfo(tinfo)[source]¶: Returns the Type that has a struct with the associated tinfo

devirtualize.type.parents_from_destructors(type)[source]¶: Finds the direct parents of the Type associated with tablegroup by examining function calls in its destructor.

devirtualize.type.save_type_info()[source]¶: Save the current state/relationships between types. This essentially ‘saves’ the Devirtualize plugin.

devirtualize.type.tables_from_heuristics(require_rtti=False)[source]¶: Yields addresses of VTableGroups found via heuristic methods

devirtualize.type.tables_from_names()[source]¶: Yields addresses of VtableGroups if binary is not stripped

devirtualize.type.type_matching_typeinfo(types, typeinfo)[source]¶: Get the type in types that is associated with typeinfo.

devirtualize.utils module¶

devirtualize.view module¶

devirtualize.view.translate_vptr_references(cfunc)[source]¶: The real ‘work’ function of Devirtualize. This function takes a cfuncptr and devirtualizes calls.