SusanRTTI: an IDAPython plugin for viewing run-time type information

Background

Run-type type information, or RTTI, refers to class information present in compiled C++ binaries. Depending on the class hierarchy used by the programmer who wrote the original code, it may be possible to retrieve a great deal of information about the program. This can be extremely useful in the course of reverse engineering–just knowing names can be quite helpful, but knowing which classes inherit from which other classes is even more powerful. For more detailed information on RTTI, see the Wikipedia article on the topic.

There are already other IDA plugins that perform this functionality, such as the well-established Class Informer, so why make a new plugin? It can be quite useful to extract RTTI from a binary, but if the target binary contains a lot of classes with complex inheritance relationships, it can be difficult to fully grasp how they relate to each other in practice. Here’s how SusanRTTI attempts to improve upon this workflow: * Class diagram within IDA * Rather than outputting a flat textual list of classes and their relationships to other classes, this plugin generates a graph within IDA showing the hierarchy of classes: Example of graph inside IDA

* DOT export functionality * In addition to displaying a graph using IDA’s own graphing engine, the plugin supports exporting to DOT format, which allows you to produce even nicer graphs using an external tool such as GraphViz:

Example of GraphViz graph

* Support for multiple compilers * RTTI formats are different for each C++ compiler. This plugin supports parsing RTTI from binaries compiled with MSVC or GCC. * Architecture- and platform-independent * This plugin is written in Python, allowing it to work on any architecture (32-bit or 64-bit IDA versions) and on any platform (Windows, Linux, Mac) without modification or recompilation.

Usage

The requirements to use the plugin are fairly simple: as long as you have a copy of IDA Pro installed, with a corresponding installation of Python. The plugin can be obtained from GitHub at the following URL: https://github.com/nccgroup/PythonClassInformer

First, open up the IDA database that you’d like to read RTTI for. Then, within IDA, go to File -> Script file… and choose “classinformer.py”. (You can also press Alt-F7 to avoid having to use the File menu every time you’d like to run the plugin.) If all goes well, you should see a graph within IDA looking something like this:

IDA interface displaying class hierarchy graph

From there, you can navigate around the graph and explore the class hierarchy in the exact same fashion as you would explore basic blocks in IDA.

If you’d like to have more control over how the graph is formatted, you can also export the graph to a DOT file in order to render a graph using an external tool. Just right-click on the graph and click “Export DOT”:

Exporting graph to DOT format

Then, you can use a tool such as GraphViz to render the graph:

IDA interface displaying class hierarchy graph

Conclusion

RTTI can be an extremely helpful way to gain insight about a C++ binary during reverse engineering, and Susan RTTI’s visualization of the class hierarchies can strengthen these insights even further. We hope reverse engineers’ lives will become a little easier using the visualizations produced by this plugin. Currently, there are several known issues with the parsing of RTTI data that we’re planning on fixing, as well as some features we’d like to add, so stay tuned for future updates.

Published date:  05 October 2017

Written by:  Tyler Colgan

Filter By Service

Filter By Date