Virtuailor is an IDAPython tool that reconstructs vtables for C++ code written for intel architecture and both 32bit and 64bit code. The tool constructed from 2 parts, static and dynamic.
The first is the static part, contains the following capabilities:
Detects indirect calls.
Hooks the value assignment of the indirect calls using conditional breakpoints (the hook code).
The second is the dynamic part, contains the following capabilities:
Creates vtable structures.
Rename functions and vtables addresses.
Add structure offset to the assembly indirect calls.
Add xref from indirect calls to their virtual functions(multiple xrefs).
Output and General Functions
vtables structures
The structures Virtuailor creates from the vtable used in virtual call that were hit. The vtable functions are extracted from the memory based on the relevant register that was used in the BP opcode.
发表于 2019-2-2 21:10
