When Virtual Hell Freezes Over- Reversing C++ Code
Gal Zaban @0xgalz
id;whoami
● Gal Zaban
● Reverse Engineer
● Security Researcher at Viral Security Group
● In my spare time I like sewing
This is my own private research
Agenda
● REsearch
  ○ C++ Internals
    ■ Object Creation
    ■ Inheritance
    ■ Multiple Inheritance
    ■ Vtables
    ■ Virtual calls
● DEvelopment
  ○ IDAPython - Breakpoints
  ○ “Virtualor” - IDAPython framework that automates reverse engineering of C++
The Problem
Reversing C++ is Hard
Dynamic Object Creation
Object Creation

| Action | Assembly |
|---|---|
| Heap Allocation | `call operator new(uint)` |
| Constructor Call | `call j_gz_Object_ctor` |
Basic Constructor

| Object | Assembly |
|---|---|
| VTable | `mov dword ptr [eax], VTable` |
| Member1 | `movsd qword ptr [eax+8], xmm0` |
| Member2 | - |
| ... | - |
| MemberX | - |
What Does a Vtable Look Like?
FatherA Vtable:
● PrintHello()
● PrintHelloMe()
● PrintNum()
Father0 Vtable:
● PrintHello()
● PrintHelloMe()
Vtable In IDA
VTables and Virtual Calls
● Assignment of the vtable to EDX
● Move the virtual func to EAX
● The Virtual Call
Multiple Inheritance
Multiple Inheritance Structure
Components of the son class C:
● FatherA
● FatherB
● C’s Members
The Son’s Full Object (in memory order):
● C_A_VTable
● FatherA_Member1
● ...
● FatherA_MemberX
● C_B_VTable
● FatherB_Member1
● ...
● FatherB_MemberX
● C_Member1
● ...
● C_MemberX
Function Calls with Multiple Inheritance
It requires a lot of work
I wanted to make it fluffy
IDAPython + IDC =
IDAPython is ezpz to write
But IDC is more extensive
How it all began
Virtualor
Automated IDA tracing
● Create trace breakpoints on virtual calls
● Parse the trace file created by IDA
The Tracing Problem
● It didn’t give a real-time solution for vtables
● This solution can only provide the specific function that was called, not the whole vtable
How can we make it a dynamic solution?
● Taint backward to the instruction that assigns the relevant function to the register of the virtual call
● Create the structure of the vtable based on the vtable base pointer
● Correlate between the structure and the vtable pointer
IDAPython- How to create a Breakpoint
Hook Vtable Pointers
● Find all the virtual calls
● Add breakpoints on the assignment of the vtable’s function to the register
Conditional BP as a hook
● Write code inside the BP condition
● End the condition with an always-false expression, so the breakpoint runs its code but never actually stops execution
Conditional BPs and IDAPython
● By default IDAPython supports only IDC conditional breakpoints
● In IDC conditions we cannot #include idc.idc
IDAPython internals
● Diving into the files of the IDAPython modules
● We must find a way to change the condition language to IDAPython
The new BP Creation
The Hook Purpose
● Create IDA structures of the vtables
● Connect the structures with the virtual calls
● Add comments and references to the code
● Correlate the vtable base pointer to its struct
The Hook location
● The breakpoint is located on the assignment of the relevant function to the register.
Get The Vtable Pointer
What Created the Hook (the Python template that generates the breakpoint condition; `reg_vtable` and `offset` are filled in per virtual call):

```python
p_vtable = idc.GetRegValue(\"""" + reg_vtable + """\")
pv_func_addr = idc.GetRegValue(\"""" + reg_vtable + """\") + """ + offset + """
```
Get The Vtable Pointer
● And this is how it looks in the hook’s condition:
Get Functions From Vtable
What Created the Hook:

```python
all_functions = []
if """ + offset + """ > 0:
    cnt = 0
    # walk the vtable one dword at a time, up to and including the called slot
    while cnt <= """ + offset + """:
        pv_func_addr = idc.GetRegValue(\"""" + reg_vtable + """\") + cnt
        v_func_addr = get_wide_dword(pv_func_addr)
        v_func_name = GetFunctionName(v_func_addr)
        all_functions.append(v_func_name)
        cnt += 4
```
Now we have the vtable!
Create The Structure
What Created the Hook:

```python
struct_id = add_struc(-1, "vtable_" + hex(p_vtable), 0)
```

The Vtable Name: `vtable_0x1379ba8L`
Add Vtable Functions as Members
What Created the Hook:

```python
cnt = 0
for func_name in all_functions:
    # one dword member per vtable slot, named after the function it points to
    idc.add_struc_member(struct_id, "v_" + func_name, cnt*4, FF_DWRD, -1, 4)
    cnt += 1
```

Function member examples: `v_sub_1359e84` OR `v_gz_calc_size`
This is how the structure looks now...
Unfortunately It's not Fluffy Enough...
Because we also want comments!
Add Comments To The Structure
● Add where the function was assigned
● Add function names to existing comments
  ○ the same function is used from different parts of the code.
Add Comments To The Structure
What Created the Hook:

```python
# only the slot that this virtual call actually uses gets the address comment
if """ + offset + """ == cnt*4:
    cmt_curr = idc.GetMemberComment(struct_id, cnt*4, 1)
    # New comment
    if cmt_curr is None:
        idc.SetMemberComment(struct_id, cnt*4, "Was used in address:" + " """ + hex(start_addr) + """", 1)
    # Adding this call site to the existing comment
    else:
        cmt_new = cmt_curr
        cmt_new += ", " + " """ + hex(start_addr) + """ "
        idc.SetMemberComment(struct_id, cnt*4, cmt_new, 1)
```
Add Comments To The Assembly
What Created the Hook:

```python
virtual_call_addr = """ + hex(start_addr) + """
last_text = idc.get_cmt(virtual_call_addr, 1)
if last_text is None:
    last_text = ""
idc.set_cmt(virtual_call_addr, last_text + "vtable structure is: " + "vtable_" + hex(p_vtable) + ", function: " + curr_func, 1)
```
And One Last Thing To Add ...
Structure Offset and False Condition
What Created the Hook:

```python
idc.op_stroff(virtual_call_addr, 1, struct_id, 0)
"Gal" == "IDA"
```

The last expression is the always-false condition: the breakpoint evaluates the code above and then lets execution continue without stopping.
Now The Hook Is Finished!
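An offline model of the hook's bookkeeping, added here as an example; it is not Virtualor's code. Constructed 32-bit memory and the `FUNC_NAMES` map stand in for the debugged process and for IDA's `get_wide_dword`/`GetFunctionName`, `VtableStruct` stands in for the IDA struct database, and it assumes the "used in" comment belongs only to the slot actually called.

```python
import struct
from dataclasses import dataclass, field

PTR = 4  # the talk targets 32-bit code: vtable slots are dwords, walked in steps of 4

# Constructed sample memory (not from the talk): one vtable at 0x1379ba8 holding
# three function pointers, plus the names IDA's GetFunctionName would return.
VTABLE_ADDR = 0x1379BA8
MEMORY = {VTABLE_ADDR: struct.pack("<III", 0x1359E84, 0x1359F10, 0x135A020)}
FUNC_NAMES = {0x1359E84: "sub_1359e84", 0x1359F10: "gz_calc_size", 0x135A020: "gz_print_num"}


def get_wide_dword(addr):
    """Stand-in for idc.get_wide_dword, reading from the constructed memory map."""
    for base, blob in MEMORY.items():
        if base <= addr <= base + len(blob) - PTR:
            return struct.unpack_from("<I", blob, addr - base)[0]
    raise ValueError(f"unmapped read at {addr:#x}")


@dataclass
class VtableStruct:
    """Offline model of the IDA struct the hook builds with add_struc/add_struc_member."""
    name: str
    members: dict = field(default_factory=dict)   # slot offset -> member name
    comments: dict = field(default_factory=dict)  # slot offset -> member comment


def functions_up_to(p_vtable, offset):
    """Walk slots 0..offset of the vtable, as the hook's `while cnt <= offset` loop does."""
    names = []
    for cnt in range(0, offset + 1, PTR):
        func_addr = get_wide_dword(p_vtable + cnt)
        names.append(FUNC_NAMES.get(func_addr, f"sub_{func_addr:x}"))
    return names


def bp_condition(p_vtable, offset, call_addr, structs):
    """One firing of the conditional breakpoint set on `mov eax, [reg_vtable+offset]`.
    p_vtable  - value of reg_vtable when the BP hits (idc.GetRegValue in the hook)
    offset    - slot offset taken from the instruction operand
    call_addr - address of the virtual call being annotated (start_addr in the hook)
    structs   - dict standing in for IDA's struct database, keyed by struct name
    """
    name = "vtable_" + hex(p_vtable)
    st = structs.setdefault(name, VtableStruct(name))
    for cnt, func_name in enumerate(functions_up_to(p_vtable, offset)):
        st.members.setdefault(cnt * PTR, "v_" + func_name)
    # Only the slot called from call_addr gets a "used in" comment; a second hit on
    # the same slot appends the new call site to the existing comment.
    cur = st.comments.get(offset)
    st.comments[offset] = (f"Was used in address: {call_addr:#x}" if cur is None
                           else f"{cur}, {call_addr:#x}")
    # Like the trailing "Gal" == "IDA" in the real hook: the condition is always
    # false, so IDA does the bookkeeping and resumes without stopping.
    return False


def disasm_comment(p_vtable, offset, structs):
    """The comment the hook writes next to the virtual call with idc.set_cmt."""
    st = structs["vtable_" + hex(p_vtable)]
    return f"vtable structure is: {st.name}, function: {st.members[offset]}"
```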
The Hook
Before
After- vtable structures
After- The Disassembly
What’s next?
● Add structures for all the objects (local, static, dynamic) and the inheritance.
● Add logic to the names of the functions in the vtables based on their code: strings, function calls, loops and more.
@0xgalz