Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

astrelsky/Ghidra-Cpp-Class-Analyzer

Repository files navigation

Run tests Ghidra C++ Class and Run Time Type Information Analyzer

NOTICE

This project has reached its end of life and is no longer being maintained. Ghidra currently provides scripts for RTTI analysis and class reconstruction. These scripts should now be used and improved upon.

API Documentation

A fully built and linked version of the documentation is available at https://astrelsky.github.io/Ghidra-Cpp-Class-Analyzer.

Building

Run the following command in a terminal of your choice.

gradle buildExtension

Upon completion the output will be located in the dist folder.

Installation

Extract the archive to a destination folder of your choice. Launch ghidra and from the project manager go to file->Install Extensions... Click the + icon near the top right corner of the window. Select the the path of the extracted Ghidra-Cpp-Class-Analyzer folder and select OK. After restarting ghidra open the CodeBrowser and go to file->Configure...->Experimental and select ClassTypeInfoManagerPlugin. Restart the CodeBrowser to allow the analyzers to be refreshed.

Features

  • GCC RTTI models and analysis.
  • Vtable analysis and class namespace setting.
  • Constructor/Destructor analysis.
  • Reconstruction of class inheritance models for virtual multiple inheritance.
  • Tree style display of inheritance hierarchy.

Supported Compilers

  • GCC
  • Clang
  • Visual Studio (Control Flow Guard (CFG) not supported)

Inheritance Modeling via the Type Info Tree

Capture

Class Type Info Color Coding

#FFFF00 - Nested Class #28a745 - Basic Class #d73a49 - Abstract Class #0366d6 - Virtual Class #6f42c1 - Virtual Abstract Class

CppClassAnalyzerGhidraScript

Want to make a GhidraScript with easy access to the ClassTypeInfoManager for the currentProgram? Try extending the CppClassAnalyzerGhidraScript class instead of GhidraScript. Unfortunately this is currently only possible for scripts written in Java.

Fill Out Class Decompiler Action

Right clicking within the decompiler window in a __thiscall function with which a ClassTypeInfo exists will contain an action to fill out the class. It behaves similarly to the fill out structure action accept class members are determined via calls to other __thiscall functions.

Dynamic RTTI Handling

For GNU binaries a project archive will need to be created to provide data required for analysis. Each library containing dynamic RTTI will need to be analyzed and copied into the project archive via the TypeInfoTree prior to analyzing the program. In the future an archive wil be distributed for libstdc++.

TODO

  • Graphing
  • Type Info Tree filter
  • Help Documentation