Merge remote-tracking branch

'origin/GP-339_ghidra007_RecoverClassesFromRTTI--SQUASHED'

Ghidra/Features/Base/ghidra_scripts/GraphClassesScript.java

@@ -0,0 +1,201 @@
+/* ###
+ * IP: GHIDRA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+//Script to graph class hierarchies given metadata found in class structure description that
+// was applied using the ExtractClassInfoFromRTTIScript. 
+//@category C++
+import java.util.*;
+
+import ghidra.app.script.GhidraScript;
+import ghidra.app.services.GraphDisplayBroker;
+import ghidra.framework.plugintool.PluginTool;
+import ghidra.program.model.data.*;
+import ghidra.service.graph.*;
+import ghidra.util.exception.CancelledException;
+import ghidra.util.task.TaskMonitor;
+
+public class GraphClassesScript extends GhidraScript {
+
+	List<Structure> classStructures = new ArrayList<Structure>();
+
+	@Override
+	public void run() throws Exception {
+
+		if (currentProgram == null) {
+			println("There is no open program");
+			return;
+		}
+
+		DataTypeManager dataTypeManager = currentProgram.getDataTypeManager();
+
+		String path = new String("ClassDataTypes");
+		CategoryPath dataTypePath = new CategoryPath(CategoryPath.ROOT, path);
+
+		Category category = dataTypeManager.getCategory(dataTypePath);
+		if (category == null) {
+			println(
+				"/ClassDataTypes folder does not exist so there is no class data to process. Please run the ExtractClassInfoFromRTTIScript to generate the necessary information needed to run this script.");
+			return;
+		}
+
+		Category[] subCategories = category.getCategories();
+
+		getClassStructures(subCategories);
+
+		AttributedGraph graph = createGraph();
+		if (graph.getVertexCount() == 0) {
+			println(
+				"There was no metadata in the class structures so a graph could not be created. Please run the ExtractClassInfoFromRTTIScript to generate the necessary information needed to run this script.");
+		}
+		else {
+			showGraph(graph);
+		}
+
+	}
+
+	private void getClassStructures(Category[] categories) throws CancelledException {
+
+		for (Category category : categories) {
+			monitor.checkCanceled();
+			DataType[] dataTypes = category.getDataTypes();
+			for (DataType dataType : dataTypes) {
+				monitor.checkCanceled();
+				if (dataType.getName().equals(category.getName()) &&
+					dataType instanceof Structure) {
+
+					// if the data type name is the same as the folder name then
+					// it is the main class structure
+					Structure classStructure = (Structure) dataType;
+					if (!classStructures.contains(classStructure)) {
+						classStructures.add(classStructure);
+					}
+
+				}
+			}
+
+			Category[] subcategories = category.getCategories();
+
+			if (subcategories.length > 0) {
+				getClassStructures(subcategories);
+			}
+		}
+	}
+
+	private AttributedGraph createGraph() throws CancelledException {
+
+		AttributedGraph g = new AttributedGraph();
+
+		Iterator<Structure> classStructuresIterator = classStructures.iterator();
+		while (classStructuresIterator.hasNext()) {
+
+			monitor.checkCanceled();
+
+			Structure classStructure = classStructuresIterator.next();
+
+			String description = classStructure.getDescription();
+			String mainClassName = getClassName(description);
+
+			if (mainClassName == null) {
+				continue;
+			}
+
+			AttributedVertex classVertex = g.addVertex(mainClassName);
+
+			int numParents = 0;
+			while (description.contains(":")) {
+
+				numParents++;
+
+				int indexOfColon = description.indexOf(":", 0);
+
+				description = description.substring(indexOfColon + 1);
+
+				int endOfBlock = description.indexOf(":", 0);
+				if (endOfBlock == -1) {
+					endOfBlock = description.length();
+				}
+
+				String parentName = description.substring(0, endOfBlock);
+
+				description = description.substring(endOfBlock);
+
+				boolean isVirtualParent = false;
+				if (parentName.contains("virtual")) {
+					isVirtualParent = true;
+				}
+
+				parentName = parentName.replace("virtual", "");
+				parentName = parentName.replace(" ", "");
+
+
+				AttributedVertex parentVertex = g.addVertex(parentName);
+
+				AttributedEdge edge = g.addEdge(parentVertex, classVertex);
+				if (isVirtualParent) {
+					edge.setAttribute("Color", "Orange");
+				}
+				// else leave it default lime green
+			}
+
+			// no parent = blue vertex
+			if (numParents == 0) {
+				classVertex.setAttribute("Color", "Blue");
+			}
+			// single parent = green vertex
+			else if (numParents == 1) {
+				classVertex.setAttribute("Color", "Green");
+			}
+			// multiple parents = red vertex
+			else {
+				classVertex.setAttribute("Color", "Red");
+			}
+		}
+
+		return g;
+	}
+
+	private void showGraph(AttributedGraph graph) throws Exception {
+
+		GraphDisplay display;
+		PluginTool tool = state.getTool();
+		GraphDisplayBroker broker = tool.getService(GraphDisplayBroker.class);
+		GraphDisplayProvider service = broker.getGraphDisplayProvider("Default Graph Display");
+		display = service.getGraphDisplay(false, TaskMonitor.DUMMY);
+		display.setGraph(graph, "test graph", false, TaskMonitor.DUMMY);
+	}
+
+	private String getClassName(String description) {
+
+		// parse description for class hierarchy
+		if (!description.startsWith("class")) {
+			return null;
+		}
+
+		// skip "class " to get overall class
+		description = description.substring(6);
+		int indexOfColon = description.indexOf(":", 0);
+		String mainClassName;
+		if (indexOfColon == -1) {
+			mainClassName = description;
+		}
+		else {
+			mainClassName = description.substring(0, indexOfColon - 1);
+		}
+		mainClassName = mainClassName.replace(" ", "");
+
+		return mainClassName;
+	}
+
+}

Ghidra/Features/Base/ghidra_scripts/SearchForImageBaseOffsets.java

@@ -0,0 +1,84 @@
+/* ###
+ * IP: GHIDRA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import ghidra.app.script.GhidraScript;
+import ghidra.program.model.address.Address;
+import ghidra.util.exception.CancelledException;
+
+public class SearchForImageBaseOffsets extends GhidraScript {
+
+	@Override
+	public void run() throws Exception {
+
+		if (currentProgram == null) {
+			println("No open program");
+			return;
+		}
+
+		if (currentProgram.getMemory().isBigEndian()) {
+			println("This script only looks for little endian image base offsets");
+			return;
+		}
+
+		Address imageBase = currentProgram.getImageBase();
+
+		long currentAddressOffset = currentAddress.getOffset();
+		long imageBaseOffset = imageBase.getOffset();
+
+		long currentAddressIbo = imageBaseOffset ^ currentAddressOffset;
+
+		byte searchBytes[] = createLittleEndianByteArray(currentAddressIbo, 8);
+		println("searching for possible ibo64 references to " + currentAddress.toString() + " ...");
+		searchForByteArray(searchBytes);
+
+		searchBytes = createLittleEndianByteArray(currentAddressIbo, 4);
+		println("searching for possible ibo32 references to " + currentAddress.toString() + " ...");
+		searchForByteArray(searchBytes);
+
+	}
+
+	/**
+	 * Method to create a byte array out of the given long value
+	 * @param value the given value
+	 * @param numBytes the number of bytes from the low end of the value to copy into the array
+	 * @return the little endian byte array for the given value
+	 * @throws CancelledException if cancelled
+	 */
+	private byte[] createLittleEndianByteArray(long value, int numBytes)
+			throws CancelledException {
+
+
+		byte byteArray[] = new byte[numBytes];
+
+		for (int i = 0; i < numBytes; i++) {
+			monitor.checkCanceled();
+			byteArray[i] = (byte) (value >> (8 * i) & 0xff);
+		}
+
+		return byteArray;
+	}
+
+	private void searchForByteArray(byte[] byteArray) throws CancelledException {
+		Address start = currentProgram.getMinAddress();
+		Address found = find(start, byteArray);
+		while (found != null) {
+			monitor.checkCanceled();
+			println(found.toString());
+			start = found.add(1);
+			found = find(start, byteArray);
+		}
+	}
+
+}

Ghidra/Features/Base/ghidra_scripts/UpdateClassFunctionDataScript.java

@@ -0,0 +1,191 @@
+/* ###
+ * IP: GHIDRA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+//Script to update the given class's virtual functions' function signature data types and 
+// the given class's vfunction structure field name for any differing functions in 
+// the class virtual function table(s). To run, put the cursor on any of the desired class's
+// virtual functions or at the top a class vftable. The script will not work if the <class>_vftable
+// structure is not applied to the vftable using the ExtractClassInfoFromRTTIScript.
+//@category C++
+
+import java.util.*;
+
+import ghidra.app.script.GhidraScript;
+import ghidra.program.model.address.Address;
+import ghidra.program.model.data.*;
+import ghidra.program.model.listing.*;
+import ghidra.program.model.symbol.*;
+import ghidra.util.exception.CancelledException;
+import ghidra.util.exception.DuplicateNameException;
+
+public class UpdateClassFunctionDataScript extends GhidraScript {
+	@Override
+	public void run() throws Exception {
+
+		if (currentProgram == null) {
+			println("There is no open program");
+			return;
+		}
+
+
+		Function function = getFunctionContaining(currentAddress);
+		if (function != null) {
+
+			Namespace parentNamespace = function.getParentNamespace();
+			
+			Parameter thisParam = function.getParameter(0);
+			if (thisParam.getName().equals("this")) {
+				DataType dataType = thisParam.getDataType();
+				if (dataType instanceof Pointer) {
+					Pointer pointer = (Pointer) dataType;
+					DataType baseDataType = pointer.getDataType();
+					if (baseDataType.getName().equals(parentNamespace.getName())) {
+						// call update
+						println("updating class " + parentNamespace.getName());
+						updateClassFunctionDataTypes(parentNamespace);
+						return;
+					}
+				}
+
+			}
+			
+		}
+
+		Symbol primarySymbol = currentProgram.getSymbolTable().getPrimarySymbol(currentAddress);
+		if (primarySymbol.getName().equals("vftable") ||
+			primarySymbol.getName().substring(1).startsWith("vftable")) {
+			updateClassFunctionDataTypes(primarySymbol.getParentNamespace());
+			return;
+		}
+
+	}
+
+	private void updateClassFunctionDataTypes(Namespace classNamespace)
+			throws CancelledException, DuplicateNameException, DataTypeDependencyException {
+
+		List<Symbol> classVftableSymbols = getClassVftableSymbols(classNamespace);
+
+		Iterator<Symbol> vftableIterator = classVftableSymbols.iterator();
+		while (vftableIterator.hasNext()) {
+			monitor.checkCanceled();
+			Symbol vftableSymbol = vftableIterator.next();
+			Address vftableAddress = vftableSymbol.getAddress();
+			Data data = getDataAt(vftableAddress);
+			if (data == null) {
+				continue;
+			}
+			DataType baseDataType = data.getBaseDataType();
+			if (!(baseDataType instanceof Structure)) {
+				continue;
+			}
+
+			Structure vfunctionStructure = (Structure) baseDataType;
+
+			Category category = getDataTypeCategory(vfunctionStructure);
+
+			if (category == null) {
+				continue;
+			}
+
+			// check that the structure name starts with <classname>_vtable and that it is in 
+			// the dt folder with name <classname>
+			if (category.getName().equals(classNamespace.getName()) &&
+				vfunctionStructure.getName().startsWith(classNamespace.getName() + "_vftable")) {
+				println(
+					"Updating vfunction signature data types and (if necessary) vtable structure for vftable at address " +
+					vftableAddress.toString());
+				updateVfunctionDataTypes(data, vfunctionStructure, vftableAddress);
+			}
+		}
+
+	}
+
+	/**
+	 * Method to find any function signatures in the given vfunction structure that have changed
+	 * and update the function signature data types
+	 * @throws DuplicateNameException 
+	 * @throws DataTypeDependencyException 
+	 */
+	private void updateVfunctionDataTypes(Data structureAtAddress, Structure vfunctionStructure,
+			Address vftableAddress) throws DuplicateNameException, DataTypeDependencyException {
+
+		DataTypeManager dtMan = currentProgram.getDataTypeManager();
+
+		int numVfunctions = structureAtAddress.getNumComponents();
+
+		for (int i = 0; i < numVfunctions; i++) {
+			Data dataComponent = structureAtAddress.getComponent(i);
+
+			Reference[] referencesFrom = dataComponent.getReferencesFrom();
+			if (referencesFrom.length != 1) {
+				continue;
+			}
+			Address functionAddress = referencesFrom[0].getToAddress();
+			Function vfunction = getFunctionAt(functionAddress);
+			if (vfunction == null) {
+				continue;
+			}
+			FunctionDefinitionDataType functionSignatureDataType =
+				(FunctionDefinitionDataType) vfunction.getSignature();
+
+			DataTypeComponent structureComponent = vfunctionStructure.getComponent(i);
+			DataType componentDataType = structureComponent.getDataType();
+			if (!(componentDataType instanceof Pointer)) {
+				continue;
+			}
+
+			Pointer pointer = (Pointer) componentDataType;
+			DataType pointedToDataType = pointer.getDataType();
+			if (functionSignatureDataType.equals(pointedToDataType)) {
+				continue;
+			}
+			// update data type with new new signature
+			dtMan.replaceDataType(pointedToDataType, functionSignatureDataType, true);
+			if (!structureComponent.getFieldName().equals(vfunction.getName())) {
+				structureComponent.setFieldName(vfunction.getName());
+			}
+		}
+
+	}
+
+	private Category getDataTypeCategory(DataType dataType) {
+
+		DataTypeManager dataTypeManager = currentProgram.getDataTypeManager();
+		CategoryPath originalPath = dataType.getCategoryPath();
+		Category category = dataTypeManager.getCategory(originalPath);
+
+		return category;
+	}
+
+	private List<Symbol> getClassVftableSymbols(Namespace classNamespace)
+			throws CancelledException {
+
+		SymbolTable symbolTable = currentProgram.getSymbolTable();
+		List<Symbol> vftableSymbols = new ArrayList<Symbol>();
+
+		SymbolIterator symbols = symbolTable.getSymbols(classNamespace);
+		while (symbols.hasNext()) {
+
+			monitor.checkCanceled();
+			Symbol symbol = symbols.next();
+			if (symbol.getName().equals("vftable") ||
+				symbol.getName().substring(1).startsWith("vftable")) {
+				vftableSymbols.add(symbol);
+			}
+
+		}
+		return vftableSymbols;
+	}
+}