James Rowley at Hardwear USA 2023

James Rowley



Analyzing Decompiled C++ Vtables and Objects in GCC Binaries







Abstract:

In the process of reverse engineering binary software, one may encounter strange patterns in both code and data, slowing progress and muddying the intent of the original code. Such is the case for software originally written in C++, but we’ve developed simple techniques for analyzing and understanding C++ binaries (albeit limited to those compiled by GCC). Static analysis of C++ binaries need not be any more difficult than for C, and in fact, the data emitted by the C++ compiler can be leveraged to better understand the intent of the original code in situations where symbols have been stripped.

This workshop will demonstrate these techniques in Ghidra, redefining the virtual tables and virtual method calls that enable C++’s object model in terms of pure-C structures and types. We will compile a simple C++ program with GCC, then annotate it in Ghidra to a sufficient degree to recover its original meaning, including classes and objects.


Speaker Bio:

James Rowley is an engineer at Marcus Engineering, with over 5 years of experience in embedded systems development, both hardware and software, as well as reverse engineering such systems.