PyClassInformer : An Advanced RTTI Parsing Plugin For IDA Pro

PyClassInformer is an IDAPython-based plugin designed for parsing Run-Time Type Information (RTTI) in C++ binaries.

While existing tools like Class Informer and SusanRTTI offer similar functionality, PyClassInformer stands out by addressing limitations such as the inability to use these tools as libraries and the lack of advanced class hierarchy management.

Key Features

Cross-Platform Compatibility: PyClassInformer supports Windows, macOS, and Linux, as it is written in Python and runs within IDA Pro.
RTTI Parsing: It parses RTTI for both x86 and x64 binaries, extracting detailed information about class layouts and hierarchies.
Enhanced Visualization: The plugin provides a tabular output with additional columns like:
- Offset: Displays the offset of a virtual function table (vftable) in the class layout.
- Hierarchy Order: Shows inheritance order from a class to its top-most superclass.
Integration with Python: Results can be accessed programmatically by importing PyClassInformer as a library, enabling advanced automation and analysis.

To launch PyClassInformer:

Press Alt+Shift+L in IDA Pro.
Alternatively, navigate to Edit -> Plugins -> PyClassInformer.

Double-clicking any entry in the results navigates directly to the corresponding vftable address.

Place pyclassinformer_plugin.py and the pyclassinformer folder into the plugins directory of your IDA user directory ($IDAUSR).
Restart IDA Pro to load the plugin.

IDA Pro: Version 7.4 or later (tested on versions up to 9.1).
Python: Version 3.x (tested on Python 3.8 and 3.10).

PyClassInformer outputs detailed RTTI information, including Complete Object Locators (COL), Class Hierarchy Descriptors (CHD), and Base Class Descriptors (BCD).

It also visualizes class hierarchies in a tree-like structure, aiding reverse engineers in understanding complex inheritance relationships.

Compared to tools like Class Informer, PyClassInformer offers:

Library functionality for integration into custom Python scripts.
Additional data columns for better analysis of class layouts and hierarchies.

While it shares some similarities with SusanRTTI, PyClassInformer enhances usability by combining RTTI parsing with flexible data handling capabilities.

In summary, PyClassInformer is an invaluable tool for reverse engineers working with C++ binaries, offering both ease of use and powerful insights into object-oriented structures.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.