/devi

Devirtualize Virtual Calls

Primary LanguagePython

devi - DEvirtualize VIrtual calls

Devi is a simple tool that uses runtime information to devirtualize virtual calls in c++ binaries.

Usage

Devi consits of two components, one for dynamic analysis (DBI) and one for static analysis (disassembler).

Running the Frida Tracer

Minimal Command Line

Spawn process:

python devi_frida.py -m <module_name> -o <JSON_output> -- <software_to_trace> <arguments for binary>

Attach to process:

python devi_frida.py -m <module_name> -s <sysmbol_to_hook> -o <JSON_output> -p <pid_of_target>

Disassembler Plugin:

For Binary Ninja see https://github.com/murx-/devi_binja for IDA follow along here.

Copy devi_ida.py to your IDA plugin folder or load the script via File -> Script file... and load devi_ida.py.

Once devi is loaded you can load the JSON file containing the virtual calls via File -> Load File -> Load Virtual Calls.

Minimal Example

python devi_frida.py -m main -o virtual_calls.json -- tests/HelloWorld myArgs

Load JSON file into IDA Pro.

Disassembly

Before:

Disassembly before devi

After:

Disassembly with devi

Xrefs

Before:

Xrefs before devi

After:

Xrefs after devi

Xref Graph

Before:

Xrefs graph before devi

After:

Xrefs graph after devi

Supported Frameworks

Supported DBIs:

  • Frida

Supported Disassemblers:

Misc

This tool is heavily inspired by Ablation.