2021-05-08 18:57:54 +02:00

SOAdvancedDissector

SOAdvancedDissector is a Python 3 script that relies on GNU readelf, c++filt and vtable-dumper to extract symbols from Linux shared libraries (.so files).

From these symbols the full class hierarchy is rebuilt, which lets you link your own code against the target library.

Nevertheless, the extracted information is only the starting point. It still has to be reworked by hand: recover function return types and attribute types, sort functions, attributes and methods into public and private, add missing class attributes, and remove unneeded symbols.

Important: vtable-dumper has been forked, and the original tool must not be used because it does not (for now) implement all the needed features. Please use the fork from https://github.com/soutade/vtable-dumper

Details

A first, mandatory pass uses readelf plus binary analysis to extract static information: it scans the typeinfo and vtable entries.

A second, optional pass uses vtable-dumper, which loads the shared library so that the runtime vtables can be read (in the static file they may be empty when the library was compiled with -fPIC, since the entries are only filled in at load time) and the class hierarchy recovered. This pass can be run separately, which is useful when the shared library was compiled for another platform (for example ARM).
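As an added illustration of the first pass described above (not code from SOAdvancedDissector itself), this Python 3 snippet parses a constructed fragment of `readelf -sW | c++filt` output, collects the classes that have typeinfo/vtable symbols, counts the virtual function slots of each primary vtable under the Itanium C++ ABI layout, and groups demangled methods under their class; the class rm::Reader and the function names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `readelf -sW libfoo.so | c++filt` output
SAMPLE_SYMBOLS = """\
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000201d40    40 OBJECT  WEAK   DEFAULT   22 vtable for rm::Reader
     2: 0000000000201d68    24 OBJECT  WEAK   DEFAULT   22 typeinfo for rm::Reader
     3: 0000000000201d80    12 OBJECT  WEAK   DEFAULT   22 typeinfo name for rm::Reader
     4: 0000000000001120    18 FUNC    WEAK   DEFAULT   12 rm::Reader::open(std::string const&)
     5: 0000000000001140    10 FUNC    WEAK   DEFAULT   12 rm::Reader::~Reader()
     6: 0000000000001150     6 FUNC    GLOBAL DEFAULT   12 rm::version()
"""

# Num: Value Size Type Bind Vis Ndx Name  (Name may be empty, e.g. symbol 0)
SYMBOL_RE = re.compile(
    r"^\s*\d+:\s+([0-9a-fA-F]+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_symbols(text):
    out = []  # header and blank lines do not match the regex and are skipped
    for m in filter(None, map(SYMBOL_RE.match, text.splitlines())):
        out.append({"value": int(m.group(1), 16), "size": int(m.group(2)),
                    "type": m.group(3), "name": m.group(7).strip()})
    return out

def split_method(name):
    # 'ns::Cls::meth(args)' -> ('ns::Cls', 'meth(args)'); None for unqualified names
    paren = name.find("(")
    if paren < 0 or "::" not in name[:paren]:
        return None
    cls, _, meth = name[:paren].rpartition("::")
    return cls, meth + name[paren:]

def build_classes(symbols, ptr_size=8):
    """Classes seen via typeinfo/vtable symbols, their methods and virtual slot count."""
    classes = defaultdict(lambda: {"typeinfo": False, "vtable_slots": None, "methods": []})
    for sym in symbols:
        kind, _, cls = sym["name"].partition(" for ")  # "typeinfo name for" is ignored
        if kind == "typeinfo":
            classes[cls]["typeinfo"] = True
        elif kind == "vtable":
            # Itanium ABI primary vtable: offset-to-top, typeinfo pointer, then function slots
            classes[cls]["vtable_slots"] = sym["size"] // ptr_size - 2
    unassigned = []  # qualified names whose prefix is not a known class (namespaces etc.)
    for sym in symbols:
        parts = split_method(sym["name"]) if sym["type"] == "FUNC" else None
        if parts and parts[0] in classes:
            classes[parts[0]]["methods"].append(parts[1])
        elif sym["type"] == "FUNC":
            unassigned.append(sym["name"])
    return dict(classes), unassigned
```

Functions left in `unassigned` (here the namespace-level rm::version()) are exactly the kind of symbol the text says must be sorted out by hand afterwards.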

Improvements

This tool has been designed to reverse engineer a specific library (librmsdk.so from Adobe), and even though I tried to do my best, it may not cover all your cases. I won't provide long-term support for it, but feel free to send patches.

Usage

SOAdvancedDissector.py [-h] -f TARGET -s SECTION_FILE -S SYMBOL_FILE [-V VTABLE_FILE] [-o OUTPUT_DIR] [-c] [-r]

-h, --help                                      show this help message and exit
-f TARGET, --file TARGET                        Target file
-s SECTION_FILE, --section-file SECTION_FILE    Section file (result from 'readelf --sections|c++filt')
-S SYMBOL_FILE, --symbol-file SYMBOL_FILE       Symbol file (result from 'readelf -sW|c++filt')
-V VTABLE_FILE, --vtable-file VTABLE_FILE       Dynamic vtable file (result from 'vtable-dumper --demangle|c++filt')
-o OUTPUT_DIR, --output-dir OUTPUT_DIR          Output directory (default ./output)
-c, --clean-output-dir                          Clean the output directory before computing (instead of updating it)
-r, --print-raw-virtual-table                   Print the raw virtual table (debug purposes)

It's recommended to use the SOAdvancedDissector.sh script, which runs all the extraction tools for you.

Sources

Sources can be found at http://indefero.soutade.fr/p/soadvanceddissector

Grégory Soutadé

Licence

GNU GPLv3