binaryninja-api icon indicating copy to clipboard operation
binaryninja-api copied to clipboard
verified publisher icon Vector35

Demangled type names reference missing types

Open CouleeApps opened this issue 2 years ago • 3 comments

Version and Platform (required):

  • Binary Ninja Version: 3.5.4288-dev
  • OS: macOS
  • OS Version: 12.4
  • CPU Architecture: M1

Bug Description: When the Demangler constructs a type from a name, it can create Named Type References to types that do not yet exist in the analysis. These types are not created even afterwards, leaving you with a bunch of broken type references to missing names. This is especially noticeable when loading a PDB with mangled names and stripped type information.

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

  1. Grab the binary from https://github.com/Vector35/binaryninja-api/issues/4235
  2. In the load options, disable pdb.features.createMissingNamedTypes (it is a workaround for PDBs for this bug)
  3. Go to 0x140056c08
  4. Try to navigate to the type of that variable
  5. Notice it does not exist

Expected Behavior: I expected types used in the analysis to exist, even if just as forward declared empty structures or something.

Screenshots: image This type does not exist.

Additional Information: ~Demangler plugins #467 is blocking on this~ Demangler plugins proceeded without fixing this haha

CouleeApps avatar Aug 08 '23 03:08 CouleeApps

I've run into another variant of this when reversing a macOS C++ binary. Asking on Slack, it was suggested that it's another case of this issue, so wanted to include the context here.

In the linear view, there are a bunch of struct vtable_for_* entries, but there are no corresponding types created for them:

image

On slack, @CouleeApps said (Ref): "those are an artifact of the binary having a symbol for "here's where the vtable is" but it doesn't actually define a type for it"

This also seems to apply to the typeinfo_for_* entries as well:

image

0xdevalias avatar Apr 11 '24 06:04 0xdevalias

This issue seems somewhat related (at least to the variant I mentioned in my previous comment above):

  • https://github.com/Vector35/binaryninja-api/issues/1163

Also this comment/references:

I'm not 100%, so correct me if i'm wrong, but I believe this may be related to automatically creating the structs for vtable_for_* and typeinfo_for_* and similar?

If so, I was wondering why this didn't seem to currently be a thing, I first found myself at this issue (due to the empty structs not being visible in the types):

  • https://github.com/Vector35/binaryninja-api/issues/4551

And then found the following blog series, which helped me understand the in-memory layout of the vtables/etc in clang binaries a lot better:

  • https://shaharmike.com/cpp/vtable-part1/

    • C++ vtables - Part 1 - Basics

  • https://shaharmike.com/cpp/vtable-part2/

    • C++ vtables - Part 2 - Multiple Inheritance

  • https://shaharmike.com/cpp/vtable-part3/

    • C++ vtables - Part 3 - Virtual Inheritance

  • https://shaharmike.com/cpp/vtable-part4/

    • C++ vtables - Part 4 - Compiler-Generated Code

Or for something way more low-level:

  • https://clang.llvm.org/doxygen/VTableBuilder_8cpp_source.html

This may also be of interest:

  • https://blog.trailofbits.com/2017/02/13/devirtualizing-c-with-binary-ninja/

As well as the existing vtable docs:

  • https://docs.binary.ninja/guide/cpp.html#virtual-function-tables

It would be awesome if Binary Ninja core was able to handle this automagically!

Also, since they don't seem to be cross-linked currently, here is the issue for MSVC for easier findability:

  • https://github.com/Vector35/binaryninja-api/issues/3930

Originally posted by @0xdevalias in https://github.com/Vector35/binaryninja-api/issues/3857#issuecomment-2049192814

0xdevalias avatar Jun 07 '24 06:06 0xdevalias

I've also ran into this issue when dealing with a x86-64 Linux ELF.

ccarpenter04 avatar Jun 07 '24 15:06 ccarpenter04