devi - DEvirtualize VIrtual calls
Devi is a simple tool that uses runtime information (the targets actually reached by indirect calls while the program runs) to devirtualize virtual calls in C++ binaries, so the disassembler can show the concrete callees behind each vtable call.
Usage
Devi consists of two components: a dynamic-analysis part (a tracer built on a DBI framework) that records the call site and target of each virtual call, and a static-analysis part (a disassembler plugin) that loads that record and annotates the disassembly.
Running the Frida Tracer
Minimal Command Line
Spawn process:
python devi_frida.py -m <module_name> -o <JSON_output> -- <software_to_trace> <arguments for binary>
Attach to process:
python devi_frida.py -m <module_name> -s <symbol_to_hook> -o <JSON_output> -p <pid_of_target>
Disassembler Plugin:
For Binary Ninja see https://github.com/murx-/devi_binja. For IDA, follow the steps below.
Copy devi_ida.py to your IDA plugin folder, or load the script via File -> Script file... and select devi_ida.py.
Once devi is loaded, load the JSON file containing the virtual calls via File -> Load File -> Load Virtual Calls.
Minimal Example
python devi_frida.py -m main -o virtual_calls.json -- tests/HelloWorld myArgs
Load JSON file into IDA Pro.
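The step the plugin performs between "JSON file" and "annotated disassembly" is worth seeing in code: the tracer records addresses as they were at runtime (for a PIE binary, relative to wherever the loader mapped the module), and the plugin has to rebase them to the disassembler's image base, collapse repeated hits, and keep apart the call sites that reached more than one target. The following is an added example written for this page, not devi's own code; the JSON field names (module/base/size/calls/src/dst) and the comment format are assumptions made for the example, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample input. The field names are an assumption for this
# example, NOT devi's actual JSON layout. 0x555555554000 is a typical
# runtime base for a PIE binary on Linux x86-64.
SAMPLE_JSON = json.dumps({
    "module": "main",
    "base": "0x555555554000",
    "size": "0x5000",
    "calls": [
        {"src": "0x5555555551a3", "dst": "0x555555555240"},  # site A -> first target
        {"src": "0x5555555551a3", "dst": "0x555555555260"},  # site A -> second target (polymorphic)
        {"src": "0x5555555551a3", "dst": "0x555555555240"},  # duplicate hit of the first target
        {"src": "0x5555555551d7", "dst": "0x7ffff7e4b000"},  # site B -> target in another module
    ],
})


def rebase(addr, runtime_base, image_base):
    """Translate a runtime address into the disassembler's address space."""
    return addr - runtime_base + image_base


def load_virtual_calls(text, image_base=0x0):
    """Parse tracer output and group rebased targets per rebased call site.

    Returns (sites, skipped): sites maps call site -> sorted list of unique
    targets; skipped lists (call site, raw target) pairs whose target lies
    outside the traced module and therefore cannot be rebased with this base.
    """
    data = json.loads(text)
    runtime_base = int(data["base"], 16)
    module_end = runtime_base + int(data["size"], 16)
    sites = defaultdict(set)
    skipped = []
    for rec in data["calls"]:
        src = int(rec["src"], 16)
        dst = int(rec["dst"], 16)
        site = rebase(src, runtime_base, image_base)
        # A target in a different module (e.g. a libc function reached through
        # a vtable) would get a meaningless address if rebased against this
        # module's base, so report it instead of silently annotating garbage.
        if not runtime_base <= dst < module_end:
            skipped.append((site, dst))
            continue
        sites[site].add(rebase(dst, runtime_base, image_base))
    return {s: sorted(t) for s, t in sites.items()}, skipped


def annotation(site, targets):
    """Comment text a plugin would attach at the call site (format assumed)."""
    return "devi: %d target(s): %s" % (len(targets), ", ".join(hex(t) for t in targets))


if __name__ == "__main__":
    sites, skipped = load_virtual_calls(SAMPLE_JSON)
    for site, targets in sorted(sites.items()):
        print(hex(site), annotation(site, targets))
    for site, dst in skipped:
        print(hex(site), "target %s outside traced module, not rebased" % hex(dst))
```

With image_base left at 0 (how IDA loads a PIE ELF), the polymorphic site ends up with two targets, the duplicate hit collapses, and the foreign target is reported rather than rebased. A disassembler plugin would then turn each (site, target) pair into a code cross-reference plus a comment; the set of targets is only as complete as the inputs the traced run exercised, so a site with one recorded target may still have others on code paths the trace never took.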
Disassembly: before/after screenshots
Xrefs: before/after screenshots
Xref Graph: before/after screenshots
Supported Frameworks
Supported DBIs:
- Frida
Supported Disassemblers:
- IDA
- Binary Ninja
Misc
This tool is heavily inspired by Ablation.