Every user of IDA Pro likes cross-references - they are very useful but applicable for objects in global memory only. What if I want to have cross-references for virtual methods and class/record fields - like what functions some specific virtual method was called from? Unfortunately IDA Pro cannot shows this - partially because this information is not stored in debug info and also due to weak algo for types propagation. Call of virtual method typically looks similar to
mov rax, [rbp+var_8] ; this
mov rax, [rax] ; this._vptr
add rax, 10h
mov rcx, [rax] ; load method from vtable, why not mov rcx, [rax+0x10]?
call rcx ; or even better just call
[rax+0x10]?
Lets think where we can get such kind of cross-references - sure compiler must have it somewhere inside to generate native code, right? So generally speaking compiler is your next friend (right after disassembler and debugger).
Run gcc with -c -fdump-final-insns options on simple C++ test file and check how call of virtual method looks like:(call_insn # 0 0 2 (set (reg:DI 0 ax)
(call (mem:QI (reg/f:DI 1 dx [orig:85 _4 ] [85]) [ *OBJ_TYPE_REF(_4;this_7(D)->3B) S1 A8])
(const_int 0 [0]))) "vtest.cc":31:21# {*call_value}
What? What is _4, which type has this and what means ->3B instead of method name? Looking ahead, I can say that actually all needed information really stored in RTL thought function dump_generic_node (from tree-pretty-print.cc) is just too lazy to show it properly. Seems that we can develop gcc plugin to extract this cross-references (in fact, the first couple of months of development this was not at all obvious)
why gcc?
visual c++
Unlike .NET with excellent roslyn Microsoft don`t allow you to make plugin for their C++ compiler nor even describes it`s internal IR
clang
Don't write a clang plugin (c)
In fact probably you could do this. If I right remember llvm IR has full support for virtual methods. Another question is to what extent final native code matches with IR - like some pieces of code could be removed due to dead-code elimination, merged within GCSE pass and so on
Besides llvm still has someproblems with producing bootable linux kernel
Anyway I am too stupid to understand bunch of llvm classes with hellish templates and too impatient to wait for several hours every time when recompiling clang after inserting couple of debug prints
gcc plugin basics
-fplugin-arg-NAME-<key>[=<value>]the value is not mandatory