Drtti is a Ghidra plugin for static analysis that automates the identification and extraction of run-time type information (RTTI) stored within Delphi binaries. This data is used to reconstruct complex types (classes), with methods, fields and properties. The plugin has currently only been tested on Delphi 4 and is a work in progress.
Using Drtti by itself gives access to the following features:
- Type injection - Adds primitive and built-in Delphi types to Ghidra's data type manager.
- VMT Discovery - Automatically finds virtual method tables for classes within a Delphi binary.
- VMT Construction - Memory maps VMT structure. Can be done either automatically or manually at a specific address.
- Structural Modeling - Generates object/class layouts with the correct in-memory size.
- Member Resolution - Dynamically types fields, properties and method references.
- Method Recovery - Recovers names, and in some cases, signatures for published methods.
If the target binary is also analyzed with IDR then Drtti can import an IDC file generated by IDR to provide further symbolic data. This includes certain Delphi standard library functions, for which there is no embedded RTTI, as well as some global variable types and names.
There are two main ways of installing Drtti. If you are only interested in using the plugin, you can simply load a zipped version of the plugin into Ghidra using the built-in plugin manager. The latest release can be downloaded here. In Ghidra, click File -> Install Extension -> (+) Add Extension. Select the Drtti .zip file and the plugin will be installed.
If you are interested in contributing to the development of Drtti, there is an installation task implemented in the Gradle build file, called installExtension. This requires you to have set up either the environment variable GHIDRA_CONFIG_DIR or a local.properties file containing the property ghidra.config.dir. The value of this property should point to the Ghidra config directory (not the installation directory). On Linux systems this is usually located under ~/.config/ghidra.
Regardless of installation method, you may need to go into the settings of the Ghidra tool (in this case the decompiler), and enable the plugin. To do this, click File -> Configure -> Configure All Plugins (a small button at the top), then find Drtti in the list and check the box.
If you are interested in contributing to the development of Drtti, read the Contributing document for more information.
Drtti is distributed under the Apache License, Version 2.0, see the LICENSE file.