{"id":21145992,"url":"https://github.com/trou/apache-module-ida-til","last_synced_at":"2025-07-09T07:32:09.201Z","repository":{"id":52444046,"uuid":"350780060","full_name":"trou/apache-module-ida-til","owner":"trou","description":"Making Type Info Library (TIL) file for Apache modules","archived":false,"fork":false,"pushed_at":"2021-03-25T15:27:54.000Z","size":614,"stargazers_count":44,"open_issues_count":0,"forks_count":7,"subscribers_count":7,"default_branch":"master","last_synced_at":"2023-04-01T10:14:07.341Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trou.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-03-23T16:22:25.000Z","updated_at":"2023-03-25T17:29:56.000Z","dependencies_parsed_at":"2022-08-13T01:51:03.368Z","dependency_job_id":null,"html_url":"https://github.com/trou/apache-module-ida-til","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trou%2Fapache-module-ida-til","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trou%2Fapache-module-ida-til/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trou%2Fapache-module-ida-til/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trou%2Fapache-module-ida-til/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trou","download_url":"https://codeload.github.com/trou/apache-module-ida-til/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://git
hub.com","kind":"github","repositories_count":225492617,"owners_count":17482924,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-20T08:45:02.606Z","updated_at":"2024-11-20T08:45:03.134Z","avatar_url":"https://github.com/trou.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Creating TIL files for IDA\n\n## Intro\n\nCreating a *Type Information Library* makes it easier to reverse engineer\nbinaries by providing IDA with detailed and accurate information about types.\n\nTypes include:\n\n* function prototypes\n* structures\n* enums\n\nThe main point is that IDA will apply function prototypes to the imports \nand include the relevant data types in the database.\n\n\n## Creating a TIL file for Apache\n\nAs an example, we will create a TIL file which can help with reversing Apache modules.\n\n\nEverything here will be done on Debian Sid, amd64 from March 2021, but most of\nit will work on most Linux distros.\n\n\n### Prerequisites\n\nWe need the source code of the libraries we want to analyze. 
My target used\nApache 2.2, so let's fetch it:\n\n```\nwget https://archive.apache.org/dist/httpd/httpd-2.2.34.tar.bz2\nwget https://archive.apache.org/dist/httpd/httpd-2.2.34.tar.bz2.asc \ncurl https://downloads.apache.org/httpd/KEYS | gpg2 --import\ngpg2 --verify httpd-2.2.34.tar.bz2.asc httpd-2.2.34.tar.bz2 \n```\n\nThe archive contains things we want to include in our TIL:\n\n* the headers for writing modules\n* the Apache Runtime (apr) lib\n\nFirst, we need to do a `./configure` to have the right headers generated.\nOf course, this phase will need to reflect the configuration that was used \nby your target.\n\nIn my case, the binary was compiled with `GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-56)`, which \nis *ancient*. But in theory, there should not be real differences in ABI between a recent and an old\nGCC compiler on Linux amd64, so let's proceed anyway.\n\n## TIL\n\n### Compiler config\n\nFirst, we need to get the right configuration for the compiler options in `tilib`: depending on\nthe architecture and target ABI, structure padding, type sizes, etc. will vary.\n\nThis is the \"documentation\":\n\n```\n$ ./tilib -C?\n  -C... specifies the compiler information\n  It has the -Cx# form, where # - value, x is one of the following:\n  c-compiler id, m-model, p-sizeof(near*), g-defalign (0/1/2/4/8/6 for16)\n  b-sizeof(bool), e-sizeof(enum), i-sizeof(int), s-sizeof(short)\n  l-sizeof(long), L-sizeof(longlong), R-explicit stack offsets\n  v-calling convention, B-bitness (3 for 32 or 6 for 64), D-sizeof(long double)\n  8-4 byte alignment for 8byte scalars (__int64/double) inside structures (y/n)\n  a-shorthand for cmpgbeislLvB8. 
The default is us40144248i3n\nCompiler ids:        Pointer sizes:\n  0 or u: Unknown          1: sizeof(near*)=1, sizeof(far*)=2\n  1 or v: Visual C++       2: sizeof(near*)=2, sizeof(far*)=4\n  2 or b: Borland C++      4: sizeof(near*)=4, sizeof(far*)=6\n  3 or w: Watcom C++       8: sizeof(near*)=8, sizeof(far*)=8\n  6 or g: GNU C++         Memory models:\n  7 or a: Visual Age C++   s: small   (code=near, data=near)\n  8 or d: Delphi           l: large   (code=far, data=far)\n                           c: compact (code=near, data=far)\n                           m: medium  (code=far, data=near)\nCalling conventions:\n  i: invalid    s: stdcall      u: unknown (default)\n  v: void       p: pascall\n  c: cdecl      r: fastcall\n  e: (...)      t: thiscall\nFor example, BCC small model v3.1: -Cabs2122224\n             GNU C++:              -Cags44444248u\n```\n\n\nAs you can see, `-C` is *difficult* to master. Here's how to read the\n`-Cags44444` which you can find in tilib's `gcc.cfg`:\n\n```\n; from GCC 32 config:\n; -Cags44444\n; cmpgbeislLvB8 (expansion for \"Ca\")\n; us40144248i3n (default)\n; gs44444\n; |||||||||||||_ 8bytes scalars alignment\n; ||||||||||||__ bitness\n; |||||||||||___ calling convention\n; ||||||||||____ sizeof(longlong)\n; |||||||||_____ sizeof(long)    : \n; ||||||||______ sizeof(short) : 4\n; |||||||_______ sizeof(int)   : 4\n; ||||||________ sizeof(enum)  : 4\n; |||||_________ sizeof(bool)  : 4\n; ||||__________ defalign: 4\n; |||___________ pointer size: 4\n; ||____________ mem model: small\n; |_____________ compiler: gcc\n```\n\n#### Creating our own config\n\n* Use `sizes.c`\n* `cp gcc.cfg gcc64.cfg`\n* Update `gcc64.cfg`\n\n**Note:** the (updated) `gcc64.cfg` was provided by Igor Skochinsky from Hex-Rays, I just added the comments.\n\n#### Building TIL steps\n\nFirst we need to make a top level header which includes everything: `apache_all.h`.\n\nThen, we will run it through `gcc -E` to preprocess everything and 
facilitate\nthe ingestion by `tilib`.\n\nThen we begin the loop of fixing errors and warnings.\n\nThe most important hacks are:\n\n* Adding `#define __asm__(arg)` to our `apache_all.h` file, to \"nop\" inline asm\n* Adding `-D__extension__= \\` to the `tilib` call, which will \"nop\" the unsupported `__extension__` keyword\n* Adding `\"-D__builtin_va_list=void *\"` which will work around the need for the internal definition of `va_list`\n* Adding `-D__UNKNOWN_ATTR__=UNKNOWN_ATTR` in `gcc64.cfg`\n\nOf course the command line options could be included in the `.cfg` file.\n\nSee `make_til.sh` for the final result.\n\n#### Fixing \"opaque\" structures\n\nIdentify which structures have no \"size\" in the .til file:\n\n```\n$ tilib  -l apache22-debian64.til  | grep \"FFFFFFFF struct\"\n[...]\nFFFFFFFF struct ap_conf_vector_t;\nFFFFFFFF struct ap_filter_provider_t;\nFFFFFFFF struct apr_allocator_t;\nFFFFFFFF struct apr_bucket_alloc_t;\n[...]\n```\n\nSome are opaque by \"design\", such as `ap_conf_vector_t`; others should be added\nto the `apache_all.h` file by copy-pasting.\n\n\n## Result\n\n\nThe TIL file should be put inside `til/pc` in the IDA directory to be discovered.\n\nAfter loading the TIL file (Shift-F11, Insert), and defining the module export as `module`, note\nhow all the Apache related imports are now in **bold**, with their types defined:\n![Before / After](img/before_after1.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrou%2Fapache-module-ida-til","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrou%2Fapache-module-ida-til","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrou%2Fapache-module-ida-til/lists"}