Menu
I would like to know how to change the address of Test which is in the virtual table with that of HackedVTable.
void HackedVtable()
{
cout << "Hacked V-Table" << endl;
}
class Base
{
public:
virtual Test() { cout <<"base"; }
virtual Test1() { cout << "Test 1"; }
void *prt;
Base(){}
};
class Derived : public Base
{
public:
Test()
{
cout <<"derived";
}
};
int main()
{
Base b1;
b1.Test(); // how to change this so that `HackedVtable` should be called instead of `Test`?
return 0;
}
603
Client applications and service providers written in C define MAPI objects by creating a data structure and an array of ordered function pointers known as a virtual function table, or vtable. A pointer to the vtable must be the first member of the data structure.
Whenever there is a virtual function call, the v-table is used to resolve to the function address. An object of the class that contains one or more virtual functions contains a virtual pointer called the vptr at the very beginning of the object in the memory.
The vtable is created at compile time. When a new object is created during run time, the hidden vtable pointer is set to point to the vtable. Keep in mind, though, that you can't make reliable use if the virtual functions until the object is fully constructed.
Virtual functions are slow when you have a cache miss looking them up. As we'll see through benchmarks, they can be very slow. They can also be very fast when used carefully — to the point where it's impossible to measure the overhead.
This works for 32-bit MSVC builds (it's a very simplified version of some production code that's been in use for well over a year). Note that your replacement method must explicitly specify the this parameter (pointer).
// you can get the VTable location either by dereferencing the
// first pointer in the object or by analyzing the compiled binary.
unsigned long VTableLocation = 0U;
// then you have to figure out which slot the function is in. this is easy
// since they're in the same order as they are declared in the class definition.
// just make sure to update the index if 1) the function declarations are
// re-ordered and/or 2) virtual methods are added/removed from any base type.
unsigned VTableOffset = 0U;
typedef void (__thiscall Base::*FunctionType)(const Base*);
FunctionType* vtable = reinterpret_cast<FunctionType*>(VTableLocation);
bool hooked = false;
HANDLE process = ::GetCurrentProcess();
DWORD protection = PAGE_READWRITE;
DWORD oldProtection;
if ( ::VirtualProtectEx( process, &vtable[VTableOffset], sizeof(int), protection, &oldProtection ) )
{
vtable[VTableOffset] = static_cast<FunctionType>(&ReplacementMethod);
if ( ::VirtualProtectEx( process, &vtable[VTableOffset], sizeof(int), oldProtection, &oldProtection ) )
hooked = true;
}
The V-Table is an implementation detail.
The compiler is not required to use one (it just happens to be the easiest way to implement virtual functions). But saying that each compiler can (and does) implement it slightly differently as a result there is no answer to your question.
If you ask how do I hack a vtable for a program built with:
Compiler <X> Version <Y> Build <Z>
Then somebody may know the answer.
43
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
