Question

I have the following C++ code illustrating virtual methods:

class X{
    O a;
    H b;
    virtual void c() = 0;
    virtual void d() = 0;
};

class Y : public X{
    virtual void c();
    virtual void d();
};

which outputs the following vtable layout on MSVC:

1>  class X size(24):
1>      +---
1>   0  | {vfptr}
1>   8  | a
1>  16  | b
1>      +---
1>  
1>  X::$vftable@:
1>      | &X_meta
1>      |  0
1>   0  | &X::c
1>   1  | &X::d
1>  
1>  X::c this adjustor: 0
1>  X::d this adjustor: 0
1>  
1>  
1>  class Y size(24):
1>      +---
1>      | +--- (base class X)
1>   0  | | {vfptr}
1>   8  | | a
1>  16  | | b
1>      | +---
1>      +---
1>  
1>  Y::$vftable@:
1>      | &Y_meta
1>      |  0
1>   0  | &Y::c
1>   1  | &Y::d
1>  
1>  Y::c this adjustor: 0
1>  Y::d this adjustor: 0
1>  
1>  

After reading Inside the C++ Object Model, I was wondering: where is the type info in the above vtable layouts?

In the book (I think they use GCC vtable layout) the type info would be in the 0th element of the vtable. For MSVC this is not the case, as it's a virtual function, so where is the type info stored?? Is that what "_meta" is??


Solution

Is that what "_meta" is??

Yes. What did you think that meant, other than polymorphic metadata?

Other tips

For MSC you will find it useful to search more information on RTTICompleteObjectLocator, which isn't quite documented but looks roughly like this:

struct RTTICompleteObjectLocator
{
    DWORD signature;
    DWORD offset;
    DWORD cdOffset;
    struct TypeDescriptor* pTypeDescriptor;                 // member name assumed
    struct RTTIClassHierarchyDescriptor* pClassDescriptor;  // member name assumed
};

It is indeed located adjacent to the vtable, so it can be easily located by pointer adjustment in the generated assembly.

This is the source I've kept in my bookmarks for a couple of years: P. Sabanal, M. Yason. Reversing C++, Black Hat DC 2007
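
As an added illustration that is not part of either answer: the sketch below reads the slot immediately before the first virtual function, which is where MSVC stores &Y_meta (the RTTICompleteObjectLocator pointer) and where the Itanium C++ ABI used by GCC and Clang stores the std::type_info pointer. The helper names (vtable_of, meta_slot, type_name_via_vtable) are hypothetical, the MSVC layouts (TypeDescriptor, COL32, COL64) are assumptions about an undocumented format, and RTTI must be enabled.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <typeinfo>

struct X {                       // long a, b stand in for the question's O a; H b;
    long a = 0, b = 0;
    virtual void c() = 0;
    virtual void d() = 0;
};
struct Y : X { void c() override {} void d() override {} };

// The hidden vfptr sits at offset 0 of the object in both ABIs for this layout.
static const void* const* vtable_of(const X& obj) {
    const void* const* vt;
    std::memcpy(&vt, &obj, sizeof vt);
    return vt;
}

// Slot -1: &Y_meta (the complete object locator) on MSVC,
// the std::type_info pointer on the Itanium ABI (GCC, Clang).
const void* meta_slot(const X& obj) { return vtable_of(obj)[-1]; }

#ifdef _MSC_VER                  // assumed layouts, undocumented by Microsoft
struct TypeDescriptor { const void* pVFTable; void* spare; char name[1]; };
struct COL32 { uint32_t signature, offset, cdOffset;
               TypeDescriptor* pTypeDescriptor; void* pClassDescriptor; };
struct COL64 { uint32_t signature, offset, cdOffset;   // the fields below are
               int32_t pTypeDescriptor, pClassDescriptor, pSelf; }; // image-relative
#endif

// Type name reached only through the vtable, without calling typeid on obj.
const char* type_name_via_vtable(const X& obj) {
#if defined(_MSC_VER) && defined(_WIN64)
    auto col = static_cast<const COL64*>(meta_slot(obj));
    auto base = reinterpret_cast<const char*>(col) - col->pSelf;
    return reinterpret_cast<const TypeDescriptor*>(base + col->pTypeDescriptor)->name;
#elif defined(_MSC_VER)
    return static_cast<const COL32*>(meta_slot(obj))->pTypeDescriptor->name;
#else
    return static_cast<const std::type_info*>(meta_slot(obj))->name();
#endif
}

int main() {
    Y y;
    std::printf("slot -1 = %p, name = %s\n", meta_slot(y), type_name_via_vtable(y));
}
```

On MSVC the returned string is the decorated type name held in the TypeDescriptor; on GCC and Clang it is the mangled name that typeid(Y).name() also returns.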

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow