Are vTable pointers always located inside a module? menu

These ads disappear when you log in.

Results 1 to 5 of 5
  1. #1
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    CoreCoins User Authenticator enabled
    Reputation
    1147
    Join Date
    Sep 2013
    Posts
    960
    Thanks G/R
    140/415
    Trade Feedback
    0 (0%)

    Are vTable pointers always located inside a module?

    Assuming the standard VC++ vTable layout:

    Code:
      Heap-Addr           TableAddr
    +-----------+       +-----------+
    | TableAddr | ----> | Funcion-1 | ----> Exec region of module
    +-----------+       +-----------+
    | a         |       | Funcion-2 | ----> Exec region of module
    +-----------+       +-----------+
    | b         |       | Funcion-3 | ----> Exec region of module
    +-----------+       +-----------+
    | c         |       |    ...    |
    +-----------+       +-----------+
    Is TableAddr guaranteed to always be inside a module or can it be anywhere in the address space, if so, what are the conditions that would make TableAddr be outside a module.

    For clarity: A module is any .exe or .dll which has read-only or executable regions of memory allowing functions to be called. From my experience I've only seen TableAddr reside inside read-only sections of modules.

    These ads disappear when you log in.

  2. #2
    namreeb's Avatar Elite User
    CoreCoins User
    Reputation
    553
    Join Date
    Sep 2008
    Posts
    972
    Thanks G/R
    5/152
    Trade Feedback
    0 (0%)
    I don't believe it is strictly guaranteed. You could obviously replace it yourself if you wanted to. So, no, I would say not always.

  3. Thanks Torpedoes (1 members gave Thanks to namreeb for this useful post)
  4. #3
    DarkLinux's Avatar ★ Elder ★ CoreCoins User Authenticator enabled
    Reputation
    1412
    Join Date
    May 2010
    Posts
    1,621
    Thanks G/R
    134/415
    Trade Feedback
    15 (100%)
    I would think all function pointers in the table would be within the module. They are your functions that your calling, if your calling someone else's functions from another dll they will be exported and in your import table (can also be hooked the same way). I dont think you will find a vtable address pointing to an exported entry but I could be wrong. A program could map in some asm/shell code, but a compiler would not make a vtable entry for it at run time. I cant really think of any reason that it would not be within the module. It can be easy for a game to check a vtable for modifications, as the table is static and will always be the same in the .data section. You could create your own vtable, copy everything over and then hook. Its still easy to check if a table has been changed but then your not changing anything in the .data section, only the pointer that is on the heap. A little safer but nothing is undetected. I would love to know more about your question, its really open ended.
    Last edited by DarkLinux; 10-11-2015 at 12:20 PM.

  5. Thanks Torpedoes (1 members gave Thanks to DarkLinux for this useful post)
  6. #4
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    CoreCoins User Authenticator enabled
    Reputation
    1147
    Join Date
    Sep 2013
    Posts
    960
    Thanks G/R
    140/415
    Trade Feedback
    0 (0%)
    Originally Posted by DarkLinux View Post
    I would love to know more about your question, its really open ended.
    Thanks for your input. This is mainly a research project at the moment but I'm working on a general purposes VTable scanner. One of the things I do is snapshot the address space of the game and analyze it. But if VTable pointers always reside within a module then all I'll need to do is snapshot the modules along with the regions I want to scan, greatly reducing the amount of memory I use. Depending on the size I may even be able to process this information on the GPU. The results of this would be pretty useful as it shows you the locations of all polymorphic classes in the game and they can be sorted and identified based on the VTable address. This combined with some code-path analysis will provide me with some really cool reverse engineering strategies.
    Last edited by Torpedoes; 10-11-2015 at 01:11 PM.

  7. #5
    wraithZX's Avatar Master Sergeant
    Reputation
    43
    Join Date
    May 2007
    Posts
    122
    Thanks G/R
    0/1
    Trade Feedback
    1 (100%)
    Cross-referencing vtable entries to find equivalent functionality for polymorphic types is *very* useful. I use runtime vtable analysis for most of my gamebinary-update-resistant code - the vtables are always mapped to a region of module memory as they're constant data prepopulated inside the module. The OS's executable loader will update the RVA's when starting up the app.

    It's especially useful for determining things like name/position functions for other types - once you determine one of them, you can backtrack, find the vtable index, and all other classes derived from the same base object share the same index regardless of if you've detected the function correctly. Sticking with the position as an example, you can find the vtable index for GetPosition for a player object, work out that it's 16, and then items/units/gameobjects etc. are all using the same index even if you didn't get a definite match on pattern analysis for their GetPosition functions.

    Obviously it's a bit more complicated than that, but it's the gist of it.

Similar Threads

  1. [Selling] Vengeance WoW 2.4.3 GOLD / Ares WoW GOLD - ALWAYS Cheapest on the MARKET
    By LoveOne in forum WoW Private Server Buy Sell Trade
    Replies: 0
    Last Post: 04-25-2016, 02:46 PM
  2. [Question] Where are the HMAC seeds located at?
    By adapa in forum WoW Memory Editing
    Replies: 0
    Last Post: 09-21-2011, 06:40 PM
  3. Can't thigure it out why pointer always changes
    By Marikafka in forum WoW Memory Editing
    Replies: 2
    Last Post: 02-18-2010, 11:51 AM
  4. [Request/help] Locate a model! Are you expert enough?
    By Xel in forum WoW ME Questions and Requests
    Replies: 3
    Last Post: 07-09-2009, 04:38 AM
  5. [Question] Where are mounts located?
    By Schiffer4 in forum WoW ME Questions and Requests
    Replies: 1
    Last Post: 12-04-2008, 11:06 PM
All times are GMT -5. The time now is 10:04 PM. Powered by vBulletin® Version 4.2.3
Copyright © 2020 vBulletin Solutions, Inc. All rights reserved. Digital Point modules: Sphinx-based search