Calling Virtual Functions Directly From The VTable Of A Compiled Executable.
- Owner
- May 22, 2020
- 3 min read
Updated: Nov 12, 2022
The contents of this blog post are my best efforts to help you understand how you can call virtual functions from the Vtables using Vpointers .
Ok amigo, before i show you how to do this, there are certain prerequisites about programming in general you should know,let me give you a quick rundown~
Runtime Polymorphism
Also known as Dynamic Dispatch or Late Binding,
In a nutshell, the compiler decides which function to call associated with the object at Runtime.
In C++, this is implemented by method overriding
What Are Virtual Functions Anyway ?
Virtual Functions are those functions which are associated with the "virtual" keyword, any function which is virtual can have multiple re-definitions in child classes by overriding.
They are used to achieve runtime polymorphism.
Pure virtual functions are the same thing as regular virtual functions with the exception of them, not having a definition .
So using the concept of virtual functions, a pointer of the parent class can be assigned a value of the address of a child class object and it will point to the/call the function in the child class (which is the same virtual function of the parent class,just overwritten )
Consider this piece of code :
class Parent
{
public:
void foo()
{
std::cout << "I'm in parents foo\n";
}
};
class Child:public Parent
{
public:
void foo()
{
std::cout << "I'm in childs foo\n";
}
};
int main()
{
Child c1;
Parent* pptr;
pptr = &c1;
pptr->foo();
}The output of this would be : "I'm in parents foo".
Now see what happens when you add the virtual keyword to foo :
class Parent
{
public:
virtual void foo()
{
std::cout << "I'm in parents foo\n";
}
};
class Child:public Parent
{
public:
void foo()
{
std::cout << "I'm in childs foo\n";
}
};
int main()
{
Child c1;
Parent* pptr;
pptr = &c1;
pptr->foo();
}The output for this would be :"I'm in childs foo"
pretty neat,right?
What are VTables and VPointers?
For every class that has virtual functions, the compiler creates a table called Virtual Table (VTable),
The virtual table contains a list of all virtual function accessible by the class.
You can think of it as an array of pointers to those functions, this array is accessed by the Virtual Pointer (VPointer).
Consider this snippet of code :
class Parent
{
public:
virtual void foo()
{
std::cout << "I'm in parents foo\n";
}
virtual void bar()
{
std::cout << "I'm in parents bar\n";
}
};
class Child:public Parent
{
public:
void foo()
{
std::cout << "I'm in childs foo\n";
}
};
A pictorial visualization of it's VTables would look like this ;
Now,
VPointers are nothing but a member of the class they are associated with, in fact, they increase the size of the class by - sizeof(vpointer);
Note: There exists a VTable of every type, NOT for every instance of that type.
In most compilers the VPointers are usually the the first member of the class.
Fun Fact: In the MSVC compiler the VPointer is stored in the ECX register
Putting It All Into Context
So now we know, about virtual functions, VTables,Vpointers etc, now what?
Well, if you stumble upon the memory location of a class (of a compiled executable) that uses virtual functions you can simply call those functions using function pointers and the index of that virtual function !
For Example:
void foo (int val1, int val2){
using original_fn = void(__thiscall*)(this,int,int);
return (*(original_fn**)this)[15](this,val1,val2);
}Here -
(*(original_fn**)this)is the pointer to the Vtable,
15 is just an index to the array(the VTable, that is).
so,
(*(original_fn**)this)[15](this,val1,val2);is actually calling the 15th virtual function in the Class!
Now using these concepts you can do a lot of cool this, such as *ahem* -
nice cheat bro where did ya paste it from :^)
interesting stuff! keep it up