Questions regarding detouring by modifying the virtual table

Posted by Elliott Darfink on Stack Overflow See other posts from Stack Overflow or by Elliott Darfink
Published on 2012-07-11T15:01:26Z Indexed on 2012/07/11 15:15 UTC
Read the original article Hit count: 215

Filed under:
|
|
|
|

I've been practicing detours using the same approach as Microsoft Detours (replace the first five bytes with a jmp and an address). More recently I've been reading about detouring by modifying the virtual table. I would appreciate if someone could shed some light on the subject by mentioning a few pros and cons with this method compared to the one previously mentioned!

I'd also like to ask about patched vtables and objects on the stack. Consider the following situation:

// Class definition
struct Foo
{
 virtual void Call(void) { std::cout << "FooCall\n"; }
};

// If it's GCC, 'this' is passed as the first parameter
void MyCall(Foo * object)
{
 std::cout << "MyCall\n";
}

// In some function
Foo * foo = new Foo; // Allocated on the heap
Foo foo2; // Created on the stack

// Arguments: void ** vtable, uint offset, void * replacement
PatchVTable(*reinterpret_cast<void***>(foo), 0, MyCall);

// Call the methods
foo->Call(); // Outputs: 'MyCall'
foo2.Call(); // Outputs: 'FooCall'

In this case foo->Call() would end up calling MyCall(Foo * object) whilst foo2.Call() call the original function (i.e Foo::Call(void) method). This is because the compiler will try to decide any virtual calls during compile time if possible (correct me if I'm wrong). Does that mean it does not matter if you patch the virtual table or not, as long as you use objects on the stack (not heap allocated)?

© Stack Overflow or respective owner

Related posts about c++

Related posts about gcc