Finding the constructor by scanning memory for the vtable

In Looking for leaked objects by their vtable, we used the object's constructor to locate the vtable, and then scanned the heap for the vtable to find the leaked object. But you can run this technique in reverse, too.

Suppose you found an object and you want to find its constructor. This is not a problem if you have the source code, but if you are doing some reverse-engineering for application compatibility purposes, you don't have the luxury of the application source code. You may have figured out that the application fails because the byte at offset 0x50 is zero, but on the previous version of Windows, it was nonzero. You want to find out who sets the byte at offset 0x50, so that you can see why it is setting it to zero instead of a nonzero value.

If the object has a vtable, you can scan the code segments for a copy of the vtable. It will show up in an instruction like

mov dword ptr [reg], vtable_address

This is almost certainly the object's constructor, setting up the object vtable as part of construction. You can set a breakpoint here to break when the object is constructed, and then you can set a write breakpoint on offset 0x50 to see where its value is seto.

Comments (5)
  1. Joshua says:

    And then you find one instance 50000 instructions down a recursive function with a CMC in the 800s. Isn't aggressive in lining wonderful?

  2. Young Money says:

    From what I have seen, in some compiler implementations, it could also be the object's destructor.

    [True, it could be in the destructor of a derived object that does not use the novtable optimization in its base class. -Raymond]
  3. Foone says:

    I'm actually using this technique for static analysis on an old microsoft application. I know how the compiler outputs vtable settings (they're always a MOV EAX,ECX then a MOV [EAX], OFFSET CONTANT), so I built scripts to locate all the constructors and then pull their vtable entries from the binary. With this I can easily discover which functions in the binary correspond to which classes.

  4. 640k says:

    How about surface RT?

    [It's harder on non-x86 due to the lack of a "load register with pointer-sized immediate" instruction. -Raymond]
  5. voo says:

    I don't think you do, but I just wanted to say: Please don't evaluate the popularity of your posts by the comment count. While a post such as this one will always get less comments than many others, I find these posts often very insightful – I just don't have anything to comment on.

Comments are closed.

Skip to main content