Finding out the memory structure of objects without debugging a running program?

I am working on developing a program. I use IDA Pro and Decompiler Hex-Rays. I come across pieces of code where I know that there is an object, and there is a method call on the object, but it is shown in a way that I cannot understand. For instance:

 if ( (*(*interfacePtr + 24))(interfacePtr, &v23) >= 0 )

I know that interfacePtr points to an ICLRRuntimeHost object here (C++, .NET CLR). However... I have no idea what is at *(*interfacePtr + 24). I can tell that this is a method call, but how do I find out what is sitting at +24?

+4
2 answers

A class vtable is just a list of function pointers. It contains one pointer for each virtual function, in order: those of the topmost base class first, then the next base class, then its subclass, and so on down to the most derived class.

Example:

 struct A {
     virtual ~A() {}
     virtual void foo() = 0;
 };
 struct B : public A {
     virtual void foo() {
         // do something
     }
     virtual void bar() {
         // do something else
     }
 };

The vtable for B will contain in the following order:

  • ~A
  • foo
  • bar

(The entries for A must come first so that the same vtable can be used by code that holds a pointer of type A to this object; that code does not know that the underlying object is really a B.)

If you are looking at 32-bit code, pointers are 4 bytes, so 24 = 4 * 6 and you are looking at the 7th virtual function (the index starts at 0). If you are on 64-bit, pointers are 8 bytes, so 24 = 8 * 3 and you are looking at the 4th. Actually, I have not used the IDA "convert to C++" functionality, so maybe 24 is simply the 24th entry in the table.

An easy way to confirm: write your own program. Declare a variable of type ICLRRuntimeHost. Call the function you suspect (based on reading the header file and counting to 7 or 4, depending on the bitness, or 24 if I misunderstood your example). Look at the generated assembly code and check that your index is right. (I always get tripped up on this kind of thing, so this provides a check.)

+2
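The check the answer recommends, as an added example that is not part of the original answer: the same A/B class shape is compiled, the vtable pointer is read out of the object's first word, and a slot is called through it exactly the way the decompiled line `(*(*interfacePtr + 24))(interfacePtr, ...)` does. It assumes a gcc/clang build using the Itanium C++ ABI (the compiler's vptr points at slot 0 and `this` is passed as the first argument). One caveat it makes visible: on that ABI a virtual destructor occupies two vtable slots, so foo lands in slot 2 and bar in slot 3, not slots 1 and 2 as the bullet list above would suggest; MSVC uses a single destructor slot. That compiler dependence is exactly why counting from the header should be confirmed against a compiled test program. The tag values (100, 200) and the function names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Same class shape as the answer's example, but each virtual function returns
// a distinct tag so a call made through the raw vtable can be identified.
struct A {
    virtual ~A() {}
    virtual int foo() = 0;
};
struct B : public A {
    virtual int foo() { return 100; }
    virtual int bar() { return 200; }
};

// Convert a byte offset seen in the decompiler (the "+24") into a vtable slot
// index for this build's pointer size.
std::size_t slot_from_offset(std::size_t byte_offset) {
    return byte_offset / sizeof(void*);
}

// Read the vtable pointer out of the object's first word: this is the inner
// "*interfacePtr" of the decompiled line.  memcpy reads the raw object bytes
// without tripping over strict-aliasing rules.
void** vtable_of(const void* obj) {
    void** vt;
    std::memcpy(&vt, obj, sizeof vt);
    return vt;
}

// Perform "(*(*obj + index * sizeof(void*)))(obj)": fetch slot `index` and
// call it with the object as the hidden `this` parameter (first argument on
// the Itanium C++ ABI used by gcc/clang).  Only for methods with no further
// parameters.
int call_slot(void* obj, std::size_t index) {
    void** vt = vtable_of(obj);
    typedef int (*method_t)(void*);
    method_t fn;
    std::memcpy(&fn, &vt[index], sizeof fn);   // data pointer -> function pointer
    return fn(obj);
}

// Build a B and call the given slot on it, returning the tag of whatever
// method lives there.  Slots 0 and 1 are the two destructor entries on the
// Itanium ABI, so only slots >= 2 are probed here.
int tag_at_slot(std::size_t index) {
    B b;
    return call_slot(&b, index);
}

int main() {
    std::size_t idx = slot_from_offset(24);
    std::printf("pointer size %zu, so +24 is vtable slot %zu\n", sizeof(void*), idx);
    // On a 64-bit gcc/clang build: slot 2 is foo (100), slot 3 is bar (200).
    std::printf("slot 2 -> %d, slot 3 -> %d\n", tag_at_slot(2), tag_at_slot(3));
    if (idx >= 2 && idx <= 3)
        std::printf("slot %zu holds the method returning %d\n", idx, tag_at_slot(idx));
    return 0;
}
```

On a 64-bit build, `slot_from_offset(24)` is 3, so the decompiled call reaches bar; on a 32-bit build it is 6, which is beyond this small vtable, matching the answer's point that the pointer size decides which function `+24` names. Calling a member function through a plain function pointer is outside the C++ standard; it is used here only because it mirrors what the decompiled code is actually doing at the machine level.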

Take a look at the definitions of ICLRRuntimeHost and ICLRRuntimeHostVtbl in mscoree.h.

Roughly translated into something Hex-Rays would understand, they look like this:

 typedef unsigned int _DWORD;      // IDA's 32-bit unsigned integer type
 struct ICLRRuntimeHostVtbl;       // forward declaration: the object refers to its vtable
 struct ICLRRuntimeHost {
     ICLRRuntimeHostVtbl *vtbl;    // first word of the object is the vtable pointer
 };
 struct ICLRRuntimeHostVtbl {
     // IUnknown part, always first in a COM interface
     _DWORD (*QueryInterface)(ICLRRuntimeHost*, _DWORD*, void**);
     _DWORD (*AddRef)(ICLRRuntimeHost*);
     _DWORD (*Release)(ICLRRuntimeHost*);
     // ICLRRuntimeHost methods, in declaration order
     _DWORD (*Start)(ICLRRuntimeHost*);
     _DWORD (*Stop)(ICLRRuntimeHost*);
     _DWORD (*SetHostControl)(ICLRRuntimeHost*, void*);
     _DWORD (*GetCLRControl)(ICLRRuntimeHost*, void**);   // slot 6: offset 24 with 4-byte pointers
 };

Set your interfacePtr variable to type ICLRRuntimeHost, and your code should then decompile as follows:

 interfacePtr->GetCLRControl(&v23); 
0
