📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
RTTI, OO RE etc.

Topic created on: August 3, 2005 10:46 CDT by halvar .

Hey all,

I am seeing stuff in a (C++) binary that I haven't seen
before and wondered if anyone else has seen this:

Normally in VC++ code the first item in a class's datastruc
is the vtable ptr, so the constructor would set that ptr.
Now which C++ construct would create _two_ vtable ptr's
in the same VC++ class ?

Because I have the following stuff in my target:
   mov [esi], offset xyz ; const XYZ::PKChannel::'vftable'{for 'XYZ::IChannelSink'}
   mov [esi+4], offset xzz ; const XYZ::PKChannel::'vftable'{for 'XYZ::IPacketChannelSink'}

This is in the XYZ::PKChannel constructor.

I am _suspecting_ this might have to do with multiple
inheritance (as I have 0 clue about that), but I am
quite unsure. Anyone seen/investigated stuff like that
before ?



  sp     August 3, 2005 11:19.42 CDT
Hi halvar,

I'm pretty sure you guessed right with the multiple inheritance. Using a simple program (two base classes Foo and Bar with one virtual function each, one derived class FooBar which inherits from both classes) I got the following code in the constructor of FooBar, which looks suspiciously like the code you posted (VC++ 2005 / Debug build / No optimizations):

.text:004115C6                 mov     eax, [ebp+var_8]
.text:004115C9                 mov     dword ptr [eax], offset vtblFoo
.text:004115CF                 mov     eax, [ebp+var_8]
.text:004115D2                 mov     dword ptr [eax+4], offset vtblBar

The names of the classes in your code (IChannelSink and IPacketChannelSink) make that even more likely as the names imply that they are interfaces (or abstract base classes in C++) which are used for multiple inheritance.

  erlend     August 3, 2005 13:00.04 CDT
Hi,

The Itanium C++ ABI (http://www.codesourcery.com/cxx-abi/abi.html) might give some hints on legal vtable constructs and object layout. Chapter 2.5 mentions multiple vtables on multiple inheritance. GCC implements this ABI when compiling C++ code for all architectures. Though VC++ doesn't implement this ABI, it might at least give some pointers on how OO is implemented.


  halvar     August 4, 2005 02:25.19 CDT
Hey SP, Erlend :-)

SP: Thanks for testing. The thing that somewhat confuses
me is the fact that an invocation of
XYZ::PKChannel::ProcessStatus() from XYZ::PKChannel::OnPacket()
looks like this:

mov esi, ecx ; ecx is thisptr
(...)
lea ecx, [esi-4]
call XYZ::.....

So essentially this means that the thisptr did not
point to the beginning of the object ? I seriously
need to sit down to work on it some more come mid-
August...

Erlend: The link helps me a lot, many thanks ! :)
(and good to hear from you :)


  igorsk     August 4, 2005 04:48.55 CDT
halvar
---
The thing that somewhat confuses me is the fact that an invocation of
XYZ::PKChannel::ProcessStatus() from XYZ::PKChannel::OnPacket()
looks like this:

mov esi, ecx ; ecx is thisptr
(...)
lea ecx, [esi-4]
call XYZ::.....

---
Considering your first post, it seems that OnPacket() is defined in the interface IPacketChannelSink and ProcessStatus() in IChannelSink. To go from one interface to another, you need to adjust the this pointer.
The following seems to produce a result similar to yours:

#include <cstdio>

// First interface: lives at offset 0 of PKChannel (primary base).
class IChannelSink {
public:
  virtual void ProcessStatus() {printf("ProcessStatus");};
};

// Second interface: its vtable pointer lands at offset 4 (32-bit build).
class IPacketChannelSink {
public:
  virtual void OnPacket() {printf("OnPacket");};
};

// OnPacket() overrides the second base's virtual and calls into the first
// base, so the compiler has to move this from the IPacketChannelSink
// subobject back to the start of the object before the call.
class PKChannel: public IChannelSink, public IPacketChannelSink {
public:
  virtual void OnPacket() {ProcessStatus();};
};

int main(void)
{
  PKChannel pkc;
  pkc.OnPacket();
  return 0;
}

P.S. Compile it with optimizations (/O1 or /O2) to make it use registers instead of local variables.
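Added example (not code from any poster in this thread): a self-contained, ABI-neutral program that makes the layout sp measured and the this-adjustment igorsk describes observable from source level. It keeps the thread's class names but the helper functions, the recorded-this bookkeeping and the assertions are assumptions of this example. On both the Itanium ABI (GCC/Clang) and MSVC the first dynamic base is the primary base at offset 0 and the second base's vtable pointer follows it, so the displacement is sizeof(void*) (the 4 in the 32-bit `lea ecx, [esi-4]` above). Calling OnPacket() through an IPacketChannelSink* hands the compiler a pointer into the middle of the object, and the generated thunk (or inline adjustment) is what brings `this` back to the complete object before ProcessStatus() runs; at source level `this` is always the PKChannel*, whatever the binary looks like.

```cpp
#include <cstddef>
#include <cstdio>

// Records the `this` value seen inside each member function so the
// adjustment the compiler performs can be checked from outside.
// (Bookkeeping invented for this example.)
struct ThisRecord {
    const void *on_packet_this;
    const void *process_status_this;
};
static ThisRecord g_rec = {nullptr, nullptr};

class IChannelSink {
public:
    virtual void ProcessStatus() { g_rec.process_status_this = this; }
};

class IPacketChannelSink {
public:
    virtual void OnPacket() = 0;
};

// Two dynamic bases: IChannelSink is the primary base (offset 0) and
// IPacketChannelSink's vtable pointer sits right after it.
class PKChannel : public IChannelSink, public IPacketChannelSink {
public:
    // Entered through the second base's vtable, yet `this` here is the
    // PKChannel*; the compiler-generated adjustor handles the displacement.
    void OnPacket() override {
        g_rec.on_packet_this = this;
        ProcessStatus();
    }
};

// Byte distance from the complete object to its IChannelSink subobject.
std::ptrdiff_t channel_sink_offset() {
    PKChannel pkc;
    const char *full = reinterpret_cast<const char *>(&pkc);
    const char *sub = reinterpret_cast<const char *>(static_cast<IChannelSink *>(&pkc));
    return sub - full;
}

// Byte distance from the complete object to its IPacketChannelSink subobject
// (the "4" in the 32-bit disassembly, sizeof(void*) in general).
std::ptrdiff_t packet_sink_offset() {
    PKChannel pkc;
    const char *full = reinterpret_cast<const char *>(&pkc);
    const char *sub = reinterpret_cast<const char *>(static_cast<IPacketChannelSink *>(&pkc));
    return sub - full;
}

// Calls OnPacket() through the second-base interface pointer and checks that
// both member functions still observed the complete object's address.
bool this_is_adjusted_back() {
    PKChannel pkc;
    g_rec = ThisRecord{nullptr, nullptr};
    IPacketChannelSink *iface = &pkc;     // points sizeof(void*) into pkc
    iface->OnPacket();                    // virtual call via the second vtable
    const void *full = static_cast<const void *>(&pkc);
    return g_rec.on_packet_this == full && g_rec.process_status_this == full;
}

int main() {
    std::printf("IChannelSink at +%ld, IPacketChannelSink at +%ld, sizeof(void*)=%lu\n",
                static_cast<long>(channel_sink_offset()),
                static_cast<long>(packet_sink_offset()),
                static_cast<unsigned long>(sizeof(void *)));
    std::printf("this adjusted back to object start: %s\n",
                this_is_adjusted_back() ? "yes" : "no");
    return 0;
}
```

When reading a binary, this is the check to make before assuming a register holds the object base: a `this` that is a base subobject pointer is exactly what a call through the second interface delivers, and the `lea ecx, [esi-4]` (or a `sub ecx, 4` thunk in the vtable) is the compiler undoing that displacement rather than indexing a field.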

  igorsk     August 4, 2005 05:57.00 CDT
Here are some nice posts from Raymond Chen:
The layout of a COM object
Adjustor thunks

  igorsk     August 4, 2005 06:12.29 CDT
This is probably the last post from me (we really need a post editing feature).
All the juicy details on the inner workings of C++ in MSVC:
http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/dnarvc/html/jangrayhood.asp
For some reason it's missing the pictures, but you can find them in the Japanese version of the article:
http://www.microsoft.com/japan/msdn/vs_previous/visualc/techmat/feature/jangrayhood/

  halvar     August 4, 2005 09:55.54 CDT
Thanks a bunch. Posting here was a good
idea, I have plenty of info to work with
now ! :)
