Whenever a class declares a virtual function or is derived directly or indirectly from a class which declares a virtual function, the complier adds an extra hidden member variable which points to the virtual table. A virtual table is nothing but an array of pointers to the virtual functions. The entries in the virtual table are changed at run time to point to the correct function.Consider the following class :
- class Base
{
public :
Base() { }
~Base() { }
virtual void VirtualFunc() { cout << "Base::VirtualFunc()" << endl ; }
};
Base defines a trivial virtual function VirtualFunc(). Let us derive a new class 'Derived' from 'Base'.
- class Derived : public Base
{
public :
Derived() { }
~CDerived() { }
void VirtualFunc() { cout << "Derived::VirtualFunc()" << endl ; }
};
0064FDE0 84 30 41 00 E8 FD 64 „0A.èýd 0064FDE7 00 54 30 41 00 28 FE .T0A.(þ 0064FDEE 64 00 CF 10 40 00 01 d.Ï.@.. 0064FDF5 00 00 00 38 FE 64 00 ...8þd. 0064FDFC D9 27 40 00 01 00 00 Ù'@.... 0064FE03 00 48 02 76 00 98 02 .H.v.˜. 0064FE0A 76 00 68 F1 59 81 48 v.hñY.H |
The first four bytes are pointer to the virtual table. The virtual table itself contains pointers to the virtual functions of the object. In our case, it is a pointer to VirtualFunc().
Memory layout of the virtual table is :
00413084 32 10 40 00 FF FF FF 2.@.ÿÿÿ 0041308B FF DE 2D 40 00 EB 2D ÿÞ-@.ë- 00413092 40 00 00 00 00 00 FF @.....ÿ 00413099 FF FF FF 00 00 00 00 ÿÿÿ.... |
The first four bytes are pointer to VirtualFunc(). With this information, we can tweak an object and make it do weird things !! (just for fun)
Let us change the virtual table pointer and point it to our own table !!!.
- ////////////////////////////////////////// Modify.cpp ///////////////////////////////////////////////////
#include "iostream.h"
#include "memory.h"
//Pointer to a function returning void
typedef void (*PFN)();
typedef struct
{
PFN Fn;
} VTable;
//The function which will replace VirtualFunc
void ModifyFunc() { cout << " Modified the vitual table !!!" << endl ; }
int main()
{
Derived DerivedObj;
Base *pBase = &DerivedObj;
//Create our own virtual table
VTable MyOwnTable;
//Point Fn to ModifyFunc
MyOwnTable.Fn = ModifyFunc;
//Holder for pointer to virtual table
VTable *pVTable = &MyOwnTable;
//Modify the virtual table pointer by changing the first 4 bytes (assuming a long holds a pointer)
memcpy(&DerivedObj, &pVTable , sizeof(long));
//Call the virtual function
pBase->VirtualFunc();
//Strange !! ModifyFunc() is called ... enjoy playing :)
return 0;
}