11--Virtual function of the technology of C + + disassembly and reverse analysis

• Mechanism of virtual function

When a virtual function is defined in a class, the compiler saves the first address of all virtual functions in the class in an Address table, which is called the virtual function Address Table . The compiler also adds a virtual table pointer to the class.

Example:

There is no action in the constructor of the Cvirtual class, but let's look inside the constructor, or there is an operation that assigns an initial value:

This address points to an array:

The contents of these arrays are pointers to virtual functions:

It is worth noting that if there is no virtual pointer exists, then the cvirtual size is 4 bytes. With this pointer exists is 8 bytes.

In this example, an empty constructor is used, but the compiler itself inserts the code and implements the initialization of the virtual table. If we do not provide any constructors, then the compiler will provide a default constructor to initialize the virtual table.

when the function is called, the virtual table is accessed indirectly, the address of the corresponding virtual function is obtained, and the execution is invoked. This indirection of access through a virtual table occurs only when a virtual function is called with a pointer or reference to the object. It is not necessary to look up table access when using an object to invoke its own virtual function directly. Because it has been explicitly called by its own member function, it does not constitute polymorphism at all .

Example:

When a virtual function is called directly from an object, it is passed directly to the virtual function using the object's address as an implicit parameter:

This virtual function does not differ from the normal member function at this time. The reason to implicitly pass the address of an object is to be able to accurately apply the data members contained in the object.

But if you make a polymorphic, the invocation is different:

Because you don't actually know what the specific type the PCV pointer is pointing to, it is necessary to find the virtual function of the real object pointed to in the virtual table.

The initialization of a virtual table pointer is a sufficient condition to determine that a function is a constructor.

How do destructors operate on virtual tables? Before considering this question, let us first know why destructors use virtual functions:

If the virtual functions of the parent and child classes are as follows:

After we execute the delete pointer, it is the following process:

That is, only the virtual function of the parent class is called. And if the destructor is set to virtual:

is the following invocation process:

Delete Deletes the pointer when the virtual function of the subclass is called, and the virtual function of the parent class is called inside the child class. Before calling the virtual function of the parent class, the ECX pointer still retains the first address of the subclass object:

The destructor of the subclass calls its own virtual member function:

The destructor for the parent class is then called:

There is no indirection in the destructor of the parent class, and the Show1 and Show2 are called directly:

However, there is one step in the virtual destructor of a subclass or parent class: Assigning the first address of the virtual table of the current class to the virtual table pointer. This is to prevent a virtual table from being taken to a non-self when a virtual function is called in a destructor . Why do you do this? To illustrate:

Call A's constructor first:

Class A fills the virtual table:

To call a virtual function:

After calling the constructor of a, continue to execute the remainder of B's constructor, in order to be able to invoke the Func2 of B normally, you must restore the virtual table :

The same in the destructor.

• Recognition of virtual function

11--Virtual function of the technology of C + + disassembly and reverse analysis