C + + virtual function: Virtual pointer, virtual table, virtual function entry address

Source: Internet
Author: User

Test procedure:
TEST.c
#include "stdio.h" #include "String.h" Class Gsvirtual{public:void GSV (char *src) {char buf[200];strcpy (BUF,SRC); Vir2 () ;} virtual void Vir1 () {printf ("Vir1");} virtual void Vir2 () {printf ("Vir2");}}; int main (int argc,char *argv[]) {gsvirtual TEST;TEST.GSV (argv[1]); return 0;}
Compile under Linux: $g + +-o vtabletest./vtabletest.c See disassembly of Vtabletest under Ida, find key function Point GSV (char *src):

The function calls the virtual function Vir2 (), although GSV shows only one argument, but in fact there is another parameter: virtual pointer, when viewing the call GSV, the parameters in the stack can be found, there are two parameters into the stack:
Then we go back to the GSV function, where the current stack frame space is allocated first:. text:08048538
. text:08048539 E5 mov ebp, esp
. text:0804853b Bayi EC F8 xx xx sub ESP, 0f8h
Then, copy the first parameter to the current stack frame: Note that this parameter is the address of the virtual pointer (typically in the stack frame of the previous function). text:08048541 8B mov eax, [E BP+ARG_0]//arg0=8
. text:08048544, FF FF FF mov [EBP+VAR_DC], eax//var_dc=-0xdc
After that, the function allocates the position of the function in the stack frame of the local variable, then executes strcpy (BUF,SRC) and then calls the virtual function Vir2 (), we mainly analyze this piece of code:. text:08048576 8B FF FF FF mov eax, [EBP+VAR_DC]//Assign a virtual pointer address to EAX
. text:0804857c 8B mov eax, [EAX]//Extract virtual table entry address in virtual pointer memory address, generally in. rodata. Te xt:0804857e C0 add eax, 4//Because the call is Vir2 (), the virtual function address is offset from the location in the virtual table 4*1 bytes
. text:08048581 8B mov edx, [EAX]//extract VIR2 () The entry address of the virtual function
. text:08048583 8B FF FF FF mov eax, [EBP+VAR_DC]
. text:08048589. mov [ESP], EAX//virtual pointer continues into the stack and can be considered as a parameter for the next function call
. text:0804858c FF D2 call edx//Invoke Vir2 ()
In Linux, debug with GDB: After the breakpoint at 0x8048576, view the relevant memory information:
You can see from the assembler code under IDA that both Ebp+8 and EBP-0XDC store virtual pointer addresses 0XBFFFF2DC virtual pointers to address 0x80486c8 in the stack frame of the previous function, that is, the virtual table address in the virtual table stores the entry address of each virtual function sequentially.
0X80485A2 and 0x80485b6 are the addresses of virtual functions Vir1 () and Vir2 () respectively:
Finally, the test program has a buffer overflow vulnerability, under GS protection, you can hijack the control flow by overwriting the virtual table pointer.

C + + virtual function: Virtual pointer, virtual table, virtual function entry address

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.