The realization analysis of the principle of the virtual function table (when we replace the function in the virtual table address [n], then we control the implementation of the virtual function)

Principle Analysis

When a virtual function is called, the compiler-generated code calls a function such as the virtual table address [0] (param1, param2). The function name is not already being called.

When we change the function implementation in the virtual table address [n] to another function, we control the implementation of the virtual function.

Experiment

According to the principle of virtual table, experiment to modify the virtual function table entry address of your program.

When the compiler-generated code executes a virtual function A, it executes the non-virtual function B that we define ourselves.

Knowledge points

* Use union assignment to bypass compiler functions and variable strongly-assigned value restrictions

* Execution of class member function pointers

* Modify and restore your own code snippet properties

* Positioning and reading and writing of virtual function table entries

Experiment Code

[CPP]View PlainCopy

2. virtual void Fnfoo (); < CC ' s Fnfoo
4. typedef VOID (CC::* Pfn_fnfoo) ();
8. typedef Union UN_FUNCTION_PT
10. {
12. Pfn_fnfoo PFN;
14. int ifunaddr;
16. }un_function_pt;
20. void Fnreplacevirtualfunction ()
22. {
24. /// Replace the virtual table function experiment
26. /// through experiments, there are 2 cc virtual functions
28. /// virtual function 1 cc destructor
30. /// virtual function 2 Cc::fnfoo
34. ////We will replace the Cc::fnfoo in the virtual table with Fnnewvirtualfunction ()
38. int ivirtualtbladdr = 0; ///< cc virtual function table address
40. int ivirtualfunctionaddr_cc_fnfoo = 0; ///< Address of the Cc::fnfoo object method
42. Un_function_pt UNFUNPT; ///< for int to fun*, bypassing compiler restrictions
44. DWORD dwoldprotect = 0;
48. ca* PCA = new CC ();
52. IVIRTUALTBLADDR = * ((int*) PCA);
54. Ivirtualfunctionaddr_cc_fnfoo = * ((int*) ivirtualtbladdr + 1);
58. /// The original function of executing cc.fnfoo virtual function
60. UNFUNPT.IFUNADDR = Ivirtualfunctionaddr_cc_fnfoo;
62. (((cc*) PCA)->*UNFUNPT.PFN) ();
66. /// manual execution of PCA Fnnewfunctionsamedefineasfnfoo
68. /// Let CC instance execute our own specified CC class member function
70. /// must be a function of the same parameter return value as the CC class already has
72. UNFUNPT.PFN = &CC::fnNewFunctionSameDefineAsfnFoo;
74. (((cc*) PCA)->*UNFUNPT.PFN) ();
78. //Make memory writable
80. if (VirtualProtect ((void*) ivirtualtbladdr, 8, Page_execute_readwrite, &dwoldprotect))
82. {
84. /// replace the Cc::fnfoo in the virtual table as Cc::fnnewfunctionsamedefineasfnfoo
86. UNFUNPT.PFN = &CC::fnNewFunctionSameDefineAsfnFoo;
90. ///< does not release the write limit 0x0040 the code snippet, it C05
92. * ((int*) ivirtualtbladdr + 1) = unfunpt.ifunaddr;
96. //Reprotect
98. VirtualProtect ((void*) ivirtualtbladdr, 8, Dwoldprotect, NULL);
102. /// execute Pca->fnfoo becomes the execution Pca->fnnewfunctionsamedefineasfnfoo
104. Pca->fnfoo ();
108. //OK has executed the function of our own specified CC and cc::fnfoo with the same parameter return value.
110. /// This function can be a non-virtual function
112. }
114. }

[CPP]View PlainCopy

2. Classtest.h:interface for the Cclasstest class.
4. //
6. //////////////////////////////////////////////////////////////////////
10. #if!defined (Afx_classtest_h__d794cc4b_d79e_4a61_9d5a_95110788ae39__included_)
12. #define Afx_classtest_h__d794cc4b_d79e_4a61_9d5a_95110788ae39__included_
16. #if _msc_ver > 1000
18. #pragma once
20. #endif//_msc_ver > 1000
24. #include <iostream>
28. Using namespace std;
32. Class CA
34. {
36. Public
38. CA ();
40. virtual ~ca ();
42. virtual void Fnfoo ();
44. };
48. Class CB: Public CA
50. {
52. Public
54. CB ();
56. virtual ~CB ();
58. virtual void Fnfoo ();
60. };
64. Class CC: Public CB
66. {
68. Public
70. CC ();
72. virtual ~cc ();
74. virtual void Fnfoo ();
76. void Fnnewfunctionsamedefineasfnfoo ();
78. };
84. #endif//!defined (AFX_CLASSTEST_H__D794CC4B_D79E_4A61_9D5A_95110788AE39__INCLUDED_)

[CPP]View PlainCopy

2. ClassTest.cpp:implementation of the Cclasstest class.
4. //
6. //////////////////////////////////////////////////////////////////////
10. #include "ClassTest.h"
14. //////////////////////////////////////////////////////////////////////
16. Ca
18. //////////////////////////////////////////////////////////////////////
22. CA::CA ()
24. {
26. cout << "CA::CA" << Endl;
28. }
32. Ca::~ca ()
34. {
36. cout << "Ca::~ca" << Endl;
38. }
42. void Ca::fnfoo ()
44. {
46. cout << "Ca::fnfoo" << Endl;
48. }
52. //////////////////////////////////////////////////////////////////////
54. Cb
56. //////////////////////////////////////////////////////////////////////
60. CB::CB ()
62. {
64. cout << "CB::CB" << Endl;
66. }
70. CB::~CB ()
72. {
74. cout << "CB::~CB" << Endl;
76. }
80. void Cb::fnfoo ()
82. {
84. cout << "Cb::fnfoo" << Endl;
86. }
90. //////////////////////////////////////////////////////////////////////
92. Cc
94. //////////////////////////////////////////////////////////////////////
98. CC::CC ()
100. {
102. cout << "cc::cc" << Endl;
104. }
108. CC::~CC ()
110. {
112. cout << "cc::~cc" << Endl;
114. }
118. void Cc::fnfoo ()
120. {
122. cout << "Cc::fnfoo" << Endl;
124. }
128. void Cc::fnnewfunctionsamedefineasfnfoo ()
130. {
132. ///A function to replace the same parameter of the virtual function with the return value
134. cout << "Cc::fnnewfunctionsamedefineasfnfoo" << Endl;
136. }

Implementation effect [CPP]View PlainCopy

1. Ca::ca
2. Cb::cb
3. Cc::cc
4. Cc::fnfoo
5. Cc::fnnewfunctionsamedefineasfnfoo
6. Cc::fnnewfunctionsamedefineasfnfoo

http://blog.csdn.net/lostspeed/article/details/50359445

The realization analysis of the principle of the virtual function table (when we replace the function in the virtual table address [n], then we control the implementation of the virtual function)