I would like to know how to change the address of Test which is in the virtual table with that of HackedVTable.
void HackedVtable()
{
cout << "Hacked V-Table" << endl;
}
class Base
{
public:
virtual Test() { cout <<"base"; }
virtual Test1() { cout << "Test 1"; }
void *prt;
Base(){}
};
class Derived : public Base
{
public:
Test()
{
cout <<"derived";
}
};
int main()
{
Base b1;
b1.Test(); // how to change this so that `HackedVtable` should be called instead of `Test`?
return 0;
}
This works for 32-bit MSVC builds (it's a very simplified version of some production code that's been in use for well over a year). Note that your replacement method must explicitly specify the this parameter (pointer).
// you can get the VTable location either by dereferencing the
// first pointer in the object or by analyzing the compiled binary.
unsigned long VTableLocation = 0U;
// then you have to figure out which slot the function is in. this is easy
// since they're in the same order as they are declared in the class definition.
// just make sure to update the index if 1) the function declarations are
// re-ordered and/or 2) virtual methods are added/removed from any base type.
unsigned VTableOffset = 0U;
typedef void (__thiscall Base::*FunctionType)(const Base*);
FunctionType* vtable = reinterpret_cast<FunctionType*>(VTableLocation);
bool hooked = false;
HANDLE process = ::GetCurrentProcess();
DWORD protection = PAGE_READWRITE;
DWORD oldProtection;
if ( ::VirtualProtectEx( process, &vtable[VTableOffset], sizeof(int), protection, &oldProtection ) )
{
vtable[VTableOffset] = static_cast<FunctionType>(&ReplacementMethod);
if ( ::VirtualProtectEx( process, &vtable[VTableOffset], sizeof(int), oldProtection, &oldProtection ) )
hooked = true;
}
The V-Table is an implementation detail.
The compiler is not required to use one (it just happens to be the easiest way to implement virtual functions). But saying that each compiler can (and does) implement it slightly differently as a result there is no answer to your question.
If you ask how do I hack a vtable for a program built with:
Compiler <X> Version <Y> Build <Z>
Then somebody may know the answer.
void HackedVtable()
{
cout << "Hacked V-Table" << endl;
}
class Base
{
public:
virtual Test() { cout <<"base"; }
virtual Test1() { cout << "Test 1"; }
void *prt;
Base(){}
};
class Derived:public Base
{
public:
Test()
{
cout <<"derived";
}
};
typedef void (*FUNPTR)();
typedef struct
{
FUNPTR funptr;
} VTable;
int main()
{
Base b1;
Base *b1ptr = &b;
VTable vtable;
vtable.funptr = HackedVtable;
VTable *vptr = &vtable;
memcpy ( &b1, &vptr, sizeof(long) );
b1ptr->Test();
//b1.Test(); // how to change this so that HackedVtable() should be called instead of Test()
return 0;
}
Under Mac OS X 10.10.3 + gcc 4.8.3, following code works well.
void HackedVtable()
{
cout << "Hacked V-Table" << endl;
}
class Base
{
public:
virtual void Test() { cout << "base" << endl; }
virtual void Test1() { cout << "Test 1" << endl; }
void *prt;
Base(){}
};
class Derived : public Base
{
public:
void Test()
{
cout << "derived" << endl;
}
};
int main()
{
Base b1;
Base* pb1 = &b1;
*(*(void***)pb1) = (void*) HackedVtable;
pb1->Test();
//It works for all the Base instance
Base b2;
Base* pb2 = &b2;
pb2->Test();
//But Derived's virtual function table is separated from Base's
Derived d1;
Derived* pd1 = &d1;
pd1->Test();
*(*(void***)pd1) = (void*) HackedVtable;
pd1->Test();
return 0;
}
Its output:
$ g++ h.cpp; ./a.out
Hacked V-Table
Hacked V-Table
derived
Hacked V-Table
I test the same code under Ubuntu 12.04 + g++ 4.9.0. However, it does not work and arises segmentation fault.
It seems Linux assigns the virtual function table in a read only area (e.g. rodata) to forbid hacking.
I don't think there is a portable way. Mostly because of compiler optimization and different architecture ABI between every target.
But C++ provides you with that exact same capability, why not use it?
void HackedVtable()
{
cout << "Hacked V-Table" << endl;
}
class Base
{
public:
virtual Test() { cout <<"base"; }
virtual Test1() { cout << "Test 1"; }
void *prt;
Base(){}
};
class Derived : public Base
{
public:
Test()
{
HackedVtable(); // <-- NOTE
}
};
int main()
{
Derived b1; // <-- NOTE
b1.Test();
return 0;
}
Another way to achieve the same thing is by cheking similar code:
GObject:
http://en.wikipedia.org/wiki/Gobject
GLib:
http://en.wikipedia.org/wiki/GLib
Vala:
http://en.wikipedia.org/wiki/Vala_%28programming_language%29
Those guys wanted to work with a object and class oriented programming language, but "C++", didn't fit their requisites. Then , they took "plain C", and simulate objects withn records & pointers, including Virtual Method Tables. Eventually got a similar language called "Vala", their own "C++" alike language (with their own V.M.T.).
Another related links:
http://en.wikipedia.org/wiki/Virtual_method_table
http://www.artima.com/insidejvm/ed2/jvmP.html
Cheers.
well its quite easy to figure out. Find hte VTAble pointer (In visual studio its the first 4/8 bytes). Then step into a normal call of Test (into the assembler) and you'll see it jump to the Vtable and then to your test function. To override test just replace the pointer where you jumped from in the VTable.
This is usually called "virtual table hooking" or something like that.
If you are going to use it much, then I suggest the SourceHook library. It was developed for hacking closed source game engines in game mods. For instance, it was used in The Dark Mod before idTech4 became open source.
I don't think the vTable is in read only area because is it dynamically populated. The only way it can fail is when the compiler is absolutely sure which implementation will be called in compile time and skip the vTable lookup with direct function call(de-virtualization).
EDIT: As #groovyspaceman pointed out, I see that I used wrong wording. The vTable class member pointer is mutable, the vTable itself is compiler generated and it depends on the system and the compiler if it can, or cannot be modified.
Related
I'm having a problem making a a virtual call when using virtual inheritance.
Below is sample compilable code that demonstrates a code which works when there is no virtual inheritance used, and also code which will fail on runtime when virtual inheritance is used.
BASE CLASSES
Here are base calsses for both cases:
#include <iostream>
class Base
{
public:
Base() { }
virtual ~Base() { }
// we need to make this bad call a good one!
virtual void bad_call(void* ptr)
{
Base* pThis = static_cast<Base*>(ptr);
pThis->f();
}
protected:
virtual void f() { std::cout << x << std::endl; }
int x = 0;
};
class Midle1 :
virtual public Base
{
public:
Midle1() { }
~Midle1() override { }
};
class Midle2 :
virtual public Base
{
public:
Midle2() { }
~Midle2() override { }
};
CASE 1 GOOD
Here is a case which makes no use of virtual inheritance (just normal inheritance), where both bad_call and good_call virtual functions work:
class GoodDerived :
public Base
{
public:
GoodDerived()
{
}
~GoodDerived() override
{
}
void good_call(void* ptr)
{
GoodDerived* pThis = static_cast<GoodDerived*>(ptr);
pThis->f();
}
void f() override
{
++x;
std::cout << x << std::endl;
}
};
int main()
{
GoodDerived good_derived;
good_derived.good_call(&good_derived); // OK, will print 1
good_derived.bad_call(&good_derived); // OK, will print 2
std::cin.get();
return 0;
}
CASE 2 BAD
And here is a case which will make use of virtual inheritance, the good_call function will succeed, but bad_call one will fail with "access violation reading location"
class BadDerived :
public Midle1,
public Midle2
{
public:
BadDerived() { }
~BadDerived() override { }
void good_call(void* ptr)
{
BadDerived* pThis = static_cast<BadDerived*>(ptr);
pThis->f();
}
void f() override
{
++x;
std::cout << x << std::endl;
}
};
int main()
{
BadDerived bad_derived;
bad_derived.good_call(&bad_derived); // OK, will print 1
bad_derived.bad_call(&bad_derived); // ERROR: causes access violation
std::cin.get();
return 0;
}
QUESTION
This second case is a simple code that demonstrated the issue I'm having right now in my project, and I need assistance on how to solve this, why is virtual inheritance causing troubles?
Why first case works just fine but second one does not?
The basic problem is that you're casting a pointer to void * and then casting it to a different pointer type. That doesn't work in general -- after casting a pointer to void *, the only useful thing you can do with it is cast it back to the EXACT SAME POINTER TYPE. If you want to cast to any other pointer type (reliably) you need to first cast back to the same original type.
I need assistance on how to solve this
Don't use void * here -- void * is a C solution that should never be used in C++. Change your virtual bad_call method to take a Base * as an argument not a void *. Then everything 'just works' and you don't need any of the static_casts at all. If you need to override bad_call in your Dervied class, it also needs to take a Base * argument, so you'll need to use dynamic_cast<Derived *>(ptr) there to get back the original Derived *, but that's not a big deal -- that's precisely what dynamic_cast exists for.
Make your call:
bad_derived.bad_call(static_cast<Base*>(&bad_derived));
You want to point to the Base part of the object but when using virtual inheritance there is no guarantee about where that will be located.
Let's decompose this, step by step.
&bad_derived: A pointer to BadDerived with pointer value pointing to an object with type BadDervived.
bad_derived.bad_call(&bad_derived): Implicitly converts &bad_derived to a pointer to void* with pointer value pointing to an object with type BadDervived.
Base* pThis = static_cast<Base*>(ptr);: Cast from a void* to Base*. Note that ptr has pointer value pointing to an object with type BadDervived, but BadDerived is not pointer-interconvertable with Base, thus pThis has type Base* but has pointer value pointing to an object with type BadDervived.
pThis->f();: Access the value of a BadDerived object using a glvalue (here a dereferenced pointer) of type Base, violates the strict-aliasing-rule. Undefined Behaviour.
I want to share a solution that makes this design possible (with the help of other answers and comments).
All the code remains same except adding a templated static mehtod to base class which will deduce void to correct type:
Here is modified Base class with helper template static function:
added a comment about CALLBACK also.
class Base
{
public:
Base() { }
virtual ~Base() { }
// this is example CALLBACK from Window API but templated
// The callback is registered with Windows in RegisterClassEx btw.
template<typename DERIVED_CLASS>
static void make_call(void* ptr)
{
DERIVED_CLASS* pThis = static_cast<DERIVED_CLASS*>(ptr);
pThis->bad_call(static_cast<Base*>(pThis));
}
// we need to make this bad call a good one!
virtual void bad_call(void* ptr)
{
Base* pThis = static_cast<Base*>(ptr);
pThis->f();
}
protected:
virtual void f() { std::cout << x << std::endl; }
int x = 0;
};
And here is how we invoke bad_call problematic function:
int main()
{
BadDerived bad_derived;
bad_derived.good_call(&bad_derived); // OK, will print 1
// HACA!!!
bad_derived.make_call<BadDerived>(&bad_derived); // OK will print 2
std::cin.get();
return 0;
}
This why I like C++ so much, everything is possible...
I have a base class Base, with many derived classes (eg. Derived1, Derived2). Base has a pure virtual function fn, which is called many times using a Base pointer. Every time the function is called, I need to do some extra logging and related stuff. In particular, I use BOOST_CURRENT_FUNCTION in the derived-class functions to find out which function was called. Is there a way to know this information before calling the function, so that I do not have to rewrite the bookkeeping code in every derived function?
Edit: I wish to avoid writing __PRETTY_FUNCTION__ in each derived function.
#include <iostream>
using namespace std;
class Base {
public:
virtual void fn() = 0;
};
class Derived1:public Base {
public:
void fn() {
cout<<__PRETTY_FUNCTION__<<endl;
}
};
class Derived2:public Base {
public:
void fn() {
cout<<__PRETTY_FUNCTION__<<endl;
}
};
int main()
{
int choice =0;
Base *ptr1 = nullptr;
cout<<"Choose 0/1: "<<endl;
cin>>choice;
if(choice == 0) {
ptr1 = new Derived1;
}else {
ptr1 = new Derived2;
}
//********CAN I WRITE SOMETHING HERE, TO GIVE THE SAME RESULT?
ptr1->fn();
}
No, it cannot be. C++ does not support this kind of introspection. __PRETTY_FUNCTION__ is all you're gonna get.
From your description it seems you migth have a design issue. Have you considered using the template method design patter? The idea is to have your base class implement the common functionality and through virtual functions implement the specifics in your derived classes.
One idea is to implement the base pure virtual function and call it in each derived override. In the base one you increment a static counter. Something like:
#include <iostream>
#include <memory>
struct Base
{
static size_t counter;
virtual void f() = 0;
virtual ~Base() = default;
};
size_t Base::counter{0};
void Base::f() // IMPLEMENTATION, yes it's possible to implement a pure virtual function
{
++counter;
}
struct Derived1: Base
{
void f() override
{
Base::f(); // increment the counter
std::cout << "Derived1::f()\n";
}
};
struct Derived2: Base
{
void f() override
{
Base::f(); // increment the counter
std::cout << "Derived2::f()\n";
}
};
int main()
{
std::unique_ptr<Base> pBase1{new Derived1};
std::unique_ptr<Base> pBase2{new Derived2};
pBase1->f();
pBase1->f();
pBase2->f();
std::cout << Base::counter << std::endl; // outputs 3
}
Live on Wandbox
If I'm not wrong I believe this is an instance of the Template Method design pattern mentioned by #LordDosias. There is no other intrinsic way of getting this information out from the language, as C++ does not have genuine runtime reflection capabilities.
Well, aside from wrapping your macro in another macro that is smaller/shorter/does more, there is nothing that will provide the name of a function for you.
#define WHERE cout << __PRETTY_FUNCTION__ << endl
...
void fn() {
WHERE;
}
This also means you can turn on/off the tracing trivially:
#if TRACING
#define WHERE cout << __PRETTY_FUNCTION__ << endl
#else
#define WHERE
#endif
(You may want to wrap that in do { ... } while(0) in both sides to avoid problems if you were to put a WHERE inside an if, or some such, and still want it to work correctly when when it's "nothing")
The simplest answer is that, since C++ doesn't have auxiliary methods, you have to split the implementation of fn into a utility wrapper and the virtual function proper:
class Base {
protected:
virtual void fn_impl() = 0;
public:
void fn() { fn_impl(); }
};
class BaseWithLogging: public Base {
public:
void fn(); {
/* do logging */
fn_impl();
}
};
If you want the logs to capture the exact identity of the virtual (function name, file, line number, ...) which is actually, then there is no workaround for that; the boilerplate has to go into the function.
The crusty old preprocessor can be of help. E.g. simple-minded illustration:
#define LOG (cout<<__PRETTY_FUNCTION__<<endl)
and then you just have
LOG;
at the beginning of the function.
I have the following code:
class Pet {
public:
virtual string speak() const { return ""; }
};
class Dog : public Pet {
public:
string speak() const { return "Bark!"; }
};
int main() {
Dog ralph;
Pet* p1 = &ralph;
Pet& p2 = ralph;
Pet p3;
// Late binding for both:
cout << "p1->speak() = " << p1->speak() <<endl;
cout << "p2.speak() = " << p2.speak() << endl;
// Early binding (probably):
cout << "p3.speak() = " << p3.speak() << endl;
}
I have been asked to determine whether the compiler uses early or late binding for the final function call. I have searched online but have found nothing to help me. Can someone tell me how I would carry out this task?
You can look at the disassembly, to see whether it appears to be redirecting through a vtable.
The clue is whether it calls directly to the address of the function (early binding) or calls a computed address (late binding). The other possibility is that the function is inlined, which you can consider to be early binding.
Of course the standard doesn't dictate the implementation details, there may be other possibilities, but that covers "normal" implementations.
You can always use hack :D
//...
Pet p3;
memset(&p3, 0, sizeof(p3));
//...
If compiler does use vtbl pointer, guess what will gonna happen :>
p3.speak() // here
Look at the generated code. E.g. in Visual Studio you can set a breakpoint, then right-click and select "Go To Disassembly".
It uses early binding. You have an object of type P3. While it is a base class with a virtual function definition, the type is concrete and known at compile time, so it doesn't have to consider the virtual function mapping to derived classes.
This is much the same as if you called speak() in the Pet constructor - even when making derived objects, when the base class constructor is executing the type of the object is that of the base so the function would not use the v-table, it would call the base type's version.
Basically, early binding is compile time binding and late binding is run-time binding. Run time binding is only used in instances where the compiler doesn't have enough type information at compile time to resolve the call.
In fact the compiler has no obligation to use either one particularly, just to make sure that the right function is called. In this case, your object is of the concrete type Pet, so as long as Pet::speak is called the compiler is "doing the right thing".
Now, given that the compiler can statically see the type of the object, I suspect that most compilers will optimize away the virtual call but there is no requirement that they do so.
If you want to know what your particular compiler is doing the only way is to consult its documentation, source code, or the generated disassembly.
I just thought of a way to tell at runtime, without guesswork. You can simply override the vptr of your polymorphic classes with 0 and see if the method is called or if you get a segmentation fault. This is what I get for my example:
Concrete: Base
Concrete: Derived
Pointer: Base
Pointer: Derived
DELETING VPTR!
Concrete: Base
Concrete: Derived
Segmentation fault
Where Concrete: T means that calling the virtual member function of T through a concrete type was successful. Analogously, Pointer: T says that calling the member function of T through a Base pointer was successful.
For reference, this is my test program:
#include <iostream>
#include <string.h>
struct Base {
unsigned x;
Base() : x(0xEFBEADDEu) {
}
virtual void foo() const {
std::cout << "Base" << std::endl;
}
};
struct Derived : Base {
unsigned y;
Derived() : Base(), y(0xEFCDAB89u) {
}
void foo() const {
std::cout << "Derived" << std::endl;
}
};
template <typename T>
void dump(T* p) {
for (unsigned i = 0; i < sizeof(T); i++) {
std::cout << std::hex << (unsigned)(reinterpret_cast<unsigned char*>(p)[i]);
}
std::cout << std::endl;
}
void callfoo(Base* b) {
b->foo();
}
int main() {
Base b;
Derived d;
dump(&b);
dump(&d);
std::cout << "Concrete: ";
b.foo();
std::cout << "Concrete: ";
d.foo();
std::cout << "Pointer: ";
callfoo(&b);
std::cout << "Pointer: ";
callfoo(&d);
std::cout << "DELETING VPTR!" << std::endl;
memset(&b,0,6);
memset(&d,0,6);
std::cout << "Concrete: ";
b.foo();
std::cout << "Concrete: ";
d.foo();
std::cout << "Pointer: ";
callfoo(&b);
std::cout << "Pointer: ";
callfoo(&d);
return 0;
}
could somebody explain the output of the code.
#include <iostream>
using namespace std;
class First {
public:
int a;
First() {};
First(int a) {
this->a = a;
}
int getA() {
return a;
}
virtual int getB() {
cout << "getB() from super class..." << endl;
return 0;
}
};
class Second : public First {
public:
int b;
Second(int b) {
this->b = b;
}
int getB() {
cout << "getB() from child class..." << endl;
return b;
}
};
int main() {
First* t = new Second(2);
First* cTest = dynamic_cast<First*>(t);
cout << cTest->getB() << endl;
}
I expected the method of the super class would be called because of the casting to First.
thanks in advance
regards sebastian
The function getB() is virtual in the base class, so you get the derived implementation no matter whether you have a pointer-to-base or pointer-to-derived.
(That's the whole purpose of polymorphism.)
A dynamic cast up the hierarchy doesn't change the fundamental fact that you're still pointing at a B. In particular, it doesn't change the vtable used to find the implementation of getB() that will be used.
Typically, you only need dynamic_cast() to go down an inheritance hierarchy, not up.
There only exists one object, and that is of type Second.
To get the behaviour you are looking for, you are going to have to create a copy and slice it:
First cTest = static_cast<First>(*t);
cout << cTest.getB() << endl;
You aren't changing anything with your cast. You are casting a First* to a First*, which is simply an assignment. Since t is a Second with = new Second(2), you have overridden the virtual table with the child's entries, so it will call the child's methods rather than the parents.
cTest is simply a pointer-to-First which points to the exact same object that t does, because cTest and t contain the same memory address, at which exists a Second object, which is why the Second's method is called.
Suppose that I have the following structure of classes. I want to be able to determine of what class type the element in my Animal vector is, so that I may perform subclass-specific methods on it. The example below should demonstrate:
#include <iostream>
#include <vector>
using namespace std;
class Animal {
public:
int foodcount;
Animal() {
foodcount = 0;
cout << "An animal was created.\n";
}
virtual ~Animal() {
cout << "An animal was destroyed.\n";
}
};
class Lion : public Animal {
public:
Lion() {
cout << "A lion was created.\n";
}
virtual ~Lion() {
cout << "A lion was destroyed.\n";
}
void chowMeat(int howmuch) {
foodcount += howmuch;
}
};
class Butterfly : public Animal {
public:
Butterfly() {
cout << "A butterfly was created.\n";
}
virtual ~Butterfly() {
cout << "A butterfly was destroyed.\n";
}
void drinkNectar(int howmuch) {
foodcount += howmuch;
}
};
int main() {
Animal* A = new Lion();
Animal* B = new Butterfly();
vector<Animal*> v;
v.push_back(A);
v.push_back(B);
// a little later
for (int i=0; i<v.size(); i++) {
if (v[i] is a Lion) v[i]->chowMeat(); // will not work of course
if (v[i] is a Butterfly) v[i]->drinkNectar(); // will not work of course
}
std::cin.get();
return 0;
}
Obviously the marked code won't work, but how do I do what I want to do? Is there a workaround or a design principle that I should follow but am not? I've looked into dynamic_cast but understand that is unpretty. So how should I do it correctly?
In Java, I would do this:
if (v.get(i).getClass() == Lion.class) {
((Lion)v.get(i)).chowMeat();
}
if (v.get(i).getClass() == Butterfly.class) {
((Butterfly)v.get(i)).drinkNectar();
}
Ideally you would add a virtual function to the base class, void eat(int quantity) and override that function in the derived classes.
In this case, it might even make sense to make the function non-virtual and implement it in the base class, since both derived classes do the exact same thing.
Barring that, you can use dynamic_cast to test the dynamic type of the object:
if (Lion* lion = dynamic_cast<Lion*>(v[i])) {
lion->chowMeat(42);
}
else if (Butterfly* butterfly = dynamic_cast<Butterfly*>(v[i])) {
butterfly->drinkNectar(42);
}
// etc.
(On a different note, you'll want to be very careful using naked pointers in C++; it's very difficult to write correct code where you manage resources manually. In your example, you haven't freed the objects pointed to by A and B and have thus leaked them. Consider using smart pointers, like shared_ptr, to manage your resources automatically.)
What is the purpose of the loop? Is it to consume food? In that case, add a virtual void consumeFood(int howMuch) to your base class, and override that in your derived classes.
If the example is genuinely representative, a virtual function would solve your immediate problem much more neatly.
In any event, the simplest answer, if your classes have virtual functions, is to use dynamic_cast to check whether an object is of a given type. For example:
for (int i=0; i<v.size(); i++) {
if (Lion *lion = dynamic_cast<Lion *>(v[i]))
lion->chowMeat();
else if(Butterfly *butterfly = dynamic_cast<Butterfly *>(v[i]))
butterfly->drinkNectar();
}
It is built in to the language, and is just the thing for checking whether a pointer to base actually points to an object of a more derived type.
The other option is to have some kind of virtual GetType function in your base class, which you override per class to return something (an integer, an object, whatever) that uniquely identifies that class. Then you call this function at runtime, and examine the result to find out what sort of object is being pointed at.
dynamic_cast has the advantage of being built in to the language, and requires no effort on your part to support. Using one's own function has more predictable performance characteristics across a wide range of compilers and allows one to store data other than simply what type the object really is -- but you do have to write it all yourself.
Why not eat()?
class Animal {
public:
int foodcount;
Animal() {
foodcount = 0;
cout << "An animal was created.\n";
}
virtual ~Animal() {
cout << "An animal was destroyed.\n";
}
virtual void eat(int howMuch) {
foodcount += howmuch;
}
};
class Lion : public Animal {
public:
virtual void eat(int howmuch) {
Animal::eat(howmuch + 19);
}
};
class Butterfly : public Animal {
void eat(int howmuch) {
Animal::eat(howmuch / 1000);
}
};
class Tribble: public Animal
{
void eat(int howmuch) {
throw DontFeedTribles();
}
};
int main() {
std::auto_ptr<Animal> A = new Lion();
std::auto_ptr<Animal> B = new Butterfly();
vector<Animal*> menagerie;
menagerie.push_back(A.get());
menagerie.push_back(B.get());
BOOST_FOREACH(Animal* animal, menagerie)
{
animal->eat(10000);
}
std::cin.get();
return 0;
}