Tutorial How to Hook vTable Functions


Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
After finding a VTable in Minesweeper, and getting help from Spock on dealing with them, I’ve decided to write up this thread regarding them, how they look, and how hooking them works. The source code posted will be minimal, and it is expected that you have a strong understanding of C++ and a good understanding of assembly and inner memory. Another good thing to really understand is pointers.

Inside memory you can spot VTables when you’re using structure dissect with CE or ReClass. Let’s use the playerent class in AssaultCube. When looking at 0x0, there is a pointer. If you expand it, there are a bunch more pointers, and if you expand those you will likely see a bunch of garbage. That is because the end pointer is actually a function! At 0x0 is a VTable for the playerent class, as in the source they use a few virtual functions. There is another further down that’s inside of a class. The Weapon class is the base for all of the weapons. It uses a large number of virtual functions, and is fairly easy to reverse since the AssaultCube source is readily available.

So in memory, it goes Pointer to VTable -> List of pointers that contain the addresses of functions -> Functions.

This is how VTable hooking works.



Each pointer to a function has a value that is the address of its function. If you were to change that address, when the function is called it would go to the new address instead. Do you see where I’m going with this?



What we can do is replace the pointer value with the address of our function, then in our function jump back to the original function.

Simple!


Further reading:
https://guidedhacking.com/showthread.php?3979-vTable-VMT-hooking
https://s0beit.me/reverse-engineering/how-vtable-hooking-works-detecting-it/
https://en.wikipedia.org/wiki/Virtual_function
https://en.wikipedia.org/wiki/Virtual_method_table
 

Solaire

Respected Hacker
Dank Tier VIP
Dec 15, 2013
Hey man, this was very informative. Thanks for sharing! :D
No problem! I always thought that VTable hooking was a super advanced crazy hard method, and having learned how it actually works it's surprisingly simple. Thought it might help others realize that as well :)
 

Obsta

Jr.Hacker
Meme Tier VIP
Jan 27, 2014
Never had to use this before but the concept is very easy to understand if you are familiar with the layout of memory (as you said). Good stuff.
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
Just a side tip: You may replace the whole vtable pointer as well. Just walk the original table, copy the entries, and swap not the virtual method pointer but the whole vtable pointer so that it points to your copied table. This can have some advantages on some occasions.
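The defensive counterpart to both techniques in this thread (changing a slot in the table, and swapping the whole vtable pointer), as an added example that is not from any poster: an integrity check that compares an object's vtable pointer and slots against a known-good snapshot. `Entity`, `Baseline`, `snapshot` and `check` are hypothetical names, and the code assumes the vtable pointer is the first word of the object, as described for playerent at 0x0.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical toy class standing in for something like playerent.
struct Entity {
    virtual int health() const { return 100; }
    virtual int armor() const { return 50; }
    int id = 7;
};
constexpr std::size_t kSlots = 2;  // Entity declares two virtual functions
using Table = std::array<std::uintptr_t, kSlots>;
enum class Verdict { Clean, VptrReplaced, EntryModified };
// Known-good state: where the table lives and what its slots held.
struct Baseline { const std::uintptr_t* vptr; Table slots; };

// Assumption: the vtable pointer is the first word of the object.
const std::uintptr_t* read_vptr(const void* obj) {
    const std::uintptr_t* p;
    std::memcpy(&p, obj, sizeof p);
    return p;
}

Baseline snapshot(const void* trusted_obj) {
    Baseline b{read_vptr(trusted_obj), {}};
    std::memcpy(b.slots.data(), b.vptr, sizeof b.slots);
    return b;
}

Verdict check(const void* obj, const Baseline& b) {
    const std::uintptr_t* vptr = read_vptr(obj);
    if (vptr != b.vptr) return Verdict::VptrReplaced;  // points at another table
    if (std::memcmp(vptr, b.slots.data(), sizeof b.slots) != 0)
        return Verdict::EntryModified;                 // a slot changed in place
    return Verdict::Clean;
}

int main() {
    Entity trusted, live;  // same dynamic type, so they share one vtable
    Baseline good = snapshot(&trusted);
    // Constructed sample: inert byte copy of `live` pointing at a copied table.
    Table copy = good.slots;
    alignas(Entity) unsigned char image[sizeof(Entity)];
    std::memcpy(image, &live, sizeof image);
    const std::uintptr_t* other = copy.data();
    std::memcpy(image, &other, sizeof other);
    return (check(&live, good) == Verdict::Clean &&
            check(image, good) == Verdict::VptrReplaced) ? 0 : 1;
}
```

A copied table fails the first comparison even when every slot matches the original; a slot changed inside the original table fails the second.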
 