Tutorial vTable Hooking / VMT Hook Tutorial


c5

Jul 19, 2012
First of all, the method I'll show you isn't the only way to do vmt hooking, there are a few other possibilities to do so (changing the vtable pointer, etc.) but that isn't the scope of this paper right now.

Before you carry on, make sure you have an exact understanding of what a virtual method and a virtual method table are.

https://en.wikipedia.org/wiki/Virtual_function
https://en.wikipedia.org/wiki/Virtual_method_table

You should also know that all this is only usable when your target actually is a virtual function of a class; otherwise it won't be in a virtual method table (there may be no table at all), it will just sit in .text like all the other functions.

I am using Battlefield 3 as the example for this tutorial, and I will be hooking one of the game's physicsmanager update functions, which is called once per frame, so I can call rayquery from the game's thread.

This is what the physicsmanager class looks like before I have made any changes.



Notice that the virtual method table pointer will most likely always be at the beginning of the class; it points to the virtual method table.
Now those virtual methods are nothing more or less than pointers to those functions - function pointers.

I'll be hooking the 5th function, at 0x10 in the virtual method table. If you are one hell of a bright kid you'd have guessed by now that we will just overwrite that pointer to point to our function - which is correct :)
So I'll overwrite that 0x5AD160 to point to my hook.



Now when that function is called through that class, it will call my function instead; from there we can call the original function of course.

This is how your hook could look; obviously you don't necessarily have to have it as a naked function if you know how to hook thiscall (ps fastcall)
C++:
#include <windows.h>

DWORD dwOriginal = 0; // address of the original function, saved before the vtable entry is overwritten

__declspec(naked) void hook()
{
	// save all registers and flags (for a thiscall, this is in ecx, the arguments are on the stack)
	__asm pushad
	__asm pushfd

	{
		// call your functions
		// no locals in here: a naked function has no stack frame
	}
	__asm popfd
	__asm popad

	__asm jmp [dwOriginal] // jump back (to 0x5AD160 in my case)
}
Now there are classes/functions out there that provide you with easy virtual method hooking, but I like to do vmt hooking manually :D
C++:
// dwClassPointer holds the address of the physicsmanager instance
DWORD dwVtable = *(DWORD*)dwClassPointer; // first dword of the object is the vtable pointer

dwOriginal = *(DWORD*)(dwVtable + 0x10); // save the old address before overwriting, hook() jumps back to it

DWORD oldProt, newProt;
VirtualProtect((void*)dwVtable, 0x400, PAGE_EXECUTE_READWRITE, &oldProt); // the vtable is read-only, make it writable
*(DWORD*)(dwVtable + 0x10) = (DWORD)&hook; // 5th entry (index 4) now points to hook
VirtualProtect((void*)dwVtable, 0x400, oldProt, &newProt); // restore the original protection
Cheers..
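To see the post's steps run end to end (read the vptr, save the old entry, change the page protection, overwrite the entry, jump back to the original), here is an added example that is not c5's code and not Battlefield 3's: a constructed stand-in PhysicsManager class whose 5th virtual is hooked through its vtable, using VirtualProtect on Windows as above and mprotect on POSIX. It assumes a 64-bit build, where a plain function taking the object pointer first has the same calling convention as the virtual; the class, names and return values are made up for the demo.

```cpp
#include <cstdint>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif
// Constructed stand-in for the game's physicsmanager: five virtuals and no virtual destructor, so Update is the 5th slot (index 4 = offset 0x10 on 32-bit, 0x20 on 64-bit).
struct PhysicsManager {
    virtual int A() { return 1; }
    virtual int B() { return 2; }
    virtual int C() { return 3; }
    virtual int D() { return 4; }
    virtual int Update(int frame) { return frame * 10; }  // the function we hook
};
typedef int (*UpdateFn)(PhysicsManager*, int);
static UpdateFn g_original = nullptr;  // saved before overwriting (dwOriginal in the post)
static int g_hookCalls = 0;
// On 64-bit ABIs a plain function taking `this` first matches the virtual's convention (32-bit MSVC thiscall would need the __fastcall trick the post mentions).
static int hookedUpdate(PhysicsManager* self, int frame) {
    ++g_hookCalls;                   // "call your functions" goes here
    return g_original(self, frame);  // then hand control back to the original
}
// The vtable sits in read-only data, so its page must be made writable first (VirtualProtect on Windows as in the post, mprotect elsewhere).
static bool setVtableWritable(void* vtable, bool writable) {
#ifdef _WIN32
    DWORD old;
    return VirtualProtect(vtable, 0x400, writable ? PAGE_EXECUTE_READWRITE : PAGE_READONLY, &old) != 0;
#else
    long sz = sysconf(_SC_PAGESIZE);
    void* page = (void*)((uintptr_t)vtable & ~(uintptr_t)(sz - 1));
    int prot = PROT_READ | PROT_EXEC | (writable ? PROT_WRITE : 0);  // keep exec: code may share the page
    return mprotect(page, sz, prot) == 0;
#endif
}
// Install the hook in slot 4: read the vptr, save the old entry, overwrite it.
static bool hookUpdate(PhysicsManager* obj) {
    void** vtable = *(void***)obj;     // first pointer-sized field of the object is the vptr
    if (!setVtableWritable(vtable, true)) return false;
    g_original = (UpdateFn)vtable[4];  // save the old address BEFORE overwriting
    vtable[4] = (void*)&hookedUpdate;
    setVtableWritable(vtable, false);
    return true;
}
static int runHookDemo() {  // returns -1 if the protection change failed
    PhysicsManager pm;
    PhysicsManager* volatile obj = &pm;  // volatile read stops the compiler devirtualising the call
    if (!hookUpdate(obj)) return -1;
    return obj->Update(7);               // vtable[4] -> hookedUpdate -> original, returns 70
}
```

After runHookDemo() the call has gone through the patched slot once, so g_hookCalls is 1 and the original's result (70) still comes back to the caller.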
 

NTvalk

Jul 6, 2013
Nice explanation of vmt hooking, this really helped. Good use of the images too.
 

TastyHorror

Oct 11, 2012
Thanks for sharing, helps a lot. I'm trying to do a vtable hook also. Images have been useful.
 