Tutorial vTable Hooking / VMT Hook Tutorial

Hexui Undetected CSGO Cheats PUBG Accounts


Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
First of all, the method I'll show you isn't the only way do vmt hooking, there are a few other possibilities to do so (changing vtable pointer, etc) but that isn't the scope of this paper right now.

Before you carry on, make sure you have an exact understanding of a what a virtual method and virtual method table means.


You should also know all this is only usable when your target actually is a virtual function of a class, otherwise it won't be in a virtual method table (there may be no table at all), it will just be in the .text like all the other functions.

I am using battlefield 3 as an example for this tutorial. And I will be hooking one of the games physicsmanager update functions called once per frame so I can call rayquery from the games thread.

This is what physicsmanager class looks like when I haven't done any changes.

Notice that virtual method table pointer will most likely always be at the beginning of the class, that will point to the virtual method table.
Now those virtual methods are nothing more or less than just pointers to those functions - function pointers.

I'll be hooking the 5th function at 0x10 in the virtual method table. If you are one hell of a bright kid you'd have guessed by now that we will just be overwriting that pointer to point to our function - which is correct :)
So I'll overwrite that 0x5AD160 to point to my hook.

Now when that function is called through that class, it will call my function instead, from there we can later call the original function of course.

That's how your hook could look like, obviously you don't necessarily have to have it as a naked function, if you know how to hook thiscall (ps fastcall)
__declspec(naked) void hook()
	// get arguments from registers
	__asm pushad
	__asm pushfd

		// call your functions
	__asm popfd
	__asm popad

	__asm jmp [dwOriginal] // jump back (to 0x5AD160 in my case)
Now there are classes/functions out there that provide you with easy virtual method hooking but I like to do vmt hooking manually :D
dwVtable = *(DWORD*)dwClassPointer;

DWORD oldProt, newProt;
VirtualProtect((void*)dwVtable , 0x400, PAGE_EXECUTE_READWRITE, &oldProt);
*(DWORD*)(dwVtable + 0x10) = (DWORD)&hook; 
VirtualProtect((void*)dwVtable , 0x400, oldProt, &newProt);
// dont forget to save the old address before overwriting
Last edited by a moderator:


Meme Tier VIP
Jul 6, 2013
Nice explanation of vmt hooking this really helped. Good use of the images too.


Dank Tier Donator
Oct 11, 2012
Thanks for sharing helps a lot. I'm trying to do a vtable hook also. Images have been useful.
Community Mods