How to Identify Virtual Table Functions with the VTBL IDA Pro Plugin

VTBL is an IDA script which identifies all the virtual tables found in any module of a native process. The virtual tables can belong to a COM or a C++ class. Unlike other tools, ours does not depend on a specific compiler to obtain a virtual table, which makes it an essential tool for reverse engineers.

The script works on all IDA versions. To use it, you must:

  1. Use IDA to disassemble the module you want to analyze.
  2. Load the “VTBL.IDC” script from File -> Script File or by using the Alt+F7 shortcut.
  3. VTBL.EXE will be executed.
  4. Select the process you want to analyze.
  5. Enable the suspension of the process if you want to intercept the process from the beginning.
  6. Select the module you want to analyze. It must be the same module you disassembled in step 1.
  7. Once the analysis is over, select the virtual table whose cross references you want to obtain. The tool displays the number of functions the virtual table contains.
  8. Hook the selected virtual table.
  9. Close the VTBL.EXE dialog.
  10. Both the disassembled code and the IDA output window will display all processed cross references.

We tried the tool out on Notepad++.exe (see the video below). We chose open source software so we could compare the results with the original source code.

We ran Notepad++.exe, selected the Notepad++.exe module and waited until all the virtual tables had been analyzed. The tool displays the list of virtual tables in the format VTBL_X1_X2_X3, where X1 is the index, X2 the start address and X3 the function count. We hooked the virtual table whose index field was “CD”.

After the process we closed VTBL.EXE and analyzed the results in IDA Pro.

Prerequisites

  1. Deviare Hooking Engine
  2. Compile the VTBL_Code\Helper\Helperhelper.vcproj
  3. Open the Visual Studio 2010 project
  4. Change the Form1.cs DLL imports to point to the helper.dll and DeviareCOM.dll
  5. Compile the project
  6. Open VTBL.idc and modify the full paths of DeviareTest.exe and CrossRef.dat

Source Code

VTBL is available as vtbl-ida-pro-plugin.

Related Services

  1. Reverse Engineering
  2. Interception and Filter Drivers Services

If you like this article, you might also like:

  1. Instrumenting Direct3D Applications to Capture Video and Calculate FPS
  2. Injecting a DLL in a Modern UI Metro Application
  3. SQL Server Interception and SQL Injection Attack Prevention
  4. Reverse Engineering and The Cloud
  • Ivan

    Hi,

    Where is VLTB.idc? I don’t see it on GitHub.

    Can you tell how it works in detail?

    Thanks

    • http://blog.databigbang.com/ Sebastian Wain

      It is uploaded on Github now. I just forgot to add it.

  • bynop

    Hi,

    Can you upload VLTB.idc? Or send it to my email bynop#foxmail.com, thx!

    • http://blog.databigbang.com/ Sebastian Wain

      I just forgot to add it. It is available on Github now.

  • redp

    > ours does not depend on a specific compiler to obtain a virtual table
    Actually this is not good – you could get class names from compiler-specific RTTI or from CRuntimeClass for MFC. And then it is even possible to identify functions in this VTBL (using some external database for standard classes like Qt/MFC etc.)
    See for example my old ida pro plugin for MFC based apps reversing: http://cyrplw.svn.sourceforge.net/viewvc/cyrplw/mfc/

    • bynop

      Thanks for your project, but how to use it? Can you give a tutorial, or a binary? Because I can’t compile your sources in my VS~~~

      • redp

        use vs2008
        I am too lazy to write doc :-)

        • bynop

          iid.c is not standard C format, the compiler can’t recognize it~~~ BTW: I also use VS2008

          • redp

            Just now checked the version in svn with vs2008 & ida 6.2 sdk – all building ok

    • http://blog.databigbang.com/ Sebastian Wain

      In this article we assume zero information; that’s the advantage. With RTTI or any other extra information like a PDB it is easier.

  • joe

    Completely don’t understand what is good in your implementation; not useful for malware because it is not safe to run it on a working machine.

    • http://blog.databigbang.com/ Sebastian Wain

      I didn’t understand your question. The article is not related to malware, it is related to hooking virtual tables on COM/C++.

  • oxr3

    Port for IDA Pro Linux! I hate it when seeing all these awesome plugins running on IDA Win