VTBL is an IDA script which identifies all the virtual tables found in any module of a native process. The virtual tables can be related to a COM or a C++ class. Unlike other tools, ours does not depend on a specific compiler to obtain a virtual table. This makes it an essential tool for reverse engineers.
The script works on all IDA versions. To use it, you must:
- Use IDA to disassemble the module you want to analyze.
- Load the “VTBL.IDC” script from File -> Script File or by using the Alt+F7 shortcut.
- VTBL.EXE will be executed.
- Select the process you want to analyze.
- Enable the suspension of the process if you want to intercept the process from the beginning.
- Select the module you want to analyze. It must be the same module you disassemble in step one.
- Once the analysis is over, select the virtual table to obtain its cross reference. The tool displays the number of functions the virtual table contains.
- Hook the selected virtual table.
- Close the VTBL.EXE dialog.
- Both the disassembled code and the IDA output window will display all processed cross references.
We tried the tool out on Notepad++.exe. See video below. We used open source software so we could compare the results with the original source code.
We ran Notepad++.exe, selected the Notepad++.exe module and waited until all the virtual tables had been analyzed. The tool displays a list of virtual tables with the following format: VTBL_X1_X2_X3, where X1 is the index, X2 the start address, and X3 the function count. We hooked the virtual table with “CD” in the index field.
After the process, we closed VTBL.EXE and analyzed the results with IDA Pro.
- Deviare Hooking Engine
- Compile the VTBL_Code\Helper\Helperhelper.vcproj
- Open the Visual Studio 2010 project
- Change the Form1.cs DLL imports to point to the helper.dll and DeviareCOM.dll
- Compile the project
- Open VTBL.idc and modify the full paths of DeviareTest.exe and CrossRef.dat
VTBL is available as vtbl-ida-pro-plugin.