How to Identify Virtual Table Functions with the VTBL IDA Pro Plugin

VTBL is an IDA script that identifies all the virtual tables found in any module of a native process. The virtual tables can belong to a COM or a C++ class. Unlike other tools, ours does not depend on a specific compiler to locate a virtual table. This makes it an essential tool for reverse engineers.

The script works on all IDA versions. To use it:

  1. Use IDA to disassemble the module you want to analyze.
  2. Load the “VTBL.IDC” script from File -> Script File or with the Alt+F7 shortcut.
  3. VTBL.EXE is launched.
  4. Select the process you want to analyze.
  5. Enable process suspension if you want to intercept the process from the beginning.
  6. Select the module you want to analyze. It must be the same module you disassembled in step one.
  7. Once the analysis is over, select a virtual table to obtain its cross references. The tool displays the number of functions the virtual table contains.
  8. Hook the selected virtual table.
  9. Close the VTBL.EXE dialog.
  10. Both the disassembled code and the IDA output window will display all processed cross references.

We tried the tool on Notepad++.exe (see the video below). We chose open source software so we could compare the results with the original source code.

We ran Notepad++.exe, selected the Notepad++.exe module and waited until all the virtual tables had been analyzed. The tool displays a list of virtual tables in the format VTBL_X1_X2_X3, where X1 is the index, X2 the start address and X3 the function count. We hooked the virtual table with “CD” in the index field.
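As an added example (not the plugin's own code; the article does not describe how VTBL.EXE scans memory), the Python below shows the compiler-independent idea behind such a listing: walk a data section looking for runs of consecutive pointers into the code section and name each run VTBL_X1_X2_X3 as above. The image base, section ranges and sample bytes are constructed for the example.

```python
import struct

# Constructed 32-bit image layout, assumed for this example (not from the article):
# section = (RVA, size); functions live in CODE, candidate vtables in DATA.
IMAGE_BASE = 0x00400000
CODE = (0x1000, 0x1000)
DATA = (0x3000, 0x1000)
PTR = 4  # pointer size; the same scan works for 64-bit with "<Q" and PTR = 8

def in_section(va, section):
    start = IMAGE_BASE + section[0]
    return start <= va < start + section[1]

def find_vtables(data_bytes, min_funcs=2):
    """Scan a data section image for runs of consecutive, pointer-aligned
    pointers into the code section.  Each run of at least min_funcs entries
    is reported as VTBL_<index>_<start VA>_<function count>, matching the
    tool's listing format (index and address in hex)."""
    tables = []
    i = 0
    limit = len(data_bytes) - PTR + 1
    while i < limit:
        (p,) = struct.unpack_from("<I", data_bytes, i)
        if not in_section(p, CODE):
            i += PTR  # not a code pointer: a table cannot start here
            continue
        start, count = i, 0
        while i < limit and in_section(struct.unpack_from("<I", data_bytes, i)[0], CODE):
            count += 1  # extend the run while entries keep pointing into code
            i += PTR
        if count >= min_funcs:
            tables.append((IMAGE_BASE + DATA[0] + start, count))
    return [f"VTBL_{idx:X}_{va:08X}_{cnt}" for idx, (va, cnt) in enumerate(tables)]

def build_sample():
    """Constructed data section: a 4-entry table at +0x10, a lone code pointer
    at +0x40 (followed by a non-code value, so the run ends), and a 3-entry
    table at +0x80.  Everything else is zero, which never points into CODE."""
    buf = bytearray(0x100)
    funcs = [IMAGE_BASE + CODE[0] + 0x10 * k for k in range(8)]
    struct.pack_into("<4I", buf, 0x10, *funcs[0:4])
    struct.pack_into("<I", buf, 0x40, funcs[4])
    struct.pack_into("<I", buf, 0x44, 0x12345678)
    struct.pack_into("<3I", buf, 0x80, *funcs[5:8])
    return bytes(buf)
```

Runs of code pointers that are not virtual tables (jump tables, import thunks, plain function-pointer arrays) are reported too, so a candidate still needs the cross-reference check from step 7 before it is hooked.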

Afterwards we closed VTBL.EXE and analyzed the results in IDA Pro.

Prerequisites

  1. Install the Deviare Hooking Engine.
  2. Compile VTBL_Code\Helper\Helperhelper.vcproj.
  3. Open the Visual Studio 2010 project.
  4. Change the DLL imports in Form1.cs to point to helper.dll and DeviareCOM.dll.
  5. Compile the project.
  6. Open VTBL.idc and modify the full paths of DeviareTest.exe and CrossRef.dat.

Source Code

VTBL is available on GitHub as vtbl-ida-pro-plugin.

  • Ivan

    Hi,

    Where is VLTB.idc ? I don’t see it on github.

    Can you tell how it works in details ?

    Thanks

    • http://blog.databigbang.com/ Sebastian Wain

      It is uploaded on Github now. I just forgot to add it.

  • bynop

    hi ,

    can u upload VLTB.idc? or send it to my email bynop#foxmail.com thx!

    • http://blog.databigbang.com/ Sebastian Wain

      I just forgot to add it. It is available on Github now.

  • redp

    > ours does not depend on a specific compiler to obtain a virtual table
    Actually this is not good – you could get class names from compiler-specific RTTI or from CRuntimeClass for MFC. And then it is even possible to identify functions in this VTBL (using some external database for standard classes like Qt/MFC etc).
    See for example my old ida pro plugin for MFC based apps reversing: http://cyrplw.svn.sourceforge.net/viewvc/cyrplw/mfc/

    • bynop

      Thanks for your project, but how to use it? Can u give a tutorial, or a bin, cause I can't compile your sources in my VS~~~

      • redp

        use vs2008
        I am too lazy to write doc :-)

        • bynop

          iid.c is not standard C format, the compiler can't recognize it~~ BTW: I also use VS2008

          • redp

            Just now checked the version in svn with vs2008 & ida 6.2 sdk – all building ok

    • http://blog.databigbang.com/ Sebastian Wain

      In this article we assume zero information, that’s the advantage. With RTTI or any other extra information like PDB it is easier.

  • joe

    Completely don't understand what is good in your implementation, not useful for malware cause not safe to run it on a working machine

    • http://blog.databigbang.com/ Sebastian Wain

      I didn’t understand your question. The article is not related to malware, it is related to hooking virtual tables on COM/C++.

  • oxr3

    Port for IDA Pro Linux! I hate it when seeing all these awesome plugins running on IDA Win

  • Daniel

    Is VTBL updated to the new version of “Deviare Hooking Engine”?

    When I try to compile VTBL[1], I get two errors:

    Form1.cs(63,21): error CS1061: ‘Nektra.Deviare2.NktSpyMgr’ does not contain a definition for ‘LicenseKey’ and no extension method ‘LicenseKey’ accepting a first argument of type ‘Nektra.Deviare2.NktSpyMgr’ could be found (are you missing a using directive or an assembly reference?)

    Form1.cs(187,32): error CS1501: No overload for method ‘CreateHookForAddress’ takes 4 arguments

    Can you help me?

    [1] https://github.com/nektra/vtbl-ida-pro-plugin/tree/master/VTBL
