VTBL is an IDA script which identifies all the virtual tables found in any module of a native process. The virtual tables can be related to a COM or a C++ class. Unlike other tools, ours does not depend on a specific compiler to obtain a virtual table. This makes it an essential tool for reverse engineers.
The script works on all IDA versions. To use it, you must:
- Use IDA to disassemble the module you want to analyze.
- Load the “VTBL.IDC” script from File -> Script File or by using the ALT F7 shortcut.
- VTBL.EXE will be executed.
- Select the process you want to analyze.
- Enable the suspension of the process if you want to intercept the process from the beginning.
- Select the module you want to analyze. It must be the same module you disassemble in step one.
- Once the analysis is over, select the virtual table to obtain its cross reference. The tool displays the number of functions the virtual table contains.
- Hook the selected virtual table.
- Close the VTBL.EXE dialog.
- Both the disassembled code and the IDA output window will display all processed cross references.
We tried the tool out on Notepad++.exe. See video below. We used open source software so we could compare the results with the original source code.
We ran Notepad++.exe, selected the Notepad++.exe module and waited until all the virtual tables had been analyzed. The tool displays a list of virtual tables with the following format: VTBL_X1_X2_X3, where X1 is the index, X2 the start address, and X3 the function count. We hooked the virtual table with “CD” in the index field.
After the process we closed VTBL.EXE and analyzed the results with IDA Pro.
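As an added illustration of the two ideas above (finding virtual tables without relying on compiler-specific metadata, and the VTBL_X1_X2_X3 naming the tool uses), here is a small, compiler-agnostic heuristic in plain Python. It is not the plugin's own code; it scans a constructed 32-bit data region for maximal runs of pointers into a hypothetical executable range and labels each run the way the tool does.

```python
import struct

# Constructed sample layout; all addresses are hypothetical.
TEXT_START, TEXT_END = 0x00401000, 0x00402000   # executable range of the "module"
DATA_BASE = 0x00403000                          # load address of the scanned data
PTR_SIZE = 4

def build_sample_data():
    """Constructed data region: noise words, a 3-entry table, a gap, a 2-entry table."""
    words = [0x0, 0x41414141, 0x1,
             0x00401010, 0x00401020, 0x00401030,   # vtable A: three virtual functions
             0x0,
             0x00401100, 0x00401110,               # vtable B: two virtual functions
             0x7FFFFFFF]
    return b"".join(struct.pack("<I", w) for w in words)

def find_vtables(data, data_base, text_start, text_end, ptr_size=PTR_SIZE, min_entries=2):
    """Return [(start_addr, [func_addrs])] for each maximal run of at least
    min_entries consecutive pointers into [text_start, text_end).
    No RTTI, PDB or compiler layout is assumed. A real pass would also
    require a data cross reference to start_addr (e.g. from a constructor)
    to filter out jump tables and plain function-pointer arrays."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    n = len(data) // ptr_size
    ptrs = [struct.unpack_from(fmt, data, i * ptr_size)[0] for i in range(n)]
    tables, i = [], 0
    while i < n:
        j = i
        while j < n and text_start <= ptrs[j] < text_end:
            j += 1
        if j - i >= min_entries:
            tables.append((data_base + i * ptr_size, ptrs[i:j]))
        i = max(j, i + 1)          # resume after the run, or skip one non-pointer
    return tables

def vtbl_names(tables):
    """Label tables as VTBL_X1_X2_X3: hex index, start address, function count."""
    return ["VTBL_%X_%08X_%d" % (idx, start, len(funcs))
            for idx, (start, funcs) in enumerate(tables)]

if __name__ == "__main__":
    found = find_vtables(build_sample_data(), DATA_BASE, TEXT_START, TEXT_END)
    for name, (_, funcs) in zip(vtbl_names(found), found):
        print(name, ["%08X" % f for f in funcs])
```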
Prerequisites
- Deviare Hooking Engine
- Compile the VTBL_Code\Helper\Helperhelper.vcproj
- Open the Visual Studio 2010 project
- Change the Form1.cs DLL imports to point to the helper.dll and DeviareCOM.dll
- Compile the project
- Open VTBL.idc and modify the full paths of DeviareTest.exe and CrossRef.dat
Source Code
VTBL is available as vtbl-ida-pro-plugin.
Hi,
Where is VLTB.idc ? I don’t see it on github.
Can you tell how it works in details ?
Thanks
hi ,
can u upload VLTB.idc? or send it to my email bynop#foxmail.com thx!
> ours does not depend on a specific compiler to obtain a virtual table
actually this is not good – you could get class names from compiler-specific RTTI or from CRuntimeClass for MFC. And then it is even possible to identify functions in this VTBL (using some external database for standard classes like Qt/MFC etc.)
See for example my old ida pro plugin for MFC based apps reversing: http://cyrplw.svn.sourceforge.net/viewvc/cyrplw/mfc/
It is uploaded on Github now. I just forgot to add it.
I just forgot to add it. It is available on Github now.
thanks for your project, but how to use it? can u give a tutorial, or a bin? cause i can't compile your sources in my VS~~~
use vs2008
I am too lazy to write doc 🙂
iid.c is not standard C format, the compiler can't recognize it~~ BTW: I also use VS2008
just now checked the version in svn with vs2008 & ida 6.2 sdk – all building ok
completely don't understand what is good in your implementation, not useful for malware cause it's not safe to run it on a working machine
I didn’t understand your question. The article is not related to malware, it is related to hooking virtual tables on COM/C++.
In this article we assume zero information, that's the advantage. With RTTI or any other extra information like PDB it is easier.