Linux c vmt hooking
Virtual Method Table Hook
Simple VMT hook implementation for Windows x32/x64.
It intercepts virtual method calls, allowing you to change their behaviour and capturing the class. It also returns a pointer to the original method.
A pointer to the base address of the virtual table. The Virtual Table is the first addressed region of the class, therefore it also refers to object base address.
A pointer to the function that should be called in place of the original virtual method. Some constraints are applied here.
x64 In case of 64 bit, the replacing function must take the object pointer as first argument. This is required by the virtual table as it needs to know which implementation of the method is being called.
x32 Here it is optional wether or not to take the object pointer as a parameter. This happens because in x32 the methods use the __thiscall convention, which keeps the object pointer in ECX register, and the parameters are kept in stack like in __stdcall convention, or __cdecl in case of vararg .
Therefore, if the object pointer is not required, __stdcall should fit. In case you want the object pointer, you can’t declare a function that is not a class member method with __thiscall . A way to override this is using __fastcall convention, Which takes the first and second arguments from ECX and EDX registers respectively, the remaining arguments are passed normally from stack. Simply define the second argument as a DWORD and ignore it.
The position of the desired method in virtual table. It’s not an indexer, so the value must be the precise memory offset from the virtual table base to the method.
i.e. If you want the third method inside a x64 virtual table, dwOffset must be set to 0x10 , whereas the second one would be 0x08 and the first one 0x00 or NULL .
The return value is a pointer to the original method. Can be saved in an explicit __thiscall function pointer that recieves an object pointer and the method arguments. If it’s intended to call the original function at some point. Specially from within pHookMethod , that will end up calling it self recursively, making a stack overflow likely to happen.
For the original function to be called within pHookMethod , it needs to take the object pointer as a parameter, given that the return pointer requires it as an argument.
Источник
Linux c vmt hooking
I’m gonna try to write this as educational as possible, as my intent is to hopefully teach someone something. If you don’t care about that, just skip to the end where I provide a quick explanation and code.
I’ll preface this by saying that I know that some people doesn’t actually believe in the VMT hook detections, even though there’s proof or atleast indications posted all over here that points to it being legit. As an example, look at the start of that .data section of client_panorama.dll and you will see a bunch of globals that are the xor’ed addresses of the vtables from some classes.
For those of you who do though, this might be useful for y’all.
It’s also worth keeping in mind that this method is NOT for FSN only, I’m just using it as it is a good example to show this method on. It can also be used for a few other functions that you might be helpful.
I wrote this up a while ago and decided I wanted to post it now, since hopefully it can make someone learn something new, or atleast inspire them to try to think outside the box for stuff like this.
Reversing/finding the method we’ll be using
So, the FrameStageNotify function that you wanna hook is at index 37 of CHLClient. This vtable is in client_panorama.dll. One approach to this would be looking at the actual function and trying to find work-arounds by hooking functions that FSN calls and so on. But I’m not gonna bother with that. Instead we are gonna be hooking the actual FSN more or less normally.
Taking help from the SDK:
First thing you might wanna do is look into where and how FSN is called. Lets start by looking around in the leaked or released source engine sdks.
You will quickly find that the only place this is called is from the a wrapper function in engine https://github.com/VSES/SourceEngine. _int.cpp#L1716
Interesting, the only place FSN is called from is from the engine itself. This might’ve changed though, so lets look into it on CSGO.
Reversing with IDA, WinDbg and ReClass:
First of all lets find the FrameStageNotify function in a fresh client_panorama binary. Open up Class Informer or the «Names Window» (Shift-F4) in IDA and search for CHLClient.
In class informer it should be pretty straight forward, but if you use the names window you want to look for 
Double click this and it’ll bring you to the address in .rdata which has all of the functions of the vtable listed. We know that FSN is index 37 and that an absolute address is 4 bytes in x86. To find the function we can either count to the 37th-function in the vtable, or preferebly hit ? in ida to bring up the calculator and do 37 * 4: 
Now press G to open the jump to address menu, enter the start of the vtable and add the offset of the function
Go to the function it brings us to, and you’ll see a switch statement that goes up to 7. This is definitely correct.
Copy the address of the function (exclude the 1 of the start of it, the binary has a base of 0x10000000 in ida).
Go on and open csgo and debugger of choice, I’m going to be using WinDbg. Attach to csgo and place a breakpoint on FSN.
| 0:068> bp client_panorama + 238160 0:068> g |
| 0:000> ? 07c3cbd2 — engine Evaluate expression: 838610 = 000ccbd2 |
| 0:000> ? engine + 888958 Evaluate expression: 138381656 = 083f8958 |
slap that calculated address into ReClass and we’ll see what’s up. You will see that it points to an address in client_panorama, probably the CHLClient class. Make it a pointer and look what it points to and yes! We can see that it is the CHLClient class thanks to the RTTI information of the vtbl 
Summary
Let’s take a step back and think. A global in engine.dll points to the address of the CHLClient class in client_panorama.dll. If we copy the CHLClient class and make the pointer in engine.dll point to our own class instead, with our own vtable we can hook any calls to CHLClient that gets done from engine. There is a slight problem though, this means the thisptr that gets passed will not be the actual thisptr of the real CHLClient class. Lets fix that by making the functions in our own CHLClient class point to shellcode which sets the ECX register (First argument, the thisptr is passed in ECX with __thiscall and __fastcall) to the address of the real CHLClient class object. For each function in the vtable we want to write a shellcode that boils down to
Now to hook a function in there, we just replace that address it jumps to in our shellcode.
Conclusion and code
FSN is called from engine, along with a few other CHLClient functions. We can replace the class object that engine calls the functions from and in that way hook all calls from engine into CHLClient. Fix the thisptr by doing a jumptable which sets ecx correctly. Putting this into code gives us something like this:
Источник
Linux c vmt hooking
Lately I’ve been learning about Vtable/VMT hooking and I’ve been trying to get it working for a hack in APB (UE3). I haven’t completely figured it out yet, but I decided to compile what I learn into a tutorial, to help others get started.
Now I see you wondering: Why make a tutorial when you don’t fully understand what you are doing yet? Personally I think this is a perfect time to write a tutorial, because being new to vtable hooking, I can more easily understand the problems newbies will run into. See it as a tutorial written by a newbie for newbies. I am also hoping that more experienced members will correct me if I post any wrong or misleading information.
For now, just a short textual introduction to VMTs, but eventually I want this to be a full tutorial with code examples and pictures
What is a VMT/Vtable?
Whenever a class defines a virtual function (or method), most compilers add a hidden member variable to the class which points to a so called virtual method table (VMT or Vtable). This VMT is basically an array of pointers to (virtual) functions. At runtime these pointers will be set to point to the right function, because at compile time, it is not yet known if the base function is to be called or a derived one implemented by a class that inherits from the base class.
How do we use a VMT to hook?
There are two ways to use a VMT to hook a function.
In the first we simply replace one of the function pointers in the VMT with one of our own, pointing to a function we want to hook (obviously this needs to have the same signature as the original for proper execution of the program). Note that with this option, all instances of a class (objects) that point to the same virtual table will be affected.
The second option is to copy (or make a new) VMT and set the VMT pointer of an object to our VMT. Obiously we need to have a valid table here, or bad things will happen. So we will need to make sure the new VMT is the same size and points to similar functions. With this option, only the specific instance of a class will be affected.
To make sure the program resumes properly after we complete our hooked code, we call the original function at the end of the hooked function. This means we need to make sure we store a pointer to the original function!
How to get a pointer to a VMT?
In C++ the place where the pointer is stored in a class is compiler dependant. But the MS visual C++ compiler always stores it as the first member or in the first 4 bytes (the size of a pointer) of the class. Now note that this is always a hidden member, so we need to copy the memory of the first 4 bytes of the class into a pointer variable and then we have the pointer to the VMT.
Hooking the unreal engine
Now onto some examples of how to hook into the unreal engine using vtables. I will be using the vmthooks library written by Casual_Hacker over at GameDeception to abstract the whole hooking process. If you wish to adapt your own feel free to do so.
You will also need an SDK for the game you are hacking (uNrEaL has released alot for the unreal engine).
First we would create a new DLL. The OnAttach function is what will be called when you inject your DLL into the game.
Basic stuff really. Then we will need to declare some global variables and includes that we will be using later one. You can do this in a separate header if you like, or not.
If you aren’t sure what these will be used for, I will get to that later. Next you will need to start by implementing the OnAttach function and the first thing you need to do is find an instance of the object you want to hook. Good classes to hook for the unreal engine are the «HUD class», the «Viewport class» and the «PlayerController». In my example I’ll be hooking the viewport class, as it allows engine drawing in postrender.
I’ll leave it up to you to find the viewport, it shouldn’t be hard and there are many ways to do it. (tip: use the object dump (GObjects). Next we hook the object using the VMThook class. This will allow you to manipulate teh vtable. Make sure you store a pointer to the old pProcesEvent. Its at index 60 for APB, not sure about other unreal games.
Then proceed by replacing the Vtable with a copy( Don’t modify the orginal or your hack will be much easier to detect) and now replace the pointer at the proper index with a pointer to your own hooked function, which we still need to make.
This is an empty template for the a hooked processevent function (thanks lowHertz!). I’ll try to explain briefly what goes on here (as far as my understanding of it goes).
__declspec(naked) is a calling convention that basicly leaves it to the programmer to prepare and clean the stack for the function. Don’t ask me for details, I basicly c&p this from lowHertz :P.
With the first line we take a pointer from the ECX register, this pointer points to the object that called the function. Since in my method we already have a pointer to the correct object this is not really necessary.
The block that follows is asm for putting the arguments (that the orginal function got called with) into the global variables you declared earlier. You also need these to call the orginal function later.
pushad saves the registers on the stack. So now you can execute whatever code you want and afterwards it restores the registers to their orginal state by popping them off the stack with popad.
The last bit pushes the arguments onto the stack and calls the orginal function, which you stored earlier. If all is well then the orginal function executes properly and the game resumes as it would usually.
Источник
Thread: Vtable hooking/Vmt hooking
Thread Tools
Display
Vtable hooking/Vmt hooking
What’s good, it’s @Lehsyrus again with some new shit for you. This tutorial is leeched. This is to go together along with the A.V.A SDK I put in the source code section. As I said, this is LEECHED. Credits are all to EddyK from another site that no one needs to ever care about because MPGH is sexy.
Lately I’ve been learning about Vtable/VMT hooking and I’ve been trying to get it working for a hack in APB (UE3). I haven’t completely figured it out yet, but I decided to compile what I learn into a tutorial, to help others get started.
Now I see you wondering: Why make a tutorial when you don’t fully understand what you are doing yet? Personally I think this is a perfect time to write a tutorial, because being new to vtable hooking, I can more easily understand the problems newbies will run into. See it as a tutorial written by a newbie for newbies. I am also hoping that more experienced members will correct me if I post any wrong or misleading information.
For now, just a short textual introduction to VMTs, but eventually I want this to be a full tutorial with code examples and pictures
What is a VMT/Vtable?
Whenever a class defines a virtual function (or method), most compilers add a hidden member variable to the class which points to a so called virtual method table (VMT or Vtable). This VMT is basically an array of pointers to (virtual) functions. At runtime these pointers will be set to point to the right function, because at compile time, it is not yet known if the base function is to be called or a derived one implemented by a class that inherits from the base class.
How do we use a VMT to hook?
There are two ways to use a VMT to hook a function.
In the first we simply replace one of the function pointers in the VMT with one of our own, pointing to a function we want to hook (obviously this needs to have the same signature as the original for proper execution of the program). Note that with this option, all instances of a class (objects) that point to the same virtual table will be affected.
The second option is to copy (or make a new) VMT and set the VMT pointer of an object to our VMT. Obiously we need to have a valid table here, or bad things will happen. So we will need to make sure the new VMT is the same size and points to similar functions. With this option, only the specific instance of a class will be affected.
To make sure the program resumes properly after we complete our hooked code, we call the original function at the end of the hooked function. This means we need to make sure we store a pointer to the original function!
How to get a pointer to a VMT?
In C++ the place where the pointer is stored in a class is compiler dependant. But the MS visual C++ compiler always stores it as the first member or in the first 4 bytes (the size of a pointer) of the class. Now note that this is always a hidden member, so we need to copy the memory of the first 4 bytes of the class into a pointer variable and then we have the pointer to the VMT.
Hooking the unreal engine
Now onto some examples of how to hook into the unreal engine using vtables. I will be using the vmthooks library written by Casual_Hacker over at ************* to abstract the whole hooking process. If you wish to adapt your own feel free to do so.
You will also need an SDK for the game you are hacking (uNrEaL has released alot for the unreal engine).
First we would create a new DLL. The OnAttach function is what will be called when you inject your DLL into the game.
Basic stuff really. Then we will need to declare some global variables and includes that we will be using later one. You can do this in a separate header if you like, or not.
If you aren’t sure what these will be used for, I will get to that later. Next you will need to start by implementing the OnAttach function and the first thing you need to do is find an instance of the object you want to hook. Good classes to hook for the unreal engine are the «HUD class», the «Viewport class» and the «PlayerController». In my example I’ll be hooking the viewport class, as it allows engine drawing in postrender.
I’ll leave it up to you to find the viewport, it shouldn’t be hard and there are many ways to do it. (tip: use the object dump (GObjects). Next we hook the object using the VMThook class. This will allow you to manipulate teh vtable. Make sure you store a pointer to the old pProcesEvent. Its at index 60 for APB, not sure about other unreal games.
Then proceed by replacing the Vtable with a copy( Don’t modify the orginal or your hack will be much easier to detect) and now replace the pointer at the proper index with a pointer to your own hooked function, which we still need to make.
This is an empty template for the a hooked processevent function (thanks lowHertz!). I’ll try to explain briefly what goes on here (as far as my understanding of it goes).
__declspec(naked) is a calling convention that basicly leaves it to the programmer to prepare and clean the stack for the function. Don’t ask me for details, I basicly c&p this from lowHertz :P.
With the first line we take a pointer from the ECX register, this pointer points to the object that called the function. Since in my method we already have a pointer to the correct object this is not really necessary.
The block that follows is asm for putting the arguments (that the orginal function got called with) into the global variables you declared earlier. You also need these to call the orginal function later.
pushad saves the registers on the stack. So now you can execute whatever code you want and afterwards it restores the registers to their orginal state by popping them off the stack with popad.
The last bit pushes the arguments onto the stack and calls the orginal function, which you stored earlier. If all is well then the orginal function executes properly and the game resumes as it would usually.
Источник
