

hook虚表监控虚表

發布時間:2025/3/20 编程问答 28 豆豆

RTTI(Runtime Type Identification,運行時類型識別)是指 C++ 編譯器將對象的類型信息嵌入程序的只讀數據段,使 typeid(確定類型)和 dynamic_cast(檢查類型)等操作符能在運行時識別一個對象的數據類型。
對微軟的編譯器而言,指向 RTTI 信息的指針存放在虛表起始地址 -4 的位置(32 位程序中即虛表第一項之前的那個 DWORD)。

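#include <stdio.h>
#include <Windows.h>

// The thunks below are raw 32-bit x86 opcodes and every pointer is stored in a
// DWORD, so refuse to build for any other target instead of truncating pointers.
#if !defined(_M_IX86) && !defined(__i386__)
#error "This demo emits 32-bit x86 thunks and stores pointers in DWORDs; build it as x86."
#endif

// Number of virtual functions declared by Parent (Fun1..Fun5). It must match
// the real table exactly: the previous value of 6 made the copy loop read one
// slot past the end of Child's virtual table.
#define VTSIZE 5

// Abstract interface with five virtual slots and no data members.
class Parent
{
public:
    virtual void Fun1() = 0;
    virtual void Fun2() = 0;
    virtual void Fun3() = 0;
    virtual void Fun4() = 0;
    virtual void Fun5() = 0;
};

// Concrete implementation; each function prints a marker so the call that was
// routed through a thunk can be recognised in the output.
class Child : public Parent
{
public:
    void Fun1() { printf("11111\n"); }
    void Fun2() { printf("22222\n"); }
    void Fun3() { printf("33333\n"); }
    void Fun4() { printf("44444\n"); }
    void Fun5() { printf("55555\n"); }
};

// One thunk per virtual slot. The fields are laid out byte-for-byte as machine
// code, so packing is forced to 1 for this struct only and restored afterwards.
// Only EAX is modified, so ECX (the `this` pointer under the MSVC x86 member
// calling convention) reaches the real function untouched.
// A fuller monitor would save registers and flags (pushad 0x60 / pushfd 0x9C),
// jump (0xE9) to a check routine, and restore them (popad 0x61 / popfd 0x9D);
// the original listing carried those fields commented out.
#pragma pack(push, 1)
typedef struct _JMP_TABLE_ITEM
{
    UCHAR uMoveEaxForFactAddr;   // 0xB8: mov eax, imm32
    DWORD dwFactAddr;            // imm32: address of the real virtual function
    UCHAR uPashEaxForFactAddr;   // 0x50: push eax
#ifdef DEBUG
    // Simulated "check" call (MessageBoxA with four zero arguments).
    // NOTE(review): kept exactly as published. uJmpeaxaddr is a DWORD that
    // receives 0xE0, so these bytes encode FF E0 00 00 00 (jmp eax plus three
    // zero bytes) and the add esp,0x10 that follows is not reached by falling
    // through - confirm the intended sequence before enabling DEBUG.
    UCHAR push0;
    UCHAR zero0;
    UCHAR push1;
    UCHAR zero1;
    UCHAR push2;
    UCHAR zero2;
    UCHAR push3;
    UCHAR zero3;
    UCHAR tempmoveax;
    DWORD dwmsgAddr;
    UCHAR uJmpmsg;               // FF
    DWORD uJmpeaxaddr;
    UCHAR add;
    UCHAR esp;
    UCHAR four;
#endif
    UCHAR uPopeax;               // 0x58: pop eax
    UCHAR uJmp22;                // 0xFF \ jmp eax
    UCHAR uJmpEax;               // 0xE0 /
} JMP_TABLE_ITEM;
#pragma pack(pop)

// Placeholder for the per-call check routine; intentionally empty.
void CheckFunc(DWORD checkNum)
{
}

// Fills a replacement virtual table and the thunks its entries point at.
//
//   pfakevt   - VTSIZE writable DWORD slots that become the replacement table.
//   pJMPTable - VTSIZE writable JMP_TABLE_ITEM slots that receive thunk code.
//               The caller must make this region executable before the
//               replacement table is used.
//   pFactvt   - address of the object whose first DWORD is its vtable pointer.
//   msgaddr   - address called by the DEBUG-only simulation; unused otherwise.
//
// Nothing is written when any of the three pointers is null.
void InitFakeVirtualTable(DWORD *pfakevt, JMP_TABLE_ITEM *pJMPTable, DWORD pFactvt, DWORD msgaddr)
{
    if (pfakevt == NULL || pJMPTable == NULL || pFactvt == 0)
    {
        return;
    }
#ifndef DEBUG
    (void)msgaddr; // only the DEBUG thunk layout embeds this address
#endif

    // First DWORD of the object is the pointer to its real virtual table.
    const DWORD *pRealTable = (const DWORD*)*(DWORD*)pFactvt;

    for (int slot = 0; slot < VTSIZE; ++slot)
    {
        JMP_TABLE_ITEM *pThunk = &pJMPTable[slot];

        // Replacement table entry points at the thunk instead of the function.
        pfakevt[slot] = (DWORD)pThunk;

        pThunk->uMoveEaxForFactAddr = 0xB8;
        pThunk->dwFactAddr = pRealTable[slot];
        pThunk->uPashEaxForFactAddr = 0x50; // push the real virtual function address
#ifdef DEBUG
        pThunk->push0 = 0x6A;
        pThunk->zero0 = 0x0;
        pThunk->push1 = 0x6A;
        pThunk->zero1 = 0x0;
        pThunk->push2 = 0x6A;
        pThunk->zero2 = 0x0;
        pThunk->push3 = 0x6A;
        pThunk->zero3 = 0x0;
        pThunk->tempmoveax = 0xB8;
        pThunk->dwmsgAddr = msgaddr;
        pThunk->uJmpmsg = 0xFF;
        pThunk->uJmpeaxaddr = 0xE0;
        pThunk->add = 0x83;
        pThunk->esp = 0xC4;
        pThunk->four = 0x10;
#endif
        pThunk->uPopeax = 0x58;
        pThunk->uJmp22 = 0xFF;
        pThunk->uJmpEax = 0xE0;
    }
}

// Demonstrates routing an object's virtual calls through generated thunks and
// then puts everything back. Returns 0 on success, 1 when set-up fails.
int main()
{
    // The replacement table only holds addresses; it is data and stays
    // non-executable on the ordinary heap.
    DWORD *pfakeVirtualTable = new DWORD[VTSIZE]();

    // The thunks are code. Give them their own pages instead of flipping 1024
    // bytes of shared heap to RWX (which also only covered the thunks when the
    // two heap blocks happened to be adjacent). They are written while
    // read/write and switched to read/execute before use.
    const SIZE_T thunkBytes = sizeof(JMP_TABLE_ITEM) * VTSIZE;
    JMP_TABLE_ITEM *pJMPTable = (JMP_TABLE_ITEM*)VirtualAlloc(
        NULL, thunkBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pJMPTable == NULL)
    {
        printf("VirtualAlloc failed: %lu\n", GetLastError());
        delete[] pfakeVirtualTable;
        return 1;
    }

    // Keep the concrete pointer: Parent has no virtual destructor, so the
    // object must be deleted through Child*.
    Child *pConcrete = new Child();
    Parent *pChild = pConcrete;
    DWORD ptemp = (DWORD)pChild;
    const DWORD originalVptr = *(DWORD*)pChild;

    // Address used by the DEBUG-only simulation. user32.dll may not be loaded
    // in a console program, so both lookups are checked.
    DWORD addr = 0;
    HMODULE hUser32 = GetModuleHandleA("user32.dll");
    if (hUser32 != NULL)
    {
        addr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    }

    int exitCode = 0;
#ifdef DEBUG
    if (addr == 0)
    {
        printf("MessageBoxA not available; DEBUG thunks would jump to address 0\n");
        exitCode = 1;
    }
#endif

    DWORD oldprotect = 0;
    if (exitCode == 0)
    {
        InitFakeVirtualTable(pfakeVirtualTable, pJMPTable, ptemp, addr);

        if (!VirtualProtect(pJMPTable, thunkBytes, PAGE_EXECUTE_READ, &oldprotect))
        {
            printf("VirtualProtect failed: %lu\n", GetLastError());
            exitCode = 1;
        }
    }

    if (exitCode == 0)
    {
        // Freshly written code: make sure the CPU does not run stale bytes.
        FlushInstructionCache(GetCurrentProcess(), pJMPTable, thunkBytes);

        // From here the object's vtable pointer refers to heap memory rather
        // than the module's read-only data.
        *(DWORD*)pChild = (DWORD)pfakeVirtualTable;

        // NOTE: an optimizing compiler may devirtualize these calls, in which
        // case they bypass the replacement table entirely.
        pChild->Fun1();
        pChild->Fun2();
        pChild->Fun3();
        pChild->Fun4();
        pChild->Fun5();

        // Restore the real table before the thunks and fake table are freed.
        *(DWORD*)pChild = originalVptr;
    }

    VirtualFree(pJMPTable, 0, MEM_RELEASE);
    delete[] pfakeVirtualTable;
    delete pConcrete;
    return exitCode;
}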

