A little function that searches your application's memory for the virtual table (vtable) of the device pointer.
This function finds the device pointer's vtable by scanning for the following logic:
Code:
Vtable.DWORD1 > Vtable.DWORD2 & Vtable.DWORD3
Vtable.DWORD2 > Vtable.DWORD3
Vtable.DWORD1 < Vtable.DWORD4
Vtable.DWORD5 > Vtable.DWORD4
etc...etc... &&
Vtable[0x3] == Vtable[0x7] == Vtable[0x..] == ... etc... etc
This method is not 100% reliable. However, I've tested it on 7 games, and in only 1 of them (Dragon Age 2) did it return a wrong pointer.
You should still check the pointer that is returned, because a false match looks just like a real result. You could do this by checking whether the vtable's function pointers actually point to functions (see if they begin with the standard Windows prologue code: mov ebp, esp).
This function is also slow: it may take up to 5 seconds to return (depending on how high in memory the vtable is located).
Code:
#include <windows.h>
#include <string.h>
#include <cstdio>
#include <iostream>
// Ask the linker to pull in VtableScan.lib. The scanner itself is not part of
// this listing, so what it does cannot be reviewed from the code shown here.
#pragma comment(lib, "VtableScan.lib")
// ScanTable is imported with C linkage and the stdcall calling convention.
// It returns its result as a DWORD, i.e. a 32-bit value.
// NOTE(review): a DWORD cannot hold a 64-bit address, so this presumably
// targets 32-bit processes only; confirm against the library.
extern "C"{
DWORD _stdcall ScanTable();
}
// Forward declaration of the worker routine that DllMain starts on its own
// thread; the definition follows DllMain.
int MainThread();
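// Thread entry point with the exact signature CreateThread expects.
// MainThread is declared as `int MainThread()`; casting that to
// LPTHREAD_START_ROUTINE would call it through a mismatched function type
// (wrong calling convention and parameter list), so the thread starts here
// and forwards to MainThread instead.
static DWORD WINAPI MainThreadEntry(LPVOID /*unused*/) {
    return static_cast<DWORD>(MainThread());
}

// DLL entry point.
//
// On DLL_PROCESS_ATTACH it starts MainThread on a separate thread and returns
// immediately. MainThread sleeps in a polling loop, which must not run inside
// DllMain itself because the loader lock is held for the duration of the call.
//
// Parameters:
//   hModule     - handle of this DLL (unused).
//   fdwReason   - reason the loader is calling; only DLL_PROCESS_ATTACH is acted on.
//   lpReserved  - loader-reserved value (unused).
//
// Returns TRUE for every notification, including when the worker thread could
// not be created, so the load itself never fails because of this function.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpReserved) {
    (void)hModule;
    (void)lpReserved;

    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Creation flags and thread-id pointer are 0 / NULL: run immediately,
        // thread id not needed.
        HANDLE worker = CreateThread(NULL, 0, &MainThreadEntry, NULL, 0, NULL);
        if (worker != NULL) {
            // The thread keeps running after its handle is closed; closing it
            // here only stops the handle from leaking.
            CloseHandle(worker);
        }
    }
    return TRUE;
}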
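// Worker routine: waits until d3d9.dll is loaded in this process, asks
// ScanTable() for the candidate vtable address, and shows it in a message box.
//
// Returns 0 in all cases.
//
// NOTE(review): the value from ScanTable() is the result of a heuristic scan
// and is displayed without any validation. Anything that goes on to
// dereference it must validate it first; a false match would otherwise be
// treated as a table of function pointers.
int MainThread() {
    // Poll once per second until Direct3D 9 has been loaded. The explicit
    // ANSI entry points are used because the arguments are narrow strings;
    // the TCHAR macros would not compile in a UNICODE build.
    while (GetModuleHandleA("d3d9.dll") == NULL) {
        Sleep(1000);
    }

    // Returns the vtable (or something that looks like it).
    // NOTE(review): whether ScanTable() reports failure with a sentinel such
    // as 0 is not visible from this listing; confirm against the library.
    const DWORD Vtable = ScanTable();

    // 19 characters of prefix + at most 8 hex digits + terminator fit easily;
    // snprintf bounds the write regardless. DWORD is an unsigned long, hence
    // the %lx conversion rather than %x.
    char message[64] = "";
    std::snprintf(message, sizeof(message), "Vtable Location: 0x%lx",
                  static_cast<unsigned long>(Vtable));

    MessageBoxA(NULL, message, "SCHiM", MB_OK); // output
    return 0;
}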
Virus scans:
Jotti
Virscan