Microsoft Visual C++ 逆向第二部分:类、方法和RTTI

本文主要是介绍Microsoft Visual C++ 逆向第二部分:类、方法和RTTI，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

Microsoft Visual c++是Win32使用最广泛的编译器，所以Win32逆向工作者熟悉其内部工作方式是很重要的。能够识别编译器生成的粘合代码有助于快速将注意力集中在程序员编写的实际代码上。它还有助于恢复项目的高层结构。在这篇由2部分组成的文章的第二部分(请参阅:第一部分:异常处理)中，我将介绍如何在MSVC中实现c++机制，包括类布局、虚函数、RTTI。假如您熟悉基本的c++和汇编语言。

基本类布局

为了说明下面的内容，让我们思考这个简单的例子:

    class A
    {
      int a1;
    public:
      virtual int A_virt1();
      virtual int A_virt2();
      static void A_static1();
      void A_simple1();
    };

    class B
    {
      int b1;
      int b2;
    public:
      virtual int B_virt1();
      virtual int B_virt2();
    };

    class C: public A, public B
    {
      int c1;
    public:
      virtual int A_virt2();
      virtual int B_virt2();
    };

在大多数情况下，MSVC以以下顺序排列类:

 

1. 虚函数表的指针(_vtable_或_vftable_)，仅当类有虚方法且基类中没有合适的表可以重用时才添加。

2. 基类

3.类成员

虚函数表按虚方法第一次出现的顺序由虚方法的地址组成。重载函数的地址替换基类中函数的地址。

 

因此，我们的三个类的布局将如下所示:

  class A size(8):+---0  | {vfptr}4  | a1+---A's vftable:0  | &A::A_virt14  | &A::A_virt2class B size(12):+---0  | {vfptr}4  | b18  | b2+---B's vftable:0  | &B::B_virt14  | &B::B_virt2class C size(24):+---| +--- (base class A)0  | | {vfptr}4  | | a1| +---| +--- (base class B)8  | | {vfptr}12  | | b116  | | b2| +---20  | c1+---C's vftable for A:0  | &A::A_virt14  | &C::A_virt2C's vftable for B:0  | &B::B_virt14  | &C::B_virt2

The above diagram was produced by the VC8 compiler using an undocumented switch. To see the class layouts produced by the compiler, use: -d1reportSingleClassLayout to see the layout of a single class -d1reportAllClassLayout to see the layouts of all classes (including internal CRT classes) The layouts are dumped to stdout. 

As you can see, C has two vftables, since it has inherited two classes which both already had virtual functions. Address of C::A_virt2 replaces address of A::A_virt2 in C's vftable for A, and C::B_virt2 replaces B::B_virt2 in the other table. 
 

Calling Conventions and Class Methods

All class methods in MSVC by default use _thiscall_ convention. Class instance address (_this_ pointer) is passed as a hidden parameter in the ecx register. In the method body the compiler usually tucks it away immediately in some other register (e.g. esi or edi) and/or stack variable. All further adressing of the class members is done through that register and/or variable. However, when implementing COM classes, _stdcall_ convention is used. The following is an overview of the various class method types. 

1) Static Methods
Static methods do not need a class instance, so they work the same way as common functions. No _this_ pointer is passed to them. Thus it's not possible to reliably distinguish static methods from simple functions. Example: 
 

    A::A_static1();call    A::A_static1

2) Simple Methods
Simple methods need a class instance, so _this_ pointer is passed to them as a hidden first parameter, usually using _thiscall_ convention, i.e. in _ecx_ register. When the base object is not situated at the beginning of the derived class, _this_ pointer needs to be adjusted to point to the actual beginning of the base subobject before calling the function. Example: 
 

    ;pC->A_simple1(1);;esi = pCpush    1mov ecx, esicall    A::A_simple1;pC->B_simple1(2,3);;esi = pClea edi, [esi+8] ;adjust thispush    3push    2mov ecx, edicall    B::B_simple1

As you see, _this_ pointer is adjusted to point to the B subobject before calling B's method. 

3) Virtual Methods
To call a virtual method the compiler first needs to fetch the function address from the _vftable_ and then call the function at that address same way as a simple method (i.e. passing _this_ pointer as an implicit parameter). Example: 
 

    ;pC->A_virt2();esi = pCmov eax, [esi]  ;fetch virtual table pointermov ecx, esicall [eax+4]  ;call second virtual method;pC->B_virt1();edi = pClea edi, [esi+8] ;adjust this pointermov eax, [edi]   ;fetch virtual table pointermov ecx, edicall [eax]       ;call first virtual method

4) Constructors and Destructors
Constructors and destructors work similar to a simple method: they get an implicit _this_ pointer as the first parameter (e.g. ecx in case of _thiscall_ convention). Constructor returns the _this_ pointer in eax, even though formally it has no return value. 
 

RTTI Implementation

RTTI (Run-Time Type Identification) is special compiler-generated information which is used to support C++ operators like dynamic_cast<> and typeid(), and also for C++ exceptions. Due to its nature, RTTI is only required (and generated) for polymorphic classes, i.e. classes with virtual functions. 

MSVC compiler puts a pointer to the structure called "Complete Object Locator" just before the vftable. The structure is called so because it allows compiler to find the location of the complete object from a specific vftable pointer (since a class can have several of them). COL looks like following: 
 

struct RTTICompleteObjectLocator
{DWORD signature; //always zero ?DWORD offset;    //offset of this vtable in the complete classDWORD cdOffset;  //constructor displacement offsetstruct TypeDescriptor* pTypeDescriptor; //TypeDescriptor of the com

这篇关于Microsoft Visual C++ 逆向第二部分:类、方法和RTTI的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---