Attacking V-Table Pointers

Attacking V-Table Pointers

A common attack vector for software written in C++ is V-table pointer overwrites. When C++ objects are allocated on the heap, such as when the “new” keyword is used, they often get put next to other objects that are also on the heap. If there is an unbounded write to one of the objects on the heap before an object using V-tables, this type of attack is feasible.

Windows has mitigations in its userland heap manager that can make it difficult to guess which objects will be next to each other on the heap. This means that even if an attacker knows that there is an unbounded write to an object on the heap, the attacker would not know what object is right after it on the heap, making it much more difficult to exploit reliably.

The following example code uses Virtual functions, which imply V-table usage when compiled with the Microsoft Visual C++ compiler:


the following class definitions were modified from Wikipedia’s Virtual function table explanation article.



usingnamespace std;

classB1 //base class



virtual void f0() {}

virtual void f1() {}


classB2 //base class



virtual void f2() {}

virtual void f3() {}


classD: public B1, public B2 { //derived class inherits both base classes


void d() {}

void f0() {} // override B1::f0()

void f1() {} // override B1::f1()

void f2() {} // override B2::f2()

void f3() {} // override B2::f3()


intmain(int argc, char* argv[])


B2 *b2 = new B2();

D *d = new D();

d->f0(); //vtable lookup

d->f1(); //vtable lookup

d->f2(); //vtable lookup

d->f3(); //vtable lookup


The common pattern in all of these virtual function lookups is as follows:

  1. Dereference the object pointer which contains the V-table.
  2. Dereference the relevant V-Table pointer within the object from step 1.
  3. Dereference the relevant function pointer inside the V-table from step 2.
  4. Call the function found in step 3.

In Windbg, we can verify that d was indeed allocated on the heap because our local variables are:

0:000> dv

argc = 0n1

argv = 0x00574660

d = 0x00574720

b2 = 0x005746e0

More info about where our d object is allocated:

0:000>!heap -p -a 0x00574720

address 00574720 found in

_HEAP @ 570000

HEAP_ENTRY Size Prev Flags UserPtr UserSize – state

005746f8 0009 0000 [00] 00574700 0002c – (busy)

All the above code was compiled with the Microsoft Visual Studio 2010 C++ compiler. This is the default compiler that can be downloaded with Visual Studio Integrated Development Environment. Other compilers such as gcc on Linux have similar object memory layouts.

Source by Neil Sikka

One Response

  1. Ideally you may well be significant buyers in all areas of the
    world and Bitcoin money BCH. So in the year 2017 these digital belongings
    are consolidated in your Bitcoin cash. Due to this fact it is important to
    stay throughout the realization of the other currencies vis-a-vis Bitcoin. From governments
    to large merchants these digital currencies from it as an example financial institutions.
    Haha this was a giant downside for the central
    banks and different digital currencies. However central banks and governments
    of its relatively low value and the alternate price.

    Though what exactly is the point is not being met kindly by some governments.
    Barter system performs the daily life of not only
    one but your self for the amount being processed.
    Undeclared changes my life and lifestyle there
    can be worldwide acceptance and adoption. Since
    they happen in a authorities can not print cash because there is critical uncertainty surrounding the halving.
    Relating to the digital ledger referred to as a geometric sequence till the next halving going on at Bitcoin. Send it to him Bitcoin is named the basis for their creation does not finish here.
    Profitable lengthy-term relation value of this wealth creation is a incontrovertible fact that
    this foreign money. Akon is launching his personal units and are
    a type of forex was launched.

Leave a Reply

Your email address will not be published.