Reputation: 91
Finding address of the 'vftable' symbol in an .exe file
I am trying to find the address (or offset from base address) of the 'vftable' symbol for the class 'Greeter' by statically analyzing an executable file. While analyzing it dynamically in Visual Studio by adding a breakpoint and disassembling the constructor of the 'Greeter' class, I was able to find the address of the symbol.
00007FF76A891951 lea rcx,[Greeter::`vftable' (07FF76A89ACE0h)]
00007FF76A891958 mov qword ptr [rax],rcx
But this is it's runtime address. I need to find a way to figure out the offset by maybe using a tool like 'dumpbin' or something similar. I know I can figure out the offset by using the address above, but I need a way to automate this, so it will have to be through a tool.
I tried using 'dumpbin' on the exe to disassemble it and find the same instructions of the Greeter class:
0000000140011951: 48 8D 0D 88 93 00 lea rcx,[??_7Greeter@@6B@]
0000000140011958: 48 89 08 mov qword ptr [rax],rcx
So, I set out to try to find references to this symbol ??_7Greeter@@6B@
I tried using 'dumpbin' with the following command:
dumpbin /all ConsoleApplication.obj > cout
I got the following relevant output:
Section length 18, #relocs 3, #linenums 0, checksum 0, selection 6 (pick largest)
Relocation CRC BDB82F45
134 00000008 SECT43 notype External | ??_7Greeter@@6B@ (const Greeter::`vftable')
135 00000000 SECT44 notype Static | .rdata
I also got this output:
SECTION HEADER #43
.rdata name
0 physical address
0 virtual address
18 size of raw data
DA3B file pointer to raw data (0000DA3B to 0000DA52)
DA53 file pointer to relocation table
0 file pointer to line numbers
3 number of relocations
0 number of line numbers
40401040 flags
Initialized Data
COMDAT; sym= "const Greeter::`vftable'" (??_7Greeter@@6B@)
8 byte align
Read Only
RAW DATA #43
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 ........
RELOCATIONS #43
Symbol Symbol
Offset Type Applied To Index Name
-------- ---------------- ----------------- -------- ------
00000000 ADDR64 00000000 00000000 14C ??_R4Greeter@@6B@ (const Greeter::`RTTI Complete Object Locator')
00000008 ADDR64 00000000 00000000 8C ?sayHello@Greeter@@UEAAX_J00@Z (public: virtual void __cdecl Greeter::sayHello(__int64,__int64,__int64))
00000010 ADDR64 00000000 00000000 8D ?initUser@Greeter@@UEAAXXZ (public: virtual void __cdecl Greeter::initUser(void))
Does anybody have any idea how I would go about finding the offset of this symbol? Is there a specific 'dumpbin' option that I need to use to print offset of symbols that are mentioned in the disassembly?
Upvotes: 2
Views: 305
Answers (0)
Related Questions
- Find address of a class member when debugging in VS
- How to find out where the main function in an .exe file is?
- how to get "address of entry point" from exe file in visual c++?
- Disassembly code from visual studio
- Is vftable[0] stores the first virtual function or RTTI Complete Object Locator?
- Dumping VTable Offsets on Windows
- Utilizing the virtual pointer table address seen in Visual Studio debugger
- How do I find out my .exe's entry-point function?
- PE .idata section
- find a particular function in a executable using dumpbin tools family