Overriding C++ virtual functions at run time (opens in new tab)

(blog.visionappster.com)

59 pointstopiolli5y ago38 comments

38 comments

> The C++ standard does not specify how virtual functions should be implemented. In practice, however, compilers generate a virtual function table and place a pointer to it as the first member of a class.

wishful thinking: https://gcc.godbolt.org/z/qWEe9r

badsectoracula5y ago

Not sure what you are trying to show, the object still has a vtable and is placed as the first member (and in your example, only) of the class, so that quote is correct.

Obviously if you enable optimizations and one of those optimizations is avoiding the virtual call when the compiler thinks it isn't necessary, then sure you wont get a virtual call everywhere.

But if your code is relying on implementation assumptions like having a vtable at the start of a class, then it should also make sure that this assumption holds by not trying to work around it (e.g. via final) and using compiler options that control that optimization (e.g. GCC has -fno-devirtualize).

It doesn't make much sense to both try and take advantage of implementation details and work against taking advantage of implementation details at the same time.

MaulingMonkey5y ago

The article talks about vtable patching in scenarios where you might not be able to recompile the original target, which limits your ability to add unusual flags like -fno-devirtualize, or remove common optimization flags like -O3.

Which doesn't make the technique completely useless, but raising this "obvious" important caveat - that it's likely to be an imperfect patch on it's own - when the article completely fails to do so, is worthwhile. I promise you there's C++ programmers out there who weren't aware of how aggressive optimizers can be.

1 more reply

jcelerier5y ago

> Not sure what you are trying to show, the object still has a vtable and is placed as the first member (and in your example, only) of the class, so that quote is correct.

I would not say that it is correct - the "object"'s actual existence is only through the interpretation that is made of it by the functions that work on your bytes. There's no struct definition in compiled code, only functions that do something with memory at a given offset. I won't go as far as to say that "objects" don't exist once your code leaves C++'s abstract machine to enter the compiled code world... but quite close.

With that said, 4 out of these 5 functions completely (and rightfully) disregard the vtable so if you're relying on that behaviour to be in place consistently to, say, fix a security issue in a given binary... you're in for some surprises.

1 more reply

leni5365y ago

In other words if your program relies on undefined behavior then make sure you look at your compiler's documentation and then you might be able to make it implementation defined.

1 more reply

topiolliOP5y ago

Cool. Is this due to "final" and the fact that the compiler can figure out the target at compile time?

MaulingMonkey5y ago

One call site (the one that takes bar&) relies on the final to devirtualize. The other call sites merely rely on the compiler being able to determine the exact type involved at compile time to devirtualize.

bregma5y ago

We were overriding non-virtual functions at run time in the 8-bit days. Even in the feature article's case it would be easier and more reliable to patch the GOT (since he's using ELF on Linux).

It's hardly news but I guess it makes this common cracking technique more accessible.

saagarjha5y ago

Patching the GOT doesn't work for internal function calls, though.

mehrdada5y ago

As you might imagine, overwriting vtables in memory is a common technique to hijack control flow and making your program execute attacker's code in an exploit.

saagarjha5y ago

Patching function pointers in general is very desirable thing to be able to do when writing these kinds of things. vtables are interesting because unlike normal C function pointers they can only be used in a standards-compliant manner in a few very limited ways, so if you’re implementing control flow verification you can really ratchet up the security for these. For normal C function pointers, sadly, the best you can do is usually very little, if anything at all. Especially because the use of non-compliant constructs like forging ordinary function pointers is extremely common in things like language runtimes.

Someone5y ago

In Objective-C, that’s called “method swizzling”, and better supported by the runtime. See https://nshipster.com/method-swizzling/

And of course, Common Lisp has “change-class” (https://www.snellman.net/blog/archive/2015-07-27-use-cases-f..., discussed at https://news.ycombinator.com/item?id=734025) and Smalltalk has “become:” (https://gbracha.blogspot.com/2009/07/miracle-of-become.html. Short discussion at https://news.ycombinator.com/item?id=734025)

jamesu5y ago

Had to go a step further in a project and patch static functions in a codebase with no source. It’s certainly enlightening how much you can do with just a symbol map and type info.

I don’t think the articles vtable layout is entirely accurate for gcc though - usually you’ll get 2 destructors at the start of the vtable (assuming the first virtual func declared is the destructor).

greesil5y ago

Are you willing to share any info on how you got stuck with this project, and what this "codebase" was? Can you call it a codebase is it doesn't have source code?

topiolliOP5y ago

I really cannot recall which library it was exactly. I worked on a project that had many proprietary dependencies. It might have been a GenICam camera driver that caused us a lot of other headaches as well.

Google2345y ago

I would guess a normal project that involves this would be making a hack for a video game

1 more reply

The_rationalist5y ago

I was wondering whether such a thing is possible for JVM based languages and it turns out it is: https://stackoverflow.com/questions/8273685/is-it-possible-t...

danmg5y ago

In Java, you can write an agent and intercept when the bytecode for a class is loaded by the JVM by the Class Loader.

ASM is just a bytecode reader/writer/visitor library that can then modify it. You could also just do it statically by having the bytecode you want injected ready to go in an array or resource.

   if (className.equals("a/b/c/d$e"))
       return fixedClassBytecode;
   else
       return bytecode;

It's possible to create custom loaders (e.g., loading a class from an encrypted zip-file, or one that creates custom bytecode on the fly) and things which are trying to obfuscate what they're doing will have custom loaders, but this is a choke point that every class that's read in and instantiated must pass through.

MaxBarraclough5y ago

So, is it possible? I get the impression you can create a new class using a bytecode-manipulation library, but that's not the same as modifying an existing class at runtime.

I believe classes, once loaded by the JVM, cannot be changed. https://stackoverflow.com/a/43653466/

CHY8725y ago

It's generally possible to rewrite loaded classes. Some changes are possible (e.g. replacing a method's body), others are not (adding new methods). The state of the art library for doing this at the application layer is ByteBuddy https://github.com/raphw/byte-buddy#changing-existing-classe... but this functionality is used by plenty of tooling - profilers such as YourKit rewrite methods to add telemetry - I've seen some security libraries attempt to add additional security related hooks.

1 more reply

ppg6775y ago

FDO compilation will often de-virtualize and remove vtable indirection.

rurban5y ago

AutoCad does this in their ObjectARX technology, with a fixed compiler version, to support user or vendor provided plugins to extend classes. At runtime. For decades.

bitwize5y ago

And this is why despite trying real hard several times, they couldn't remove Autolisp completely...

rootlocus5y ago

This all fine and well for single public inheritance. Multiple inheritance and virtual inheritance don't generate layouts this simple.

j / k navigate · click thread line to collapse

38 comments

jcelerier5y ago

wishful thinking: https://gcc.godbolt.org/z/qWEe9r

badsectoracula5y ago

Not sure what you are trying to show, the object still has a vtable and is placed as the first member (and in your example, only) of the class, so that quote is correct.

Obviously if you enable optimizations and one of those optimizations is avoiding the virtual call when the compiler thinks it isn't necessary, then sure you wont get a virtual call everywhere.

It doesn't make much sense to both try and take advantage of implementation details and work against taking advantage of implementation details at the same time.

MaulingMonkey5y ago

1 more reply

jcelerier5y ago

> Not sure what you are trying to show, the object still has a vtable and is placed as the first member (and in your example, only) of the class, so that quote is correct.

1 more reply

leni5365y ago

In other words if your program relies on undefined behavior then make sure you look at your compiler's documentation and then you might be able to make it implementation defined.

1 more reply

topiolliOP5y ago

Cool. Is this due to "final" and the fact that the compiler can figure out the target at compile time?

MaulingMonkey5y ago

bregma5y ago

We were overriding non-virtual functions at run time in the 8-bit days. Even in the feature article's case it would be easier and more reliable to patch the GOT (since he's using ELF on Linux).

It's hardly news but I guess it makes this common cracking technique more accessible.

saagarjha5y ago

Patching the GOT doesn't work for internal function calls, though.

mehrdada5y ago

As you might imagine, overwriting vtables in memory is a common technique to hijack control flow and making your program execute attacker's code in an exploit.

saagarjha5y ago

Someone5y ago

In Objective-C, that’s called “method swizzling”, and better supported by the runtime. See https://nshipster.com/method-swizzling/

jamesu5y ago

Had to go a step further in a project and patch static functions in a codebase with no source. It’s certainly enlightening how much you can do with just a symbol map and type info.

greesil5y ago

Are you willing to share any info on how you got stuck with this project, and what this "codebase" was? Can you call it a codebase is it doesn't have source code?

topiolliOP5y ago

Google2345y ago

I would guess a normal project that involves this would be making a hack for a video game

1 more reply

The_rationalist5y ago

I was wondering whether such a thing is possible for JVM based languages and it turns out it is: https://stackoverflow.com/questions/8273685/is-it-possible-t...

danmg5y ago

In Java, you can write an agent and intercept when the bytecode for a class is loaded by the JVM by the Class Loader.

ASM is just a bytecode reader/writer/visitor library that can then modify it. You could also just do it statically by having the bytecode you want injected ready to go in an array or resource.

   if (className.equals("a/b/c/d$e"))
       return fixedClassBytecode;
   else
       return bytecode;

MaxBarraclough5y ago

So, is it possible? I get the impression you can create a new class using a bytecode-manipulation library, but that's not the same as modifying an existing class at runtime.

I believe classes, once loaded by the JVM, cannot be changed. https://stackoverflow.com/a/43653466/

CHY8725y ago

1 more reply

ppg6775y ago

FDO compilation will often de-virtualize and remove vtable indirection.

rurban5y ago

AutoCad does this in their ObjectARX technology, with a fixed compiler version, to support user or vendor provided plugins to extend classes. At runtime. For decades.

bitwize5y ago

And this is why despite trying real hard several times, they couldn't remove Autolisp completely...

rootlocus5y ago

This all fine and well for single public inheritance. Multiple inheritance and virtual inheritance don't generate layouts this simple.

j / k navigate · click thread line to collapse