[source]D3D9: Finding the VirtualTable without signatures

**.::SCHiM::.** · 05-19-2011

A little function that searches your applications memory for the VirtualTable of the DevicePointer.

This function finds the device pointer's vtable by scanning for the following logic:

Code:

Vtable.DWORD1 > Vtable.DWORD2 & Vtable.DWORD3
Vtable.DWORD2 > Vtable.DWORD3
Vtable.DWORD1 < Vtable.DWORD4
Vtable.DWORD5 > Vtable.DWORD4
etc...etc... &&
Vtable[0x3] == Vtable[0x7] == Vtable[0x..] == ... etc... etc

This method is not 100% successful all the time. However I've tested it on 7 games and only in 1 game it returned a wrong pointer (DragonAge 2)
You should check the pointer that is returned though. You could do this by checking if the vtable function pointers point to functions(see if they begin with the standard windows prologue code: mov ebp, esp)

This function is also slow, it may take up to 5 seconds for it to return (depending on how high a memory location the Vtable is located)

Code:

#include <windows.h>
#include <iostream>
#include <string.h>

#pragma comment(lib, "VtableScan.lib")

extern "C"{
	DWORD _stdcall ScanTable();
}
int MainThread();

BOOL APIENTRY DllMain( HANDLE hModule, DWORD  fdwReason, LPVOID lpReserved ){

	if( fdwReason == DLL_PROCESS_ATTACH){
       CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&MainThread, NULL, NULL, NULL);
	   return TRUE;
	}

    return TRUE;
}

int MainThread(){

	while(!GetModuleHandle("d3d9.dll")){
         Sleep(1000);
	}

	DWORD Vtable = ScanTable();    // returns the vtable (or something that looks like it)

	char buffer[10] = "";
	std::string OutString = "Vtable Location: 0x";
    sprintf(&buffer[0],"%x",Vtable);
    OutString += buffer;
	
	MessageBox(NULL, OutString.c_str(), "SCHiM", MB_OK);   // output 
    

return 0;
}

Virs:

Jotti
Virscan

**whit** · 05-19-2011

This is pretty neat, ill give it a look
Good job

**♪~ ᕕ(ᐛ)ᕗ** · 05-19-2011

Epic shit dude! Thanks a lot!
Are u a mathematical genius or something?

**crex** · 05-19-2011

Well done!!!

**proman98** · 05-19-2011

Nice work very usefull

**melih52** · 05-19-2011

Thank you for it.

**.::SCHiM::.** · 05-20-2011

Thanks for all the responses, post back if it works. If it doesn't I'll see what I can do

**VirtualDUDE** · 05-20-2011

Makes everything I've made, look ridiculously easy :P

**Hell_Demon** · 05-20-2011

any reason for using this over a sigscan? <:

**.::SCHiM::.** · 05-20-2011

Originally Posted by Hell_Demon

any reason for using this over a sigscan? <:

Not in particular, but signature scans have to be updated every once in a while. This wont need an update, and even if it will need one in the future, it can be done in 5/10 minutes

EDIT: Now that I think about it, you could make an automatic updater. So this won't need to be updated manually

**Jason** · 05-20-2011

Fuck off Cookie. Stop ruining good threads.

@schim, looks fantastic mate.

**Stephen** · 05-20-2011

Amazing Job.

Thread: [source]D3D9: Finding the VirtualTable without signatures

Thread Tools

Display

[source]D3D9: Finding the VirtualTable without signatures

The Following 5 Users Say Thank You to .::SCHiM::. For This Useful Post:

The Following User Says Thank You to Jason For This Useful Post: