Vtable hooking/Vmt hooking

[SirKinky]

What's good, it's @Lehsyrus again with some new shit for you. This tutorial is leeched. This is to go together along with the A.V.A SDK I put in the source code section. As I said, this is LEECHED. Credits are all to EddyK from another site that no one needs to ever care about because MPGH is sexy.

------------------------------
----Vtable/Vmt hooking---
------------------------------

Lately I've been learning about Vtable/VMT hooking and I've been trying to get it working for a hack in APB (UE3). I haven't completely figured it out yet, but I decided to compile what I learn into a tutorial, to help others get started.

Now I see you wondering: Why make a tutorial when you don't fully understand what you are doing yet? Personally I think this is a perfect time to write a tutorial, because being new to vtable hooking, I can more easily understand the problems newbies will run into. See it as a tutorial written by a newbie for newbies. I am also hoping that more experienced members will correct me if I post any wrong or misleading information.

For now, just a short textual introduction to VMTs, but eventually I want this to be a full tutorial with code examples and pictures

What is a VMT/Vtable?

Whenever a class defines a virtual function (or method), most compilers add a hidden member variable to the class which points to a so called virtual method table (VMT or Vtable). This VMT is basically an array of pointers to (virtual) functions. At runtime these pointers will be set to point to the right function, because at compile time, it is not yet known if the base function is to be called or a derived one implemented by a class that inherits from the base class.

How do we use a VMT to hook?

There are two ways to use a VMT to hook a function.

In the first we simply replace one of the function pointers in the VMT with one of our own, pointing to a function we want to hook (obviously this needs to have the same signature as the original for proper execution of the program). Note that with this option, all instances of a class (objects) that point to the same virtual table will be affected.

The second option is to copy (or make a new) VMT and set the VMT pointer of an object to our VMT. Obiously we need to have a valid table here, or bad things will happen. So we will need to make sure the new VMT is the same size and points to similar functions. With this option, only the specific instance of a class will be affected.

To make sure the program resumes properly after we complete our hooked code, we call the original function at the end of the hooked function. This means we need to make sure we store a pointer to the original function!

How to get a pointer to a VMT?

In C++ the place where the pointer is stored in a class is compiler dependant. But the MS visual C++ compiler always stores it as the first member or in the first 4 bytes (the size of a pointer) of the class. Now note that this is always a hidden member, so we need to copy the memory of the first 4 bytes of the class into a pointer variable and then we have the pointer to the VMT.

Hooking the unreal engine

Now onto some examples of how to hook into the unreal engine using vtables. I will be using the vmthooks library written by Casual_Hacker over at ************* to abstract the whole hooking process. If you wish to adapt your own feel free to do so.

You will also need an SDK for the game you are hacking (uNrEaL has released alot for the unreal engine).

First we would create a new DLL. The OnAttach function is what will be called when you inject your DLL into the game.

Code:

BOOL WINAPI DllMain ( HMODULE hModule, DWORD dwReason, LPVOID lpReserved )
{
    if ( dwReason == DLL_PROCESS_ATTACH )    
        OnAttach ();
    
    return TRUE;
}

Basic stuff really. Then we will need to declare some global variables and includes that we will be using later one. You can do this in a separate header if you like, or not.

Code:

#pragma once //Header guard
#include <windows.h> // duh
#include "vmthooks.h" //vmt hooking class
#include "SDKheaders.h" //SDK headers

toolkit::VMTHook* hook; //Pointer to the VMTHook class
typedef void (__stdcall *ProcessEvent ) ( UFunction*, void*, void* ); //typedef for the processevent function pointer
ProcessEvent pProcessEvent = NULL; //pointer to original processevent
UFunction *pUFunc                        = NULL; //pointers to processevent arguements
void      *pParms                        = NULL;
void      *pResult                        = NULL;

If you aren't sure what these will be used for, I will get to that later. Next you will need to start by implementing the OnAttach function and the first thing you need to do is find an instance of the object you want to hook. Good classes to hook for the unreal engine are the "HUD class", the "Viewport class" and the "PlayerController". In my example I'll be hooking the viewport class, as it allows engine drawing in postrender.

Code:

UObject* viewport = getViewport(); //get a pointer to the viewport
    hook = new toolkit::VMTHook(viewport); //hook object
    pProcessEvent = hook->GetMethod<tProcessEvent>(60); //save the orginal funtion in global variable
    hook->HookMethod(&ProcessEventHooked, 60); //replace the orginal function with the hooked function

I'll leave it up to you to find the viewport, it shouldn't be hard and there are many ways to do it. (tip: use the object dump (GObjects). Next we hook the object using the VMThook class. This will allow you to manipulate teh vtable. Make sure you store a pointer to the old pProcesEvent. Its at index 60 for APB, not sure about other unreal games.

Then proceed by replacing the Vtable with a copy( Don't modify the orginal or your hack will be much easier to detect) and now replace the pointer at the proper index with a pointer to your own hooked function, which we still need to make.

Code:

void __declspec(naked) ProcessEventHooked ()
{

    __asm mov pCallObject, ecx; //get caller from ecx register and save it in pCallObject

    __asm
    {
        push eax
        mov eax, dword ptr [esp + 0x8]
        mov pUFunc, eax
        mov eax, dword ptr [esp + 0xC]
        mov pParms, eax
        mov eax, dword ptr [esp + 0x10]
        mov pResult, eax
        pop eax        
    } // Manually get the proper parameters for the function

    __asm pushad //Save registers on stack   
    //Do stuff here!
    __asm popad //restore registers from stack
    __asm
    {
        push pResult
        push pParms
        push pUFunc
        call pProcessEvent

        retn 0xC
    } //put parameters on stack and call the orginal function

}

This is an empty template for the a hooked processevent function (thanks lowHertz!). I'll try to explain briefly what goes on here (as far as my understanding of it goes).

__declspec(naked) is a calling convention that basicly leaves it to the programmer to prepare and clean the stack for the function. Don't ask me for details, I basicly c&p this from lowHertz :P.

With the first line we take a pointer from the ECX register, this pointer points to the object that called the function. Since in my method we already have a pointer to the correct object this is not really necessary.

The block that follows is asm for putting the arguments (that the orginal function got called with) into the global variables you declared earlier. You also need these to call the orginal function later.

pushad saves the registers on the stack. So now you can execute whatever code you want and afterwards it restores the registers to their orginal state by popping them off the stack with popad.

The last bit pushes the arguments onto the stack and calls the orginal function, which you stored earlier. If all is well then the orginal function executes properly and the game resumes as it would usually.

[[I]Tfrix]

nice tut, but are Vtable hooking steal undetected?

[Lehsyrus]

nice tut, but are Vtable hooking steal undetected?

To be honest I have no idea, I realized that APB and A.V.A both use UE3 and saw some talk on another site that it was still possible, but this was a few months prior. It might still work, I'm not that in-depth into programming yet to be honest