
Retrieving overridden function address with madMAPFile

Posted: Thu Aug 23, 2018 9:46 am
by obones
Hello,

I'm doing something a bit tricky here with a running exe which I know has its MAP file embedded by madExcept.
I'm calling methods whose address I have found thanks to madMAPFile, this way:

    SomeMethodPtr := GetMapFileAddress(GetModuleName(0), 'SomeUnit', 'TSomeClass.SomeMethod');

Then I call it this way:

    SomeMethodPtr(ObjectAddress, Param1, Param2, Param3);

I have spared you all the gruesome details for getting the object address, but all in all, it works just fine.
However, if SomeMethod is virtual and the object is an instance of a derived class that overrides SomeMethod, then only the "root" method is called, not the derived one.
This is completely expected because I'm only ever retrieving the address of the base class method and not doing any VMT walkthrough.

Fortunately for me, in my case, there are only a few classes derived from TSomeClass, I know them in advance and know if they have overridden SomeMethod. So I can call GetClassName and find the appropriate entry point to call.

But as I'm trying to be "future proof", I'm wondering if there is a way to "walk the VMT" of the given object to find the effective address.
Would you have any suggestions?
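The VMT walk asked about above, as an added example that is not code from the original post or from madshi's libraries: a stand-alone Delphi console program that finds the VMT slot of a base-class virtual method and then reads, from the object's own class, the implementation a normal virtual call would reach. It assumes a Delphi class reference points at slot 0 of its VMT (metadata such as vmtParent sits at negative offsets), that scanning a bounded number of slots (MaxSlots, an assumed upper bound) stays inside the module image, and it takes the base address with @TBase.Hello rather than GetMapFileAddress so it runs without an embedded MAP file. TBase, TDerived, TUnchanged, THelloProc, FindVmtSlot and ResolveVirtual are names chosen for this example.

```pascal
program VmtResolveDemo;
{$APPTYPE CONSOLE}

uses
  SysUtils;

type
  TBase = class
    procedure Hello(const Who: string); virtual;
  end;

  TDerived = class(TBase)
    procedure Hello(const Who: string); override;
  end;

  TUnchanged = class(TBase)
    // does not override Hello: its VMT slot still holds TBase.Hello
  end;

  // Plain procedure type shaped like a method call: Self is the first
  // parameter, exactly like the SomeMethodPtr(ObjectAddress, ...) call above.
  THelloProc = procedure(Self: TObject; const Who: string);

procedure TBase.Hello(const Who: string);
begin
  Writeln('TBase.Hello for ', Who);
end;

procedure TDerived.Hello(const Who: string);
begin
  Writeln('TDerived.Hello for ', Who);
end;

// Locate the VMT slot holding BaseImpl by scanning the base class's table.
// A class reference is a pointer to slot 0 of its VMT. MaxSlots is an
// assumed upper bound; the scan only compares pointers, it never calls them.
function FindVmtSlot(BaseClass: TClass; BaseImpl: Pointer; MaxSlots: Integer = 64): Integer;
var
  Slots: PPointer;
  I: Integer;
begin
  Slots := PPointer(BaseClass);
  for I := 0 to MaxSlots - 1 do
  begin
    if Slots^ = BaseImpl then
      Exit(I);
    Inc(Slots);            // advance by SizeOf(Pointer)
  end;
  Result := -1;
end;

// Read the implementation a virtual call on Obj would actually reach:
// same slot index, but taken from the object's own (possibly derived) VMT.
function ResolveVirtual(Obj: TObject; Slot: Integer): Pointer;
var
  Slots: PPointer;
begin
  Slots := PPointer(Obj.ClassType);   // equivalent to PPointer(Obj)^
  Inc(Slots, Slot);
  Result := Slots^;
end;

var
  BaseImpl: Pointer;
  Slot: Integer;
  Objects: array[0..2] of TObject;
  Obj: TObject;
  Target: THelloProc;
begin
  // In the post this address comes from GetMapFileAddress(...); here it is
  // taken from the compiler so the program runs without an embedded MAP file.
  BaseImpl := @TBase.Hello;
  Slot := FindVmtSlot(TBase, BaseImpl);
  if Slot < 0 then
    raise Exception.Create('TBase.Hello not found in the VMT');
  Writeln('TBase.Hello lives in VMT slot ', Slot);

  Objects[0] := TBase.Create;
  Objects[1] := TDerived.Create;
  Objects[2] := TUnchanged.Create;
  try
    for Obj in Objects do
    begin
      Target := THelloProc(ResolveVirtual(Obj, Slot));
      Write(Obj.ClassName, ' overrides? ', Pointer(Target) <> BaseImpl, ': ');
      Target(Obj, 'caller');   // dispatches exactly as Obj.Hello('caller') would
    end;
  finally
    for Obj in Objects do
      Obj.Free;
  end;
end.
```

The slot index is a property of the base class, so it only has to be computed once per method; every object of any descendant class then yields its effective implementation through the same index, which is what makes the approach hold up when new overriding classes appear later. The comparison against BaseImpl also tells you whether a class overrides the method at all, as TUnchanged shows.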

Re: Retrieving overridden function address with madMAPFile

Posted: Thu Aug 23, 2018 10:52 am
by madshi
I don't know, never tried that. Maybe madExcept.IsValidObject gives you some hints about how to parse an object/class in a low-level way?

Re: Retrieving overridden function address with madMAPFile

Posted: Thu Aug 23, 2018 3:05 pm
by obones
Thanks, that would help indeed.
I know the VMT is in a data section of the exe, but I'm wondering if I can infer its location from some data in the MAP file.
Ah well, too many knots in the brain for too little benefit.

Re: Retrieving overridden function address with madMAPFile

Posted: Thu Aug 23, 2018 3:48 pm
by madshi
madExcept only stores function and method names and line numbers in the resource section. Everything else in the MAP files is discarded. But I don't think there's any VMT information in there, anyway.