
C plus plus class analysis

Simon Sokolov edited this page Jul 12, 2021 · 3 revisions

Phrank can detect C++ classes.

  1. First, phrank detects virtual tables.
  2. Then phrank detects constructors and destructors that use the detected virtual tables.
  3. Then phrank determines the sizes of the C++ classes.
  4. Finally, phrank determines inheritance among the C++ classes.

Phrank can detect inheritance among C++ classes.

  • A constructor that calls another constructor, or a destructor that calls another destructor, belongs to a child class; the callee belongs to its parent class.
  • A constructor or destructor that writes several virtual tables to the same offset belongs to a child class; the overwritten virtual tables belong to parent classes.

Assumptions under which phrank determines inheritance, and decides which cdtor is a constructor and which is a destructor:

  • Only constructors and destructors write virtual tables to objects (that is, the virtual tables of a C++ object do not change at runtime).
  • Destructors take only one argument (the this pointer). Virtual destructors take exactly two arguments (the this pointer and a free flag).
  • The last virtual table written to each offset in a constructor is the main virtual table; any other one (if it exists) is a virtual table of a parent class.
  • The same holds for destructors, in reverse order.
  • A destructor calls only destructors of parent classes (with the this pointer as argument 0); a constructor calls only constructors of parent classes.
  • A C++ class can have several constructors but only one destructor.
  • A virtual table belongs to exactly one C++ class.
  • A constructor or destructor belongs to exactly one C++ class.
  • Constructors do not use negative offsets from the this pointer.
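The two inheritance rules and the ordering assumptions above, as an added worked example in Python. This is not phrank's own code (phrank runs inside IDA; this script is standalone): the cdtor descriptions, vtable addresses and class names in `CDTORS` are constructed, and `CDTORS`, `main_and_parent_vtables` and `build_classes` are hypothetical names. The constructor/destructor decision is taken as already made (by the argument-count rule), and the one-destructor, one-owner and no-negative-offset assumptions are enforced as checks rather than silently assumed.

```python
from collections import defaultdict

# Constructed sample input (hypothetical addresses and names). Each cdtor lists
# its virtual-table writes in program order as (offset in object, vtable
# address), and the cdtors it calls with its own `this` as argument 0.
# Derived : Base; Multi : Base, Other (Other's subobject sits at offset 8,
# so Multi's constructor overwrites offset 8 with Multi's secondary vtable).
CDTORS = {
    "Base::Base":        {"ctor": True,  "writes": [(0, 0x1000)], "calls": []},
    "Base::~Base":       {"ctor": False, "writes": [(0, 0x1000)], "calls": []},
    "Derived::Derived":  {"ctor": True,  "writes": [(0, 0x1000), (0, 0x2000)],
                          "calls": ["Base::Base"]},
    "Derived::~Derived": {"ctor": False, "writes": [(0, 0x2000), (0, 0x1000)],
                          "calls": ["Base::~Base"]},
    "Multi::Multi":      {"ctor": True,
                          "writes": [(0, 0x1000), (0, 0x3000), (8, 0x4000), (8, 0x3100)],
                          "calls": ["Base::Base"]},
    "Other::Other":      {"ctor": True,  "writes": [(0, 0x4000)], "calls": []},
}


def main_and_parent_vtables(cdtor):
    """Split a cdtor's vtable writes into its own (main) vtables per offset and
    the vtables it overwrote, which belong to parents.

    Constructors: the last write to each offset is the main vtable.
    Destructors: the same rule in reverse program order (first write wins).
    """
    writes = cdtor["writes"] if cdtor["ctor"] else list(reversed(cdtor["writes"]))
    main, parents = {}, set()
    for off, vt in writes:
        if off < 0:
            raise ValueError("negative this-offset %d violates the assumptions" % off)
        if off in main:
            parents.add(main[off])  # overwritten vtable -> parent class
        main[off] = vt
    return main, parents


def build_classes(cdtors):
    """Group cdtors into classes and derive inheritance.

    A class is identified by its main vtable at offset 0. Each vtable and each
    cdtor must end up owned by exactly one class, and a class may have at most
    one destructor; violations raise instead of producing a wrong hierarchy.
    """
    by_vtable = {}  # vtable address -> class key
    classes = defaultdict(lambda: {"cdtors": [], "vtables": {}, "parents": set()})
    analysed = {}   # cdtor name -> (class key, parent vtables)

    # Pass 1: assign cdtors and their main vtables to classes.
    for name, c in cdtors.items():
        main, parent_vts = main_and_parent_vtables(c)
        key = "class_%x" % main[0]
        for vt in main.values():
            owner = by_vtable.setdefault(vt, key)
            if owner != key:
                raise ValueError("vtable %#x claimed by %s and %s" % (vt, owner, key))
        classes[key]["cdtors"].append(name)
        classes[key]["vtables"].update(main)
        analysed[name] = (key, parent_vts)

    # Pass 2: inheritance from overwritten vtables and from cdtor-to-cdtor calls.
    for name, (key, parent_vts) in analysed.items():
        for vt in parent_vts:
            # A parent vtable never written by its own cdtor (e.g. inlined
            # constructor) still names a class; create it without cdtors.
            classes[key]["parents"].add(by_vtable.setdefault(vt, "class_%x" % vt))
        for callee in cdtors[name]["calls"]:
            # A constructor only calls constructors, a destructor only destructors.
            if cdtors[callee]["ctor"] != cdtors[name]["ctor"]:
                raise ValueError("%s calls %s of the other kind" % (name, callee))
            classes[key]["parents"].add(analysed[callee][0])

    for key, cls in classes.items():
        dtors = [n for n in cls["cdtors"] if not cdtors[n]["ctor"]]
        if len(dtors) > 1:
            raise ValueError("%s has several destructors: %s" % (key, dtors))
    return dict(classes)


if __name__ == "__main__":
    for key, cls in sorted(build_classes(CDTORS).items()):
        print(key, "vtables", {o: hex(v) for o, v in cls["vtables"].items()},
              "parents", sorted(cls["parents"]), "cdtors", cls["cdtors"])
```

The class keys are derived from the offset-0 vtable because, under the assumptions, that vtable belongs to exactly one class; a real analysis would map them back to symbol names where available.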