Windbg: going from vftable to c++ class

Question

As part of an assignment, I am delving into the world of Internet Explorer, and am trying to figure out exactly what class(es) are being allocated on the heap.

In the mshtml!CEventObj::GenericGetElement() method, the eax register points to an instance of a class, edi points to the object it references, and esi points to the vftable.

This being said, I inserted a breakpoint that would list these registers each time through the function, and they always point to the same vftable.

The vftable in question is mshtml!CBodyElement, but does this actually mean that all these instances are of the CBodyElement, or could they be for classes derived from CBodyElement.

If they are from derived classes, how do I determine the actual classes being allocated ?

Zach Riggle · Accepted Answer · 2014-10-13 21:48:08Z

A derived class will get its own vtable if it overrides any of the virtual functions.

If the derived class does not override any virtual functions, it will use the original vtable.

I would say that your assumption is correct ~90% of the time.

The best that you can do for static type recovery, is to look at the vtable being used.

What you can do to help a bit is to turn one PageHeap with stack tracking (gflags.exe /i iexplore.exe +hpa +ust) and look at the address allocated for the object (!heap -p -a 0xaddress). This will give you a full stack trace to the allocation-site of the object, which is sometimes to determine the type of object (e.g. if a Factory pattern was used).

Finally, there are additional dynamic analysis tricks you can play. I wrote a Pin tool and IDA Python plugin, ida-splode for almost exactly this application. By capturing information at runtime, you can enhance your IDA traces. Below is an example screenshot from the slide deck. The better symbol information you have (or the better fleshed-out your IDB is), the better the information you get.

不及格的程序员-八神

Windbg: going from vftable to c++ class

南来地,北往的,上班的,下岗的,走过路过不要错过!