Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Virtual vs. Nonvirtual Functions
Дальше: Conclusion
shows the IDA Pro disassembly using the new operator implemented as an imported function. Since this is the new operator and not a regular function, it has an unusual function name. IDA Pro identifies the function properly as the new operator and labels it as such. Similarly, a delete operator is called when heap-allocated objects are to be freed., we’re looking at an object stored on the stack. The offset moved into location var_10 is the vtable. The compiler here shows some strange behavior by putting different offsets into the same location twice in a row. The instruction at ❶ is useless, because the second offset at ❷ will overwrite what is stored at ❶.
If we were to look at the offsets for this code, we would see that they are the vtables for the two classes. The first offset is the vtable for the parent class, and the second offset is the vtable for the class of the object being created.
Назад: Virtual vs. Nonvirtual Functions
Дальше: Conclusion
, we’re looking at an object stored on the stack. The offset moved into location var_10 is the vtable. The compiler here shows some strange behavior by putting different offsets into the same location twice in a row. The instruction at ❶ is useless, because the second offset at ❷ will overwrite what is stored at ❶.
If we were to look at the offsets for this code, we would see that they are the vtables for the two classes. The first offset is the vtable for the parent class, and the second offset is the vtable for the class of the object being created.
Войти в систему
Войти с помощью соц. сетей:
