Skip to content

fix: improve vtable ownership verification in hasVtable #305

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 16, 2025
Merged

fix: improve vtable ownership verification in hasVtable #305

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 18 additions & 1 deletion src/vtablehook.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,12 +238,29 @@
* \brief VtableHook::hasVtable 对象的虚表已经被覆盖时返回true,否则返回false
* \param obj
* \return
*
* 修复: 不仅检查地址是否在映射表中,还要验证当前对象的 vtable 是否与记录的 ghost vtable 匹配
* 防止地址重用导致误判
*/
bool VtableHook::hasVtable(const void *obj)
{
quintptr **_obj = (quintptr**)(obj);

Check warning on line 247 in src/vtablehook.cpp

View workflow job for this annotation

GitHub Actions / cppcheck 

C-style pointer casting detected. C++ offers four different kinds of casts as replacements: static_cast, const_cast, dynamic_cast and reinterpret_cast. A C-style cast could evaluate to any of those automatically, thus it is considered safer if the programmer explicitly states which kind of cast is expected.

Check warning on line 247 in src/vtablehook.cpp

View workflow job for this annotation

GitHub Actions / static-check / static-check 

C-style pointer casting detected. C++ offers four different kinds of casts as replacements: static_cast, const_cast, dynamic_cast and reinterpret_cast. A C-style cast could evaluate to any of those automatically, thus it is considered safer if the programmer explicitly states which kind of cast is expected.

return objToGhostVfptr.contains(_obj);
// 验证 vtable 是否匹配
quintptr *ghost_vtable = objToGhostVfptr.value(obj);
if (!ghost_vtable) {
return false;
}

// 检查当前对象的 vtable 指针是否指向我们记录的 ghost vtable
if (*_obj != adjustToEntry(ghost_vtable)) {
// vtable 不匹配,说明地址被重用了
qCDebug(vtableHook) << "hasVtable: vtable mismatch! Address reused by different object."
<< "obj:" << QString("0x%1").arg((quintptr)obj, 0, 16);
return false;
}

return true;
}

void VtableHook::resetVtable(const void *obj)
Expand Down
Loading