2

I'm reversing some assembly code and I'm consistently coming across certain structures that have an address at the very beginning of the structure.

This address seems to be a pointer to the beginning of an array of function addresses related to that specific structure.

I've also noticed that the first function in the array is usually related to deallocated/cleaning up of the structure.

Does anyone know what this type of structuring is called? I'd like to learn how this works

Joseph Jones
  • 187
  • 3
  • 10
  • You might be looking at a pointer to a vtable (virtual table). – NathanOliver Jan 03 '19 at 14:18
  • Virtual table. For virtual functions. Such as a destructor or user-defined virtual function. As these are run-time dependent. Try reverse-engineering of a class/struct that has no virtual functions. See the difference. Or also interesting: inheritance with virtual tables. – Neijwiert Jan 03 '19 at 14:18
  • [How do objects work in x86 at the assembly level?](https://stackoverflow.com/q/33556511) shows how the vtable works, with x86 examples of compiler-generated code. – Peter Cordes Jan 03 '19 at 14:22
  • Would the first function in the vtable be the destructor? – Joseph Jones Jan 03 '19 at 14:27
  • 1
    It's implementation dependent. Linux and Windows implement their vtable in exactly the opposite order (it depends on the order of declaration IIRC). – Matthieu Brucher Jan 03 '19 at 14:28

1 Answers1

3

That's the "vtable" a.k.a. "virtual method table".

Ken Thomases
  • 88,520
  • 7
  • 116
  • 154