The previous part is here. In this part, we will investigate more exotic cases of intercepting function calls.

VMT for Case 1

VMT stands for virtual method table. VMT is created by the compiler when the class introduces a virtual method or overrides one from any parent class.

Finding VMT depends on the language and the compiler, so I will not explain it here. For most languages, the first 4 bytes in x86 or 8 bytes in x64 points to VMT. Then you need to know where is pointer to the function is in this table.

Then you need to save this address somewhere. Then write a different address into VMT using the WriteProcessMemory function. After that,