I'm trying to reverse engineer some code and run into a common pattern many times, but I'm not sure what could it be. The code was compiled with VC++ 2010 and uses some external CLR components for display (but not for any internals as far as I can tell).
Some pattern I see is in some functions that return an object is that they either:
- do a
InterlockedIncrementonobj_ptr - 12before returning it - check the result of
InterlockedDecrementonobj_ptr - 12and if the result is 0, call*(*(obj_ptr - 24) + 64)(obj_ptr - 24)
It looks like some GC based on reference counting with eager call to the destructor. Can anyone confirm if this is correct, or is it some other system?
If that's right - is there some known interface I can see? I'd like to know if I can assume the places doing Increment before returning the value can be assumed to be some expanded version of 'new' for that type.
Also, where could I find more information about this? It looks like this cannot be a part of the standard object's vtable which I'd expect to be a short pointer at the front. Maybe RTTI... but I couldn't find any good example of its layout. I don't expect any multiple inheritance here that would move the base class further in.
