Virtual Method Tables

R5AC is ensuring that VMTP's are pointing within expected bounds, and that read-only VMT related data has not been tampered with.

 

Here is an example of how this detection might look like.

char __fastcall sub_1DCDD1()
{

  // ...
  FilesystemInterface = (__int64 *)R5::VTP_GetFilesystemInterface();
  *((_QWORD *)v2 + 16) = FilesystemInterface;
  gpFileSystemInterface[0] = FilesystemInterface;
  return 1;
}