Virtual Method Tables

R5AC ensures that VMTPs point within expected bounds and that read-only VMT-related data has not been tampered with.

Here is an example of what this detection might look like.

Every time sub_1DCDD1 is called, the detection VTP_GetFilesystemInterface is executed.

char __fastcall sub_1DCDD1()
{
  FilesystemInterface = (__int64 *)R5::VTP_GetFilesystemInterface(); // Every time this
  *((_QWORD *)v2 + 16) = FilesystemInterface;
  gpFileSystemInterface[0] = FilesystemInterface;
  return 1;
}
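
The two checks described at the top of this page (a VMTP that points within expected bounds, and read-only VMT data that has not been modified) can be combined as in the following added example, which is not R5AC's code. All names (`vmt_check`, `vmt_hash`, `g_rdata`, `object_t`) are hypothetical, and the FNV-1a baseline hash and the simulated read-only range are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

typedef void (*vfunc_t)(void);
typedef struct { vfunc_t *vmtp; } object_t;   /* first field is the VMT pointer */
typedef enum { VMT_OK, VMT_OUT_OF_BOUNDS, VMT_TAMPERED } vmt_status_t;

static volatile int g_tag;                    /* keeps the three bodies distinct */
static void fs_open(void)  { g_tag = 1; }
static void fs_close(void) { g_tag = 2; }
static void hook(void)     { g_tag = 3; }

#define VMT_SLOTS 2
/* Constructed stand-in for the read-only range holding VMTs; writable only to simulate a patch. */
static vfunc_t g_rdata[4] = { fs_open, fs_close, 0, 0 };

/* FNV-1a over the table's raw bytes (assumed baseline hash). */
static uint64_t vmt_hash(const vfunc_t *vmt, size_t slots) {
    const unsigned char *p = (const unsigned char *)vmt;
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < slots * sizeof(vfunc_t); i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Bounds check first, so the hash never reads memory outside the range. */
static vmt_status_t vmt_check(const object_t *obj, uint64_t baseline) {
    uintptr_t lo = (uintptr_t)g_rdata, hi = lo + sizeof(g_rdata);
    uintptr_t p = (uintptr_t)obj->vmtp;
    size_t need = VMT_SLOTS * sizeof(vfunc_t);
    if (p < lo || p > hi - need || (p - lo) % sizeof(vfunc_t) != 0)
        return VMT_OUT_OF_BOUNDS;
    if (vmt_hash(obj->vmtp, VMT_SLOTS) != baseline)
        return VMT_TAMPERED;
    return VMT_OK;
}

int main(void) {
    uint64_t base = vmt_hash(g_rdata, VMT_SLOTS);
    vfunc_t fake[VMT_SLOTS] = { hook, fs_close };  /* table outside the range */
    object_t good = { g_rdata }, swapped = { fake };
    int ok = vmt_check(&good, base) == VMT_OK
          && vmt_check(&swapped, base) == VMT_OUT_OF_BOUNDS;
    g_rdata[0] = hook;                             /* simulate a patched slot */
    ok = ok && vmt_check(&good, base) == VMT_TAMPERED;
    return ok ? 0 : 1;
}
```

The bounds test also rejects a pointer near the end of the range whose table would run past it, and a pointer that is not slot-aligned.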