This code can be used for hooking the IAT. In this particular example, I overwrite the function pointer of Sleep() imported from Kernel32.dll in the IAT of the main executable image. Sleep() is called twice, once before and once after hooking the IAT, so that the second call going through the replacement confirms the hook took effect.
/*
This code hooks the IAT of the running executable by overwriting the function pointer of Sleep() imported from Kernel32.dll.
It can be modified to hook any other function in the IAT.
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
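/*
 * Replacement for Sleep(). It must carry the same calling convention as the
 * function it displaces (WINAPI == __stdcall on x86): the callers of Sleep()
 * expect the callee to pop its argument, so a cdecl replacement would leave
 * the stack unbalanced after every hooked call.
 */
void WINAPI spoofedfunction(DWORD dwMilliseconds);

/*
 * Locate the IAT slot for Kernel32!Sleep in the running executable, make the
 * slot writable, point it at spoofedfunction() and restore the page's
 * original protection.
 *
 * Uses IMAGE_THUNK_DATA / ULONG_PTR so the same source works for both 32- and
 * 64-bit builds instead of truncating pointers through DWORD.
 *
 * Returns 0 on success, 1 if any PE structure or Win32 call fails.
 */
int main(int argc, char **argv)
{
    const char *target_module = "KERNEL32.dll";
    const char *target_func = "Sleep";
    HMODULE hModule;
    IMAGE_DOS_HEADER *dos;
    IMAGE_NT_HEADERS *nt;
    IMAGE_DATA_DIRECTORY *import_dir;
    IMAGE_IMPORT_DESCRIPTOR *desc;
    IMAGE_THUNK_DATA *name_table;   /* OriginalFirstThunk: keeps the import names */
    IMAGE_THUNK_DATA *addr_table;   /* FirstThunk: the IAT patched by the loader */
    ULONG_PTR *slot = NULL;
    DWORD old_protect = 0;
    DWORD scratch_protect = 0;
    size_t i;

    (void)argc;
    (void)argv;

    hModule = GetModuleHandle(NULL);
    if (hModule == NULL) {
        fprintf(stderr, "there was an error in retrieving the handle (%lu)\n", GetLastError());
        return 1;
    }

    /* Validate the headers before trusting any offset read from them. */
    dos = (IMAGE_DOS_HEADER *)hModule;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        fprintf(stderr, "bad DOS signature\n");
        return 1;
    }
    nt = (IMAGE_NT_HEADERS *)((BYTE *)hModule + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        fprintf(stderr, "bad NT signature\n");
        return 1;
    }

    import_dir = &nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (import_dir->VirtualAddress == 0 || import_dir->Size == 0) {
        fprintf(stderr, "image has no import directory\n");
        return 1;
    }

    /*
     * The descriptor array ends with an all-zero entry; stop there rather than
     * walking off the end when the module is not imported. DLL names are
     * case-insensitive on Windows, and linkers differ in the case they emit.
     */
    desc = (IMAGE_IMPORT_DESCRIPTOR *)((BYTE *)hModule + import_dir->VirtualAddress);
    for (; desc->Name != 0; desc++) {
        const char *module_name = (const char *)((BYTE *)hModule + desc->Name);
        if (_stricmp(module_name, target_module) == 0) {
            break;
        }
    }
    if (desc->Name == 0) {
        fprintf(stderr, "%s is not in the import table\n", target_module);
        return 1;
    }
    printf("Module name is: %s\n", (const char *)((BYTE *)hModule + desc->Name));

    /*
     * Some toolchains leave OriginalFirstThunk at 0 (no separate name table);
     * then the names are gone once the loader has overwritten the IAT, so
     * treat it as unsupported instead of dereferencing the image base.
     */
    if (desc->OriginalFirstThunk == 0) {
        fprintf(stderr, "import descriptor has no OriginalFirstThunk\n");
        return 1;
    }
    name_table = (IMAGE_THUNK_DATA *)((BYTE *)hModule + desc->OriginalFirstThunk);
    addr_table = (IMAGE_THUNK_DATA *)((BYTE *)hModule + desc->FirstThunk);
    printf("Original First Thunk: %p\n", (void *)name_table);
    printf("First Thunk: %p\n", (void *)addr_table);

    /* Both tables are parallel and zero-terminated; index i is shared. */
    for (i = 0; name_table[i].u1.AddressOfData != 0; i++) {
        IMAGE_IMPORT_BY_NAME *by_name;

        /* Ordinal imports carry no name (high bit set); skip them. */
        if (IMAGE_SNAP_BY_ORDINAL(name_table[i].u1.Ordinal)) {
            continue;
        }
        by_name = (IMAGE_IMPORT_BY_NAME *)((BYTE *)hModule + name_table[i].u1.AddressOfData);
        if (strcmp((const char *)by_name->Name, target_func) == 0) {
            slot = (ULONG_PTR *)&addr_table[i].u1.Function;
            break;
        }
    }
    if (slot == NULL) {
        fprintf(stderr, "%s is not imported from %s\n", target_func, target_module);
        return 1;
    }
    printf("function pointer is stored at: %p\n", (void *)slot);

    printf("Sleep before hooking\n");
    Sleep(2000);

    /*
     * The IAT lives in a data section, so RW is enough for the write; the
     * original protection is restored afterwards instead of hard-coding a
     * value, so no page is left more permissive than the loader made it.
     */
    if (!VirtualProtect(slot, sizeof *slot, PAGE_READWRITE, &old_protect)) {
        fprintf(stderr, "VirtualProtect failed (%lu)\n", GetLastError());
        return 1;
    }
    /* Plain store: the page is writable in our own process, no WriteProcessMemory needed. */
    *slot = (ULONG_PTR)spoofedfunction;
    if (!VirtualProtect(slot, sizeof *slot, old_protect, &scratch_protect)) {
        fprintf(stderr, "VirtualProtect (restore) failed (%lu)\n", GetLastError());
        return 1;
    }

    printf("Sleep after hooking\n");
    Sleep(2000);
    return 0;
}

/*
 * Hook body installed in place of Sleep(). Announces itself and then performs
 * the original sleep via SleepEx() so the caller's timing is unchanged.
 *
 * dwMilliseconds: the argument the caller passed to Sleep().
 */
void WINAPI spoofedfunction(DWORD dwMilliseconds)
{
    printf("From inside the hooked function\n");
    SleepEx(dwMilliseconds, 0);
}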