[MASM] Self IAT Hook

**DataBus** · 24-09-10

Here is a tutorial on how to do a self IAT hook
It's great for learning experiences

PHP Code:

  
.486 ;use the 80486 instruction set

.model flat, stdcall ;flat memory __stdcall convention

option casemap:none ;case sensitivity

 
include windows.inc

include kernel32.inc

include user32.inc

includelib kernel32.lib

includelib user32.lib

 
extern _imp__GetModuleHandleA@4 :DWORD

GetModuleHandle equ _imp__GetModuleHandleA@4

 
.data

EP  db 'ExitProcess', 00h

K32 db 'Kernel32.dll', 00h

BB  db 'Exiting...', 00h

 
.data?

hInstance DWORD ?

 
.code

 
myExit: ;this is what will be replaced with ExitProcess

 
    push 0

    push 0

    push offset BB

    push 0

    call MessageBox

 
    push offset K32

    call GetModuleHandle

    push offset EP

    push eax

    call GetProcAddress    

    call eax

    

    retn

 
WriteDWORD proc uses EAX EBX lpAddress:DWORD, lpWrite:DWORD

LOCAL dwOldProtect: DWORD

    push dwOldProtect

    push PAGE_EXECUTE_READWRITE

    push 5

    push lpAddress

    call VirtualProtect ;now we can write memory

    

    mov ebx, lpAddress ;ebx = target

    mov eax, lpWrite ;eax = write

    mov [ebx], eax ; mov eax into dword ptr ebx 

    

    push dwOldProtect

    push dwOldProtect

    push 5

    push lpAddress

    call VirtualProtect ;set it back

    

    retn

WriteDWORD EndP

 
GetIAT proc uses EBX

    push NULL

    call GetModuleHandle ;get our module

    mov ebx, eax ;put it into ebx

    add ebx, [ebx+3Ch] ;point to PE

    assume ebx : ptr IMAGE_NT_HEADERS32 ;self explanitory

    mov ebx, [ebx].OptionalHeader.DataDirectory[1*8].VirtualAddress    ;pointing to it now

    add ebx, eax ;add our base to the address

    mov eax, ebx ;mov it into eax

    sub eax, 1Ch ;point to exitprocess

    pop ebx

    retn

GetIAT EndP

 
start:

    call GetIAT ;get our hook addr

    mov ebx, offset myExit    ;replace it with this

    push ebx 

    push eax

    call WriteDWORD    ;write it

    

@Exit:

    push 0

    call ExitProcess ;now we exit and our hooked exit it called

end start

Sorry if this tutorial is not good, English is my first language but I'm a crappy teacher!

IAT - > Addresses

Opcode calls address from IAT, what we are doing is getting IAT and making it point to a different function

you can also make dll files like this, but with memorymapping of course

hope you enjoyed my tutorial!

**billybombill** · 24-09-10

Lol DataBus your on a roll today ;]

[MASM] Self IAT Hook

LinkBack

Thread Tools

[MASM] Self IAT Hook

Re: [MASM] Self IAT Hook

Posting Permissions