[MASM] Self IAT Hook

Here is a tutorial on how to do a self IAT hook.
It's great for learning experiences.

Code:
.486 ;use the 80486 instruction set
.model flat, stdcall ;flat memory, __stdcall convention
option casemap:none ;case sensitivity

include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

;MASM prepends an underscore, so this resolves to __imp__GetModuleHandleA@4,
;the IAT slot itself; "call GetModuleHandle" becomes an indirect call through it
extern _imp__GetModuleHandleA@4 :DWORD
GetModuleHandle equ _imp__GetModuleHandleA@4

.data
EP  db 'ExitProcess', 00h
K32 db 'Kernel32.dll', 00h
BB  db 'Exiting...', 00h

.data?
hInstance DWORD ?

.code

myExit: ;this is what the IAT slot will point to instead of ExitProcess

	push 0 ;uType
	push 0 ;lpCaption
	push offset BB ;lpText
	push 0 ;hWnd
	call MessageBox

	push offset K32
	call GetModuleHandle ;eax = hKernel32
	push offset EP
	push eax
	call GetProcAddress ;resolve the real ExitProcess, bypassing our hooked slot
	push 0 ;exit code for the real ExitProcess
	call eax ;does not return

	retn 4 ;stdcall with one DWORD argument (never reached)

WriteDWORD proc uses EAX EBX lpAddress:DWORD, lpWrite:DWORD
LOCAL dwOldProtect: DWORD
	lea eax, dwOldProtect ;VirtualProtect wants a POINTER to receive the old protection
	push eax
	push PAGE_EXECUTE_READWRITE
	push 4 ;one DWORD
	push lpAddress
	call VirtualProtect ;now we can write memory
	
	mov ebx, lpAddress ;ebx = target
	mov eax, lpWrite ;eax = write
	mov [ebx], eax ;mov eax into dword ptr ebx
	
	lea eax, dwOldProtect
	push eax
	push dwOldProtect ;the protection we saved above
	push 4
	push lpAddress
	call VirtualProtect ;set it back
	
	ret ;ret, not retn, so MASM emits the epilogue (restores EAX/EBX, pops the two args)
WriteDWORD EndP

GetIAT proc uses EBX
	push NULL
	call GetModuleHandle ;get our module base
	mov ebx, eax ;put it into ebx
	add ebx, [ebx+3Ch] ;add e_lfanew, now pointing at the PE header
	assume ebx : ptr IMAGE_NT_HEADERS32 ;self explanatory
	mov ebx, [ebx].OptionalHeader.DataDirectory[1*8].VirtualAddress ;RVA of the import directory
	assume ebx : nothing
	add ebx, eax ;add our base to the RVA
	mov eax, ebx ;mov it into eax
	sub eax, 1Ch ;ExitProcess's IAT slot sits 1Ch bytes before the import directory in THIS build; check it in a debugger, it moves when the imports change
	ret ;the epilogue restores EBX, no manual pop needed
GetIAT EndP

start:
	call GetIAT ;get our hook addr
	mov ebx, offset myExit ;replace it with this
	push ebx ;lpWrite
	push eax ;lpAddress
	call WriteDWORD ;write it
	
@Exit:
	push 0
	call ExitProcess ;now we exit and our hooked exit is called
end start

Sorry if this tutorial is not good, English is my first language but I'm a crappy teacher!

IAT -> Addresses

The opcode calls an address from the IAT; what we are doing is getting the IAT and making it point to a different function.
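As an added example (not part of the original post, and not the MASM above), here is the same lookup done by walking the import descriptors instead of the fixed `sub eax, 1Ch`, plus the check a defender uses to spot this kind of hook: an IAT slot whose value points back into the importing image. The image is constructed inline, and the resolved addresses in it are made-up values.

```python
import struct

def u16(img, off): return struct.unpack_from('<H', img, off)[0]
def u32(img, off): return struct.unpack_from('<I', img, off)[0]
def cstr(img, off): return img[off:img.index(b'\0', off)].decode('ascii')

def iat_slots(img):
    """Yield (dll, function, slot_rva) for every named import of a 32-bit PE that
    is laid out as in memory (RVA == offset from base); the slot is what `call` reads."""
    nt = u32(img, 0x3C)                      # e_lfanew, as in 'add ebx, [ebx+3Ch]'
    assert img[nt:nt + 4] == b'PE\0\0'
    opt = nt + 24                            # OptionalHeader follows the 20-byte FileHeader
    assert u16(img, opt) == 0x10B            # PE32 magic; PE32+ thunks are 8 bytes
    desc = u32(img, opt + 96 + 1 * 8)        # DataDirectory[1] = import directory, as GetIAT reads
    while u32(img, desc + 12):               # a descriptor with Name == 0 ends the table
        dll = cstr(img, u32(img, desc + 12))
        names = u32(img, desc) or u32(img, desc + 16)   # INT, or the IAT itself if no INT
        iat, i = u32(img, desc + 16), 0      # FirstThunk
        while (entry := u32(img, names + i * 4)):
            if not entry & 0x80000000:       # high bit set = import by ordinal, no name
                yield dll, cstr(img, entry + 2), iat + i * 4   # skip the 2-byte hint
            i += 1
        desc += 20                           # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def find_import_slot(img, dll, func):
    """RVA of the IAT slot for dll!func, found by walking the import table instead
    of the fixed 'sub eax, 1Ch' offset, which only holds for one particular build."""
    return next((rva for d, f, rva in iat_slots(img)
                 if d.lower() == dll.lower() and f == func), None)

def hooked_imports(img, image_base):
    """Resolved imports point into the exporting DLL. A slot whose value lies inside
    the importing image itself has been redirected, which is what the tutorial does."""
    return [(d, f) for d, f, rva in iat_slots(img)
            if image_base <= u32(img, rva) < image_base + len(img)]

def build_image(hooked):
    img = bytearray(0x400)                   # constructed image: only fields the walk touches
    img[:2] = b'MZ'; struct.pack_into('<I', img, 0x3C, 0x80)         # e_lfanew
    nt = 0x80; img[nt:nt + 4] = b'PE\0\0'; opt = nt + 24
    struct.pack_into('<H', img, opt, 0x10B)                          # PE32
    struct.pack_into('<I', img, opt + 96 + 8, 0x200)                 # import directory RVA
    struct.pack_into('<5I', img, 0x200, 0x240, 0, 0, 0x300, 0x260)   # INT, 0, 0, Name, IAT
    for off, s in ((0x300, b'KERNEL32.dll\0'), (0x310, b'\0\0ExitProcess\0'),
                   (0x320, b'\0\0GetProcAddress\0')):
        img[off:off + len(s)] = s
    struct.pack_into('<3I', img, 0x240, 0x310, 0x320, 0)             # INT: hint/name RVAs
    # IAT as the loader leaves it, with made-up resolved addresses; the hooked variant
    # points ExitProcess into the image itself (base 0x400000), like 'offset myExit'
    struct.pack_into('<3I', img, 0x260, 0x400143 if hooked else 0x7C81CAFA, 0x7C80AE40, 0)
    return bytes(img)
```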

You can also make DLL files like this, but with memory mapping, of course.

Hope you enjoyed my tutorial!