Here is a tutorial on how to do a self IAT hook.
It's great for learning experiences.
Code (MASM32, x86 assembly):
.486                                    ;use the 80486 instruction set
.model flat, stdcall                    ;flat memory, __stdcall convention
option casemap:none                     ;case sensitivity
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

; Call GetModuleHandleA through its IAT slot directly (call dword ptr [__imp__...])
; instead of through the import thunk, to show where the IAT is actually used.
extern _imp__GetModuleHandleA@4 :DWORD
GetModuleHandle equ _imp__GetModuleHandleA@4

.data
EP  db 'ExitProcess', 00h
K32 db 'Kernel32.dll', 00h
BB  db 'Exiting...', 00h

.data?
hInstance DWORD ?

.code
myExit:                                 ;this is what replaces ExitProcess in the IAT
                                        ;on entry: [esp] = return address, [esp+4] = uExitCode
    push 0                              ;uType
    push 0                              ;lpCaption
    push offset BB                      ;lpText
    push 0                              ;hWnd
    call MessageBox
    ; The IAT slot for ExitProcess now points here, so calling ExitProcess by name
    ; would just recurse into this hook; resolve the real address with GetProcAddress.
    push offset K32
    call GetModuleHandle
    push offset EP
    push eax
    call GetProcAddress
    push dword ptr [esp+4]              ;forward the caller's exit code
    call eax                            ;the real ExitProcess, never returns
    ret 4                               ;stdcall with one argument (not reached)

; Overwrite one DWORD at lpAddress with lpWrite, temporarily making the page writable.
WriteDWORD proc uses EAX EBX lpAddress:DWORD, lpWrite:DWORD
    LOCAL dwOldProtect:DWORD
    lea eax, dwOldProtect
    push eax                            ;lpflOldProtect takes a pointer, not the value
    push PAGE_READWRITE                 ;the IAT only has to be writable, not executable
    push 4                              ;sizeof DWORD
    push lpAddress
    call VirtualProtect                 ;now we can write memory
    test eax, eax
    jz done                             ;protection change failed: leave the slot untouched
    mov ebx, lpAddress                  ;ebx = target
    mov eax, lpWrite                    ;eax = value
    mov [ebx], eax                      ;write the new pointer into the slot
    lea eax, dwOldProtect
    push eax                            ;lpflOldProtect
    push dwOldProtect                   ;restore the original protection
    push 4
    push lpAddress
    call VirtualProtect                 ;set it back
done:
    ret                                 ;ret (not retn) so MASM emits the epilogue: pops, leave, ret 8
WriteDWORD EndP

; Walk our own import directory and return in eax the address of the IAT slot
; for Kernel32!ExitProcess, or 0 if it is not found. This does not depend on
; where the linker happened to place the slot relative to the import directory.
GetIAT proc uses EBX ESI EDI
    push NULL
    call GetModuleHandle                ;eax = our image base
    mov edi, eax                        ;edi = base, used to turn RVAs into addresses
    mov ebx, eax
    add ebx, [ebx+3Ch]                  ;base + e_lfanew -> IMAGE_NT_HEADERS
    assume ebx : ptr IMAGE_NT_HEADERS32
    mov esi, [ebx].OptionalHeader.DataDirectory[1*8].VirtualAddress ;entry 1 = import directory RVA
    assume ebx : nothing
    test esi, esi
    jz NotFound                         ;no import directory at all
    add esi, edi                        ;esi = first IMAGE_IMPORT_DESCRIPTOR
    assume esi : ptr IMAGE_IMPORT_DESCRIPTOR
NextDll:
    cmp [esi].FirstThunk, 0
    je NotFound                         ;a null descriptor terminates the list
    mov eax, [esi].Name1                ;RVA of the DLL name string
    add eax, edi
    push eax
    push offset K32
    call lstrcmpi                       ;case-insensitive: the table may say "KERNEL32.dll"
    test eax, eax
    jz FoundDll
    add esi, sizeof IMAGE_IMPORT_DESCRIPTOR
    jmp NextDll
FoundDll:
    mov ebx, [esi].OriginalFirstThunk   ;import name table (INT): names
    add ebx, edi
    mov esi, [esi].FirstThunk           ;import address table (IAT): addresses, parallel to the INT
    add esi, edi
    assume esi : nothing
NextFunc:
    mov eax, [ebx]
    test eax, eax
    jz NotFound                         ;end of this DLL's imports
    test eax, 80000000h                 ;IMAGE_ORDINAL_FLAG32: imported by ordinal, no name
    jnz SkipFunc
    lea eax, [eax+edi+2]                ;IMAGE_IMPORT_BY_NAME: skip the 2-byte Hint
    push eax
    push offset EP
    call lstrcmp
    test eax, eax
    jz FoundFunc
SkipFunc:
    add ebx, 4
    add esi, 4
    jmp NextFunc
FoundFunc:
    mov eax, esi                        ;eax = address of the IAT slot for ExitProcess
    ret
NotFound:
    xor eax, eax
    ret
GetIAT EndP

start:
    call GetIAT                         ;get our hook addr (the IAT slot of ExitProcess)
    test eax, eax
    jz @Exit                            ;slot not found: exit unhooked
    push offset myExit                  ;replace it with this
    push eax
    call WriteDWORD                     ;write it
@Exit:
    push 0
    call ExitProcess                    ;goes through the IAT, so our hooked exit is called
end start
Sorry if this tutorial is not good; English is my first language, but I'm a crappy teacher!
IAT -> Addresses
The opcode calls the address from the IAT; what we are doing is getting the IAT and making it point to a different function.
You can also make DLL files like this, but with memory mapping, of course.
Hope you enjoyed my tutorial!
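The lookup GetIAT performs, written out in C as a complete import-directory walk (an added example, not code from the post): it follows e_lfanew -> IMAGE_NT_HEADERS -> DataDirectory[1] -> IMAGE_IMPORT_DESCRIPTOR -> INT/IAT to find the slot that holds a named import's address, then swaps it, rather than relying on a fixed distance between the import directory and the ExitProcess slot, which only holds for one particular link layout. It runs against a constructed, minimal PE32 image in a buffer (the IAT contents 0x11110000/0x22220000 and the replacement 0x00401000 are made-up values), so it works on any OS; in a live Windows process the base would come from GetModuleHandle(NULL) and the write would need VirtualProtect, as in the post.

```c
/* Find and patch an IAT slot by walking the PE32 import directory. Added example,
 * not the post's code. The sample image is constructed in memory below
 * (assumption: RVAs can be added straight to the base, as for a loaded image). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                  /* IMAGE_IMPORT_DESCRIPTOR, 20 bytes */
    uint32_t OriginalFirstThunk;  /* RVA of the import name table (INT) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;                /* RVA of the DLL name string */
    uint32_t FirstThunk;          /* RVA of the import address table (IAT) */
} ImportDesc;

/* IMAGE_NT_HEADERS32: Signature(4) + FileHeader(20) = 24 to the optional header;
 * DataDirectory starts 96 bytes into it; entry 1 (8 bytes each) is the import directory. */
enum { E_LFANEW_OFF = 0x3C, OPT_HDR_OFF = 24, IMPORT_DIR_OFF = 24 + 96 + 1 * 8 };
#define ORDINAL_FLAG32 0x80000000u   /* IMAGE_ORDINAL_FLAG32: INT entry is an ordinal, not a name */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* DLL names are matched case-insensitively: the table may say "KERNEL32.dll". */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Return a pointer to the IAT slot holding the address of dll!func, or NULL. */
uint32_t *find_iat_slot(uint8_t *base, const char *dll, const char *func)
{
    if (base[0] != 'M' || base[1] != 'Z') return NULL;
    const uint8_t *nt = base + rd32(base + E_LFANEW_OFF);      /* IMAGE_NT_HEADERS */
    if (memcmp(nt, "PE\0\0", 4) != 0) return NULL;
    uint32_t import_rva = rd32(nt + IMPORT_DIR_OFF);
    if (import_rva == 0) return NULL;                          /* no imports */
    ImportDesc d;
    for (;; import_rva += sizeof d) {
        memcpy(&d, base + import_rva, sizeof d);
        if (d.FirstThunk == 0) return NULL;                    /* null descriptor ends the list */
        if (!ieq((const char *)base + d.Name, dll)) continue;
        /* INT and IAT are parallel arrays: the INT keeps the names, the IAT the addresses. */
        uint32_t int_rva = d.OriginalFirstThunk ? d.OriginalFirstThunk : d.FirstThunk;
        for (uint32_t i = 0;; i++) {
            uint32_t entry = rd32(base + int_rva + 4 * i);
            if (entry == 0) return NULL;                       /* end of this DLL's imports */
            if (entry & ORDINAL_FLAG32) continue;              /* imported by ordinal: no name */
            const char *name = (const char *)base + entry + 2; /* IMAGE_IMPORT_BY_NAME: skip Hint */
            if (strcmp(name, func) == 0) return (uint32_t *)(base + d.FirstThunk + 4 * i);
        }
    }
}

/* Replace the slot's contents and return the old value (0 if not imported). In a live
 * Windows process the slot sits in a read-only page: wrap the write in
 * VirtualProtect(slot, 4, PAGE_READWRITE, &old) and restore it afterwards. */
uint32_t hook_import(uint8_t *base, const char *dll, const char *func, uint32_t new_target)
{
    uint32_t *slot = find_iat_slot(base, dll, func);
    if (!slot) return 0;
    uint32_t old = rd32((uint8_t *)slot);
    wr32((uint8_t *)slot, new_target);
    return old;
}

static uint32_t g_words[1024];   /* 4 KiB backing store, 4-byte aligned */

/* Constructed sample image: one descriptor for KERNEL32.dll importing GetProcAddress
 * and ExitProcess, with made-up "resolved" addresses in the IAT. */
uint8_t *build_image(void)
{
    uint8_t *img = (uint8_t *)g_words;
    memset(img, 0, sizeof g_words);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + E_LFANEW_OFF, 0x80);                           /* NT headers at 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x80 + 4, 0x014C);                             /* FileHeader.Machine = i386 */
    wr16(img + 0x80 + OPT_HDR_OFF, 0x10B);                    /* OptionalHeader.Magic = PE32 */
    wr32(img + 0x80 + IMPORT_DIR_OFF, 0x200);                 /* import directory RVA */
    wr32(img + 0x80 + IMPORT_DIR_OFF + 4, (uint32_t)(2 * sizeof(ImportDesc)));
    ImportDesc d = { 0x300, 0, 0, 0x400, 0x500 };             /* INT, name, IAT; null one follows */
    memcpy(img + 0x200, &d, sizeof d);
    wr32(img + 0x300, 0x410);                                 /* INT[0] -> "GetProcAddress" */
    wr32(img + 0x304, 0x430);                                 /* INT[1] -> "ExitProcess" */
    memcpy(img + 0x400, "KERNEL32.dll", 13);
    memcpy(img + 0x412, "GetProcAddress", 15);                /* Hint at 0x410, name at 0x412 */
    memcpy(img + 0x432, "ExitProcess", 12);
    wr32(img + 0x500, 0x11110000u);                           /* IAT[0]: fake GetProcAddress */
    wr32(img + 0x504, 0x22220000u);                           /* IAT[1]: fake ExitProcess */
    return img;
}

int main(void)
{
    uint8_t *img = build_image();
    uint32_t *slot = find_iat_slot(img, "kernel32.dll", "ExitProcess");
    if (!slot) { puts("ExitProcess not imported"); return 1; }
    printf("ExitProcess IAT slot at RVA 0x%lx holds 0x%08x\n",
           (unsigned long)((uint8_t *)slot - img), rd32((uint8_t *)slot));
    uint32_t old = hook_import(img, "kernel32.dll", "ExitProcess", 0x00401000u); /* hypothetical myExit */
    printf("patched: 0x%08x -> 0x%08x\n", old, rd32((uint8_t *)slot));
    return 0;
}
```

The two loops are the whole technique: descriptors are scanned until the null terminator, and the INT and IAT are indexed together so that the name found in the INT identifies the slot at the same index in the IAT. Ordinal imports are skipped rather than mis-read as name RVAs, and a DLL or function that is not imported yields NULL instead of a wild pointer, which is why the caller checks before writing.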