@c0d3inj3cT
Created November 20, 2013 06:01
This code can be used for hooking the IAT. In this particular example, I overwrite the function pointer of Sleep() imported from Kernel32.dll in the IAT of the main executable image. The Sleep function is called twice, once before and once after hooking the IAT, to confirm that the hook took effect.
/*
This code hooks the IAT by overwriting the function pointer of Sleep() imported from Kernel32.dll.
It can be modified to hook any other function in the IAT.
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
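/*
 * Replacement for Sleep(). Because it is installed into Sleep()'s IAT slot it
 * must use Sleep()'s calling convention (WINAPI, i.e. __stdcall on x86): with
 * plain cdecl the caller and callee disagree about who pops the argument and
 * the stack is corrupted on 32-bit builds.
 */
void WINAPI spoofedfunction(DWORD);

/*
 * Walk this image's import directory and return the descriptor for `module`
 * (compared case-insensitively: linkers emit both "KERNEL32.dll" and
 * "kernel32.dll"), or NULL if the image does not import from it.
 *
 * The descriptor table is terminated by an all-zero entry (Name == 0); that
 * terminator bounds the loop, so a missing module no longer runs off the end
 * of the table as the unbounded strcmp() loop did.
 *
 * base: load address of the image (every RVA in the headers is relative to it).
 */
static IMAGE_IMPORT_DESCRIPTOR *find_import_descriptor(ULONG_PTR base, const char *module)
{
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) {
        return NULL;
    }
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(base + (ULONG_PTR)dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) {
        return NULL;
    }
    const IMAGE_DATA_DIRECTORY *dir = &nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (dir->VirtualAddress == 0) {
        return NULL; /* image has no import table at all */
    }
    IMAGE_IMPORT_DESCRIPTOR *desc = (IMAGE_IMPORT_DESCRIPTOR *)(base + dir->VirtualAddress);
    for (; desc->Name != 0; desc++) {
        const char *name = (const char *)(base + desc->Name);
        if (_stricmp(name, module) == 0) {
            return desc;
        }
    }
    return NULL;
}

/*
 * Return the IAT slot holding the resolved address of `func_name` within the
 * import described by `desc`, or NULL if it is not imported by name.
 *
 * OriginalFirstThunk (the import name table) keeps the names; FirstThunk (the
 * IAT) is overwritten by the loader with the resolved addresses. The two
 * arrays run in lock-step, so the index that matches in the INT selects the
 * corresponding slot in the IAT. Entries use IMAGE_THUNK_DATA rather than
 * DWORD so the stride is right on x64 as well as x86.
 */
static IMAGE_THUNK_DATA *find_iat_slot(ULONG_PTR base, const IMAGE_IMPORT_DESCRIPTOR *desc, const char *func_name)
{
    /* Without an INT there are no names left to match once the image is loaded. */
    if (desc->OriginalFirstThunk == 0) {
        return NULL;
    }
    IMAGE_THUNK_DATA *int_entry = (IMAGE_THUNK_DATA *)(base + desc->OriginalFirstThunk);
    IMAGE_THUNK_DATA *iat_entry = (IMAGE_THUNK_DATA *)(base + desc->FirstThunk);
    printf("Original First Thunk: %p\n", (void *)int_entry);
    printf("First Thunk: %p\n", (void *)iat_entry);

    for (; int_entry->u1.AddressOfData != 0; int_entry++, iat_entry++) {
        /* Imports by ordinal carry no name; skip them instead of treating the
         * ordinal as an RVA (which is what the old "+ 0x2" arithmetic did). */
        if (IMAGE_SNAP_BY_ORDINAL(int_entry->u1.Ordinal)) {
            continue;
        }
        /* IMAGE_IMPORT_BY_NAME is a WORD hint followed by the NUL-terminated name. */
        const IMAGE_IMPORT_BY_NAME *by_name = (const IMAGE_IMPORT_BY_NAME *)(base + int_entry->u1.AddressOfData);
        if (strcmp((const char *)by_name->Name, func_name) == 0) {
            return iat_entry;
        }
    }
    return NULL;
}

/*
 * Entry point: locate the IAT slot through which this image calls Sleep()
 * (imported from KERNEL32.dll), overwrite it with spoofedfunction(), and call
 * Sleep() before and after so the console output shows whether the hook took
 * effect.
 *
 * Returns 0 on success, 1 if the module or function cannot be found in the
 * import table or the slot cannot be made writable. All failures are reported
 * on stdout; the original exit(0) on error hid them from the caller.
 */
int main(int argc, char **argv)
{
    const char *func_name = "Sleep";
    (void)argc;
    (void)argv;

    /* GetModuleHandle(NULL) is the base address of the main executable image.
     * Keep it in a pointer-sized integer (not DWORD) so the RVA arithmetic
     * below is correct on x64, where a DWORD truncates the base. */
    HMODULE hHandle = GetModuleHandle(NULL);
    if (hHandle == NULL) {
        printf("there was an error in retrieving the handle\n");
        return 1;
    }
    ULONG_PTR base = (ULONG_PTR)hHandle;

    IMAGE_IMPORT_DESCRIPTOR *desc = find_import_descriptor(base, "KERNEL32.dll");
    if (desc == NULL) {
        printf("KERNEL32.dll is not in this image's import table\n");
        return 1;
    }
    printf("Module name is: %s\n", (const char *)(base + desc->Name));

    IMAGE_THUNK_DATA *func_address = find_iat_slot(base, desc, func_name);
    if (func_address == NULL) {
        printf("%s is not imported by name from KERNEL32.dll\n", func_name);
        return 1;
    }
    printf("function pointer is stored at: %p\n", (void *)func_address);

    printf("Sleep before hooking\n");
    Sleep(2000);

    /* The IAT normally lives in a read-only data section, so the slot must be
     * made writable for the store. PAGE_READWRITE is enough (the slot holds a
     * pointer, not code), and the previous protection is restored afterwards
     * rather than the hard-coded 0x20 (PAGE_EXECUTE_READ) the original applied. */
    DWORD oldProtect = 0;
    if (!VirtualProtect(func_address, sizeof *func_address, PAGE_READWRITE, &oldProtect)) {
        printf("VirtualProtect failed: %lu\n", GetLastError());
        return 1;
    }
    /* A direct store through the now-writable slot replaces the original
     * WriteProcessMemory(0xffffffff, ...) call: that literal is not a valid
     * HANDLE on x64 (GetCurrentProcess() is the portable pseudo-handle). After
     * this store the IAT entry points into this executable rather than into
     * kernel32.dll, which is the inconsistency IAT-integrity checks report. */
    func_address->u1.Function = (ULONG_PTR)spoofedfunction;
    DWORD unused = 0;
    VirtualProtect(func_address, sizeof *func_address, oldProtect, &unused);

    printf("Sleep after hooking\n");
    Sleep(2000);
    return 0;
}

/*
 * Hook body: logs that it was reached, then performs the sleep the caller
 * asked for by delegating to SleepEx().
 *
 * a: requested sleep time in milliseconds, as passed to Sleep().
 */
void WINAPI spoofedfunction(DWORD a)
{
    printf("From inside the hooked function\n");
    SleepEx(a, 0);
}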