Reputation: 3418
how to hook a Windows API function inside the IAT of a running process and replace it with a dummy function?
My goal is to perform an IAT hook. I want to replace LoadLibraryA (LLA) with my own function ModifiedLLA.
I dug my way through the PE format, and I was able to locate the function names for each imported DLL file.
Consider this will be my replacement function:
DWORD ModifiedLLA(char* str){
printf("test\n");
return 0;
}
Consider the following code inside the main function:
...
//IAT & ILTs have been assigned previously
//Declare pointer to our own function
DWORD(WINAPI *procPtr)(char*);
procPtr = ModifiedLLA;
while(ilt->u1.AddressOfData){
namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
(DWORD)ilt->u1.AddressOfData);
//We have found the LoadLibraryA function.
if(strcmp(namedata->Name, "LoadLibraryA") == 0){
//Here we must replace the original LoadLibraryA with procPtr;
break;
}
ilt++;
alt++;
}
...
The question is "how I can assign procPtr to the LLA address"?
I read that when the IMAGE_ORDINAL_FLAG is not set, the address of LoadLibraryA becomes iat->u1.Function + namedata.
However, I am not sure what data type I should cast (DWORD_PTR)namedata + (DWORD)iat->u1.Function to. I tried to cast it to a DWORD_PTR. When I try to assign procPtr to the address, I get errors, such as:
invalid type argument of unary ‘*’ (have ‘DWORD_PTR’ {aka ‘long long unsigned int’})
Upvotes: 0
Views: 472
Answers (1)
Reputation: 3418
I found the answer. Apparently it's as easy as iat->u1.Function = (ULONGLONG)procPtr
Thus, the code becomes:
//IAT & ILTs have been assigned previously
//Declare pointer to our own function
DWORD(WINAPI *procPtr)(char*);
procPtr = ModifiedLLA;
while(ilt->u1.AddressOfData){
namedata = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)imagebase +
(DWORD)ilt->u1.AddressOfData);
//We have found the LoadLibraryA function.
if(strcmp(namedata->Name, "LoadLibraryA") == 0){
iat->u1.Function = (ULONGLONG)procPtr;
break;
}
ilt++;
alt++;
}
...
I hope this will help some other folks as well.
Upvotes: 1
Related Questions
- How can I hook Windows functions in C/C++?
- Hooking API Calls in Current Process?
- C - Calling functions from external process without exported functions
- How to hook an exe function?
- system wide api hook
- Hook api call in a parent process
- Windows API Hook C++
- Call external function(from one exe to another)
- API Hooking which takes effect across entire process - both EXE and DLLs
- how can i hook a Api function from system dll?