IAT Patching


  • PatchFunction (von Hamtaro):

    Code
    _IMAGE_IMPORT_DESCRIPTOR = packed recordcase Integer of0:(Characteristics: DWORD);1:(OriginalFirstThunk:DWORD;TimeDateStamp:DWORD;ForwarderChain: DWORD;Name: DWORD;FirstThunk: DWORD);end;IMAGE_IMPORT_DESCRIPTOR=_IMAGE_IMPORT_DESCRIPTOR;PIMAGE_IMPORT_DESCRIPTOR=^IMAGE_IMPORT_DESCRIPTOR;


    Code
    procedure PatchIAT(strMod : Pchar; Alt, Neu : Pointer);varpImportDir : pImage_Import_Descriptor;size : CardinaL;Base : Cardinal;pThunk : PDWORD;beginBase := GetModuleHandle(0);pImportDir := ImageDirectoryEntryToData(Pointer(Base),True,IMAGE_DIRECTORY_ENTRY_IMPORT,size);while pImportDIr^.Name <> 0 Do begin  If (lstrcmpiA(Pchar(pImportDir^.Name+ Base),strMod) = 0) then begin    pThunk := PDWORD(Base + pImportDir^.FirstThunk);    While pThunk^ <> 0 Do begin      if DWORD(Alt) = pthunk^ Then begin        pthunk^ :=  Cardinal(Neu);      end;    Inc(pThunk);    end;  end;  Inc(PImportDir);end;end;




    Eine kleine Modifikation, die die Sache aber viel praktischer macht:


    man will ja nicht immernur die Funktionen der Exe hooken, sondern auch der DLL-Module ;)