IAT Patching


  • PatchFunction (von Hamtaro):

    Code
    1. _IMAGE_IMPORT_DESCRIPTOR = packed recordcase Integer of0:(Characteristics: DWORD);1:(OriginalFirstThunk:DWORD;TimeDateStamp:DWORD;ForwarderChain: DWORD;Name: DWORD;FirstThunk: DWORD);end;IMAGE_IMPORT_DESCRIPTOR=_IMAGE_IMPORT_DESCRIPTOR;PIMAGE_IMPORT_DESCRIPTOR=^IMAGE_IMPORT_DESCRIPTOR;


    Code
    1. procedure PatchIAT(strMod : Pchar; Alt, Neu : Pointer);varpImportDir : pImage_Import_Descriptor;size : CardinaL;Base : Cardinal;pThunk : PDWORD;beginBase := GetModuleHandle(0);pImportDir := ImageDirectoryEntryToData(Pointer(Base),True,IMAGE_DIRECTORY_ENTRY_IMPORT,size);while pImportDIr^.Name <> 0 Do begin If (lstrcmpiA(Pchar(pImportDir^.Name+ Base),strMod) = 0) then begin pThunk := PDWORD(Base + pImportDir^.FirstThunk); While pThunk^ <> 0 Do begin if DWORD(Alt) = pthunk^ Then begin pthunk^ := Cardinal(Neu); end; Inc(pThunk); end; end; Inc(PImportDir);end;end;




    Eine kleine Modifikation, die die Sache aber viel praktischer macht:


    man will ja nicht immernur die Funktionen der Exe hooken, sondern auch der DLL-Module ;)