-------------------------------------------------------------------
Hey, I saw your article on Sandsprite on IAT Hooking, it's good but I
had a quick question about your example code. How did you get the
address of strcmp in the IAT? Your comment is "disasm and get
address" but I'm not sure what to disassemble. Also, is there a more
dynamic way of finding this address at run time, as opposed to hard
coding the address in?
Thanks,
Zachary
-------------------------------------------------------------------
Hi Zachary,
I got the IAT address in the sample by disassembling the
target exe file and seeing at what offset it was expecting
the strcmp function pointer to reside at.
You can find this dynamically at runtime by parsing the
files pe import table. I have some VB code on my site
to do this in the open source section or I am sure there
are some examples in your language of choice on the web.
You can also get this address using a tool such as lordpe
which is a pe file viewer where you would get a file listing
such as
->Import Table
1. ImageImportDescriptor:
OriginalFirstThunk: 0x0000207C
TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
ForwarderChain: 0x00000000
Name: 0x000020DC ("MSVCRT.dll")
FirstThunk: 0x00002000
Ordinal/Hint API name
------------ ---------------------------------------
0x0083 "__setusermatherr"
0x026B "gets"
0x029E "printf"
0x00D3 "_exit"
0x0048 "_XcptFilter"
0x0249 "exit"
0x0064 "__p___initenv"
0x0058 "__getmainargs"
0x010F "_initterm"
0x02B8 "strcmp"
With the information above we know that the applications import
table starts at RVA 0x2000. The exes image base is 0x400000
so the first function pointer held in the import table will be
at memory virutal address 0x402000.
Each pointer is a 4 byte number and strcmp is 9 entries
past the start of the table. That means strcmp pointer will
live at table base + 36 decimal (or 0x24 in hex)
therefore final pointer address in table for strcmp is
0x402024 which we then see in teh source as:
int *thunk = (int*)0x402024 ; //disasm and get address
parsing pe from scratch is not a small job but good to
learn. This is why i used hardcoded offset in sample
for primer.
Good luck
-Dave
iat_hook.zip_IAT_hook iat_iat hook_iat_sample_vb中 iat的例子
版权申诉
99 浏览量
2022-09-14
16:56:08
上传
评论
收藏 31KB ZIP 举报
Kinonoyomeo
- 粉丝: 74
- 资源: 1万+
最新资源
- 基于MFC的校园导航程序(使用最短路径dijkstra算法).rar
- Android Studio android APP 视频作为视图背景需要源代码或想了解其实现原理的可以私心我
- com.ZeroneGames.GreenProject.apk
- Python自动化开发入门教程
- 4399GameSem_116_13955_207551_6.apk
- python 3.9.19源码编译包
- php-8.2.18-Win32-vs16-x64.rar
- 字节跳动青训营-抖音项目
- SQL资料手册,语句教程,高级查询语句语法
- 上位机和串口建立 Modbus 协议进行数据传输,并使用 Mysql 数据库存储,能够实现实时温湿度显示和动态变化曲线,历史数据
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈