I am writing code to hook the IAT on Windows. I can change the address of the target function in the IAT (Kernel32!GetCurrentProcessId), however later in the program, when the hooked function is called, Kernel32!GetCurrentProcessId is called instead of the hook.
When debugging the process, I can see the original IAT address for Kernel32!GetCurrentProcessId:
GetCurrentProcessId Address: 7C8099C0
The function I want to change is:
MyGetCurrentProcessId Address: 100118BB
I overwrite the address at thunkIAT->u1.Function and change it from 7C8099C0 to 100118BB, however, as I mentioned earlier, when GetCurrentProcessId() is called in the program, the Kernel32 function is called (and not the one I wrote in).
Part of the code that installs the hook:

    if (strcmp(apiName, (char*)(*nameData).Name) == 0) {
        DBG_PRINT2("[processImportDescriptor]: found match for %s\n", apiName);
        VirtualProtect(
            &thunkIAT->u1.Function,   // start address of the zone to "unlock"
            0x010,                    // size to protect
            PAGE_EXECUTE_READWRITE,   // new permission
            &dwOldProtect             // old permission
        );
        procPtr = MyGetCurrentProcessId;
        thunkIAT->u1.Function = (DWORD)procPtr;
        DBG_PRINT2("MyGetCurrentProcessId() address: %08X\n", MyGetCurrentProcessId);
        DBG_PRINT2("procPtr address: %08X\n", procPtr);
        DBG_PRINT2("thunkIAT->u1.Function address: %08X\n", thunkIAT->u1.Function);
        VirtualProtect(
            &thunkIAT->u1.Function,   // start address of the zone to "relock"
            0x0010,                   // size to protect
            dwOldProtect,             // new permission
            &dwOldProtect2            // old permission
        );
    }
Any thoughts? Thanks.
Chris