IAT (Import Access Table) Hooking

Details
 
By continuing the article Inline Hook DLL, today we will introduce the method of hooking code through the Import Access Table.


 



Import Access Table is a table containing imported calls, called jump, for functions used by the program. These functions are implemented in the libraries referred to by the jumps through references.

The IAT hooking method is used in conjunction with the Inline Hook .dll that we described recently.

So that we can imagine this kind of hooking and know what is good for us, I will describe it in simplicity with an example:

.

Imagine that there is a process running in the system that displays an information message from time to time via the MesageBox. MessageBox is a function that is implemented in user32.dll.
The process calls this function. The call is routed to the Import Access Table as an address call. In IAT, the jump address is then called to the function that points directly to the function in user32.dll.
This calls the process call directly to the function in user32.dll.

Next, we want to write a program that would create files for us somewhere, looking for data ... However, we can attach the program as a library to a running process and map it to the MessageBox function. Whenever a process calls the MessageBox function, it is executed in our pinned .dll library and not in user32.dll.
The mapping is done through the IAT hook, when the call from the process will not direct us to the function in user32.dll, but will be redirected to our function in the infected .dll.


Before IAT hooking:



After IAT hoking:





Source code of infected library C++:

  
#include <windows.h>
#include <iostream>

DWORD SetHook(LPVOID inputMethod, LPVOID outputMethod)
{
    DWORD oldProtection = 0;
    bool resultvirtual;

    ::VirtualProtect(inputMethod, 7, PAGE_EXECUTE_READWRITE, &oldProtection);

    if(resultvirtual == false)
    {
        return 0;
    }

    *(BYTE*)(inputMethod) = 0xE9;
    *(long*)((LPBYTE)inputMethod+1) = ((DWORD)outputMethod - ((DWORD)inputMethod + 5));
    resultvirtual = VirtualProtect(inputMethod, 7, oldProtection, &oldProtection);

    return resultvirtual;
}

NTSTATUS WINAPI HookedCall(HWND a, LPCSTR b, LPCSTR c, UINT d)
{ 
    ::std::cout << "\n\n\n  Hooked \"MessageBoxS\" !\n\n";
    return 0;
}
 
BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    switch (reason)
    {
      case DLL_PROCESS_ATTACH:
           SetHook(GetProcAddress(GetModuleHandleA("user32.dll"), "MessageBoxA"), 
                                 (LPVOID) HookedCall);
        break;
 
      case DLL_PROCESS_DETACH:
        break;
 
      case DLL_THREAD_ATTACH:
        break;
 
      case DLL_THREAD_DETACH:
        break;
    }
 
    return TRUE;
}

 

 


An example of IAT hooking through the inline hooking library is on the video: