Hooking via Import Address Table Patching - Hamtaro aka Corvu5

posted 25 Aug 2010, 04:31 by Delphi Basics
This project is a small example of hooking the MessageBoxA api by patching the Import Address Table (IAT). 

Compiled: Delphi 2007 

The hooking code: 
type
  _IMAGE_IMPORT_DESCRIPTOR = packed record
    case Integer of
      0:(Characteristics: DWORD);
      1:(OriginalFirstThunk:DWORD;TimeDateStamp:DWORD;ForwarderChain: DWORD;Name: DWORD;FirstThunk: DWORD);
    end;
  IMAGE_IMPORT_DESCRIPTOR=_IMAGE_IMPORT_DESCRIPTOR;
  PIMAGE_IMPORT_DESCRIPTOR=^IMAGE_IMPORT_DESCRIPTOR;

procedure PatchIAT(strMod : Pchar; Alt, Neu : Pointer);
var
  pImportDir : pImage_Import_Descriptor;
  size : CardinaL;
  Base : Cardinal;
  pThunk : PDWORD;
begin
  Base := GetModuleHandle(nil);
  pImportDir := ImageDirectoryEntryToData(Pointer(Base),True,IMAGE_DIRECTORY_ENTRY_IMPORT,size);
  while pImportDIr^.Name <> 0 Do
  begin
    If (lstrcmpiA(Pchar(pImportDir^.Name+ Base),strMod) = 0) then
    begin
      pThunk := PDWORD(Base + pImportDir^.FirstThunk);
      While pThunk^ <> 0 Do
      begin
        if DWORD(Alt) = pthunk^ Then
        begin
          pthunk^ :=  Cardinal(Neu);
        end;
        Inc(pThunk);
      end;
    end;
    Inc(PImportDir);
  end;
end;

Only Delphi source code is included in the archive.
ċ
HookingViaIATPatching.rar
(3k)
Delphi Basics,
25 Aug 2010, 04:35
Comments