Friday, 22 November 2013

IAT HOOKING..

/* AUTHOR-- ASHA MALIK */
Ø IAT HOOKING:

IAT hooking is a means to  accesses  code of a binarie's IAT and replaces pointers which point to functions in linked dlls. By this method it is possible to hook a function, e.g. the MessageBoxA function and inject your own implementation for it.In order to understand IAT we need to understand some basic concepts of Portable Executable file format given Below:

1.  The Import Directory:( usually .idata contains information about all the functions imported  by the executable from DLLs)

This information is stored in several data structures. The most important of these are the Import Directory and the Import Address The Windows loader is responsible for loading all of the DLLs that the application uses and mapping them into the process address space. It has to find the addresses of all the imported functions in their various DLLs and make them available for the executable being loaded.
The addresses of functions inside a DLL are not static but change when updated versions of the DLL are released, so applications cannot be built using hardcoded function addresses. Because of this a mechanism had to be developed that allowed for these changes without needing to make numerous alterations to an executable's code at runtime. This was accomplished through the use of an Import Address Table (IAT). This is a table of pointers to the function addresses which is filled in by the windows loader as the DLLs are loaded. By using a pointer table, the loader does not need to change the addresses of imported functions everywhere in the code they are called. All it has to do is add the correct address to a single place in the import table and its work is done.

Import Directory Structure:

It is actually an array of IMAGE_IMPORT_DESCRIPTOR structures. Each structure is 20 bytes and contains information about a DLL which our PE file imports functions from. For example, if our PE file imports functions from 20 different DLLs, there will be 20  IMAGE_IMPORT_DESCRIPTOR structures in this array. There's no field indicating the number of structures in this array. Instead, the final structure has fields filled with zeros.
 



1. OriginalFirstThunk: It   is a DWORD union, may at one time have been a set of flags. However, Microsoft changed its meaning and never bothered to update WINNT.H. This field really contains the RVA of an array of IMAGE_THUNK_DATA structures.
 
 
[By the way, a union is just a redefinition of the same area of memory. The union above doesn't contain 2 DWORDS but only one which could contain either the OriginalFirstThunk data or the Characteristics data.] 
2.TimeDateStamp:member is set to zero unless the executable is bound .
3.Name1: It contains the a pointer (RVA) to the ASCII name of the DLL.
4. FirstThunk: It contains the RVA of an array of DWORD-sized  IMAGE_THUNK_DATA structures - a duplicate of the first array. If the function described is a bound import then FirstThunk contains the actual address of the function instead of an RVA to an IMAGE_THUNK_DATA. These structures are defined thus: 
Each IMAGE_THUNK_DATA is a DWORD union that effectively only has one of 2 values. In the file on disk it either contains the ordinal of the imported function (in which case it will begin with an 8 - see export by ordinal only below) or an RVA to an IMAGE_IMPORT_BY_NAME structure.
 
Once loaded the ones pointed at by FirstThunk are overwritten with the addresses of imported functions - this becomes the Import Address Table.
Steps Involved In IAT Hooking..
1.     Find out the File-offset of PE Header.
 


 
 
 
 

2.     Find Out VA of  IMAGE_IMPORT_DESCRIPTOR Structure.VA=RVA+ Image Base(00005000+00400000=00405000)
 Each Image_Import_Descriptor corresponds to DLL which EXE imports. The Last field of Image_Import_Descriptor structure is First thunk which contain actual addresses of the functions which are there in that particular DLL.We are interested in User32.dll.so VA of First thunk of(Image_Import_Descriptor corresponds to User32.dll)=RVA+imagebase(40000+00005120)
 
 
3.     Now we have functions with its real addresses and we can patch our own code here:
Search for the code cave and write ur own code to hook MessageBox  API,as given below:
Now change the address of IAT function with your code address.
 
Result:
1.       Original Output:
 
1.      Output After Hooking:
 
Video Demonstration:
 
 
 
 
 
 
 


Posted by at No comments:
Subscribe to: Posts (Atom)