Jump to content
Nytro

[MASM] IAT Hook

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[MASM] IAT Hook

Author: steve10120

; steve10120@ic0de.org

; #########################################################################

      .586
      .model flat, stdcall
      option casemap :none   ; case sensitive

; #########################################################################
      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc

      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib

; #########################################################################  
.data
    szDLL db "user32.dll",0
    szAPI db "MessageBoxA",0
    szHooked db "API Hooked",0
    szText db "Hello World!",0
    szCaption db "http://ic0de.org",0

.data?
    dwOldProtect dd ?
    pMessageBoxA dd ?

.code

HookIAT proc inModule:DWORD, inHookProc:DWORD, inOriginalFunction:DWORD

    PUSH ESI
    PUSH EDI
    MOV EDI, inModule
    ASSUME EDI:PTR IMAGE_DOS_HEADER
    CMP [EDI].e_magic, IMAGE_DOS_SIGNATURE
    JNE CodeFail
    ADD EDI, DWORD PTR[EDI+03Ch]
    ASSUME EDI:PTR IMAGE_NT_HEADERS
    CMP [EDI].Signature, IMAGE_NT_SIGNATURE
    JNE CodeFail
    MOV EDI, [EDI].OptionalHeader.DataDirectory[8].VirtualAddress
    ADD EDI, inModule
    ASSUME EDI:PTR IMAGE_IMPORT_DESCRIPTOR

ImportLoop:
    CMP [EDI].FirstThunk, 0
    Je OriginalThunk
    MOV ESI, [EDI].FirstThunk
    JMP ContinueMain
OriginalThunk:
    MOV ESI, [EDI].OriginalFirstThunk
ContinueMain:
    ADD ESI, inModule

ThunkLoop:
    MOV EAX, [inOriginalFunction]
    MOV [pMessageBoxA], EAX
    CMP DWORD PTR[ESI], EAX
    JNE ContinueThunks    
    MOV EBX, [inHookProc]
    invoke VirtualProtect, ESI, 4, PAGE_EXECUTE_READWRITE, OFFSET dwOldProtect
    MOV DWORD PTR[ESI], EBX
    XOR EAX, EAX
    INC EAX

ContinueThunks:
    ADD ESI, 4
    CMP DWORD PTR[ESI], 0
    JNE ThunkLoop


    ADD EDI, sizeof(IMAGE_IMPORT_DESCRIPTOR)
    CMP [EDI].Name1, 0
    JNE ImportLoop


CodeFail:   
    XOR EAX, EAX
HookEnd:
    POP EDI
    POP ESI
    MOV ESP, EBP
    POP EBP
    RETN 0Ch

HookIAT endp

MessageBoxAHookProc proc hWindow:DWORD, lpszText:DWORD, lpszCaption:DWORD, uStyle:DWORD

    PUSH 0
    PUSH OFFSET szCaption
    PUSH OFFSET szHooked
    PUSH 0
    CALL [pMessageBoxA]

    MOV ESP, EBP
    POP EBP
    RETN 010h   
MessageBoxAHookProc endp

start:
    invoke LoadLibraryA, OFFSET szDLL
    TEST EAX, EAX
    JE EndMain
    invoke GetProcAddress, EAX, OFFSET szAPI
    TEST EAX, EAX
    JE EndMain
    MOV EBX, EAX
    invoke GetModuleHandleA, NULL
    TEST EAX, EAX
    JE EndMain
    invoke HookIAT, EAX, OFFSET MessageBoxAHookProc, EBX

    invoke MessageBoxA, 0, OFFSET szText, OFFSET szAPI, 0

EndMain:
    RETN
end start

Sursa: ic0de.org

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...