So far I only talked about kernel hooks, but you can do some hooking in userland also. Today I’m going to show you the simpler of the two userland hooking processes is called Import Address Table hooking (IAT).
When an application wants to use a function that is located in a DLL (kernel32,user32…) For example MessageBoxA, the application must get the address of the function. We do this through an IAT.
So what we’re going to do is, create a DLL with our fake function, load it into the target and when the target application calls the original function, our function is going to get executed instead of the original.
In my example, we are going to hook MessageBoxA. MessageBoxA is located in user32.dll, so fire up your dissembler (In my case IDA) And find the full prototype. In our case it’s going to be:
int __stdcall MessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
It’s very important that you have the exact same prototype as the original one!
Now go create an application that calls MessageBox, and dissemble it. I’m going to use OllyDbg. The call to MessageBoxA is going to look this way: “CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ” Now look in the window before the Hex View, you are going to see something like: “DS:[0042428C]=7E45058A (USER32.MessageBoxA)” 0042428C is what we need. It’s the pointer to the function.
Now it’s time to create our DLL. First lets make our fake function.
int __stdcall NewMessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
{
char real[200];
sprintf(real,”Inside hooked MessageBoxA.\n\nText=%s\nTitle=%s”, lpText, lpCaption);
MessageBox(NULL,real,”Real values”,MB_OK);return MessageBoxA(hWnd,”Fake much”,”Fake”,uType);
}
It’s going to show us the real values, and then we are going to return what we want! Also, you may want to make the function fail. To do so, get the value when the function doesn’t succeed, use MSDN for that.
Now we want to get MessageBoxA address, to do so, we are going to use GetModuleHandle/GetProcAddress. Like this:
OrigAddress = (int)GetProcAddress(GetModuleHandle(“user32.dll”), “MessageBoxA”);
Now we must point the original function to our fake one, so when the real one is called, our fake one is getting executed. We do this this way:
OurAddress = (int)NewMessageBoxA ;
This is pretty much it. It wasn’t that hard was it? Of course this is not the full code, if you want the source code, you can download it at the end of this post.
This method is not perfect. I’m going to quote a passage from the book “Rootkits:Subverting the windows kenel” (The picture came from there to.)
Here we go: “Some applications do late-demand binding. With late-demand binding, function addresses are not resolved until the function is called. This reduces the amount of memory the application will use. These functions may not have addresses in the IAT when your rootkit attempts to hook them. Also, if the application uses LoadLibrary and GetProcAddress to find the addresses of functions, your IAT hook will not work.”
If you find any errors or bugs, please leave a comment. Thanks for visiting and reading.
reflink: http://unlmtd.wordpress.com/2007/08/21/iat-hooking/