SecurityTubeBeta

Import Address Table Hooking in Windows

 
 

As a continuation of my video on DLL Injection, I am presenting this video on IAT Hooking. You can download the accompanying code here.

Import libraries are DLLs that an executable image is bound to. Much of Windows' core functionality is found in DLLs that Microsoft provides, and they are how applications interact with the base Windows services. Function addresses in the binary file of a DLL are not static: they are bound to change as new versions come out, so applications cannot be built using a hard-coded function address.

When an executable is first loaded, the Windows loader is responsible for reading the file's PE structure and loading the executable image into memory. One of the other steps it takes is to load all of the DLLs that the application uses and map them into the process address space. The executable also lists all of the functions it will require from each DLL.

Because the function addresses are not static, a mechanism had to be developed that allowed these variables to be changed without needing to alter all of the compiled code at runtime. This was accomplished through the use of an import address table (IAT): a table of function pointers filled in by the Windows loader as the DLLs are loaded. When the application was first compiled, it was designed so that API calls do not use direct hard-coded addresses but instead work through a function pointer.

Conventionally, this pointer table can be accessed in several ways, one of which is directly through a call [pointer address]. A hook placed on such a pointer could intercept the arguments to the function and its execution flow too.
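The table layout described above can be walked and checked from the defender's side. The following is an added example, not the accompanying code from the video: it parses the import descriptors of a mapped PE32 image and reports IAT slots whose pointer lies outside the DLL named in the import. The function names (walk_imports, find_redirected, sample_image), the sample image and the module range are constructed for illustration; it assumes 4-byte thunks and that the image still has its import lookup table.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<5I")

def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def walk_imports(img, dir_rva):
    """Yield (dll, function, iat_slot_rva, bound_address) from a mapped PE32 image."""
    while True:
        oft, _, _, name_rva, ft = DESC.unpack_from(img, dir_rva)
        if not name_rva and not ft:          # all-zero descriptor ends the array
            return
        dll = cstr(img, name_rva).lower()
        i = 0
        while True:
            (lookup,) = struct.unpack_from("<I", img, oft + 4 * i)
            if lookup == 0:                  # zero thunk ends this DLL's list
                break
            # High bit set: import by ordinal. Otherwise RVA of a hint/name entry.
            func = f"#{lookup & 0xFFFF}" if lookup & 0x80000000 else cstr(img, lookup + 2)
            (bound,) = struct.unpack_from("<I", img, ft + 4 * i)
            yield dll, func, ft + 4 * i, bound
            i += 1
        dir_rva += DESC.size

def find_redirected(img, dir_rva, modules):
    """Return IAT entries whose pointer lies outside the DLL named in the import."""
    hits = []
    for dll, func, slot, bound in walk_imports(img, dir_rva):
        base, size = modules[dll]            # loaded range of the exporting DLL
        if not base <= bound < base + size:
            hits.append((dll, func, slot, bound))
    return hits

def sample_image(addr_create, addr_write):
    """Constructed 0x90-byte 'mapped image': one DLL, two imports, RVA == offset."""
    img = bytearray(0x90)
    img[0x00:0x14] = DESC.pack(0x40, 0, 0, 0x60, 0x50)   # descriptor, zero terminator follows
    img[0x40:0x4C] = struct.pack("<3I", 0x70, 0x80, 0)   # import lookup table
    img[0x50:0x5C] = struct.pack("<3I", addr_create, addr_write, 0)  # IAT as bound
    img[0x60:0x6D] = b"kernel32.dll\0"
    img[0x70:0x7E] = b"\0\0CreateFileA\0"                # 2-byte hint + name
    img[0x80:0x8C] = b"\0\0WriteFile\0"
    return bytes(img)

if __name__ == "__main__":
    mods = {"kernel32.dll": (0x76000000, 0xF0000)}       # constructed base and size
    for dll, func, slot, bound in find_redirected(sample_image(0x76012340, 0x10001000), 0, mods):
        print("IAT slot 0x%x: %s!%s -> 0x%08x (outside module)" % (slot, dll, func, bound))
```

Forwarded exports legitimately resolve into a different DLL than the one named in the import, so a reported slot is a lead to investigate rather than proof of a hook.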

Author Bio:

Prasanna K (prasanna.in [] gmail [] com) is a security researcher with 7 years of experience in the field of network and application security. He enjoys coding in C and Python. His latest interest is in Windows Internals and Reverse Engineering.

 

 

Author
Anonymous

Anonymous Submission

 
©2007 Freak Labs