IAT hooks are simple and powerful, but their disadvantage is that they are easy to find. On the other hand, the technique is in common legitimate use: Windows' own verifier tooling (the Application Verifier) works by IAT hooking, and the operating system itself uses IAT hooks in the process called DLL forwarding. So even when an IAT hook is detected, it is still hard to tell a benign hook from a malicious one.
Another disadvantage of the IAT hook is that it only takes effect when the DLL is linked implicitly. It does not take effect when the DLL is loaded with LoadLibrary and the function is resolved with GetProcAddress, because that path uses late (demand) binding: the function's address is resolved only at the moment the program asks for it and is handed straight back to the caller instead of being written into the IAT. A function resolved this way has no IAT slot at all, so there is nothing for the hook to overwrite.
For the IAT hook experiment, write the driver as described in the first part (IAT Hook). Note the two variables in the callback function that select the target DLL and function:
char *pc_dlltar = "kernel32.dll";
char *pc_fnctar = "GetProcAddress";
Set these to a DLL and function you compiled yourself; in this experiment they are changed to driverdll.dll and its exported function test.
Then install the driver, for example with srvinstw.exe. Assume the service name is apihook.
Next, compile a test program that calls the test function of driverdll.dll in two ways: explicitly (LoadLibrary followed by GetProcAddress) and implicitly (linking against the DLL's import library). Keep the two call paths as separate test programs so that each can be run on its own.
Then open Run, enter cmd, and in the command prompt enter net start apihook. The service starts and the IAT hook is now active.
Use DbgView to observe the IAT hook at work. Be sure to enable the Capture Kernel option in DbgView, otherwise the driver's debug output will not be shown.
Run the two test programs one after the other. The result: with the explicit call (LoadLibrary and GetProcAddress), the address of the test function cannot be found in the IAT, so the hook has nothing to patch; with the implicit call, the address of the test function is found in the IAT and is caught by the hook. The result is shown in the figure:
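The difference between the two runs comes down to whether driverdll.dll!test has a slot in the test program's IAT at all. The following is an added example, not code from this page or from the apihook driver: it walks a PE32+ import directory the same way the driver's callback has to, finds the IAT slot for a given DLL/function pair and overwrites it, and returns None when the function is not imported through the IAT. Because it has to run offline, the image is a constructed in-memory layout built by build_sample_image() (assumed names: driverdll.dll!test and kernel32.dll!GetProcAddress, fake resolved addresses); on a real process you would read the same structures at the module base returned by GetModuleHandle.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_ORDINAL_FLAG64 = 1 << 63


def _cstr(img, off):
    """Read a NUL-terminated ASCII string at offset off."""
    return img[off:img.index(b"\0", off)].decode("ascii")


def walk_iat(img):
    """Yield (dll, func_or_ordinal, iat_slot_rva, current_value) for every import slot.

    img is the image as mapped in memory, so RVAs index directly into it.
    Only PE32+ (8-byte thunks, 112-byte optional-header prefix) is handled.
    """
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", img, 0x3C)[0]          # e_lfanew
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 4 + 20                                      # optional header after IMAGE_FILE_HEADER
    if struct.unpack_from("<H", img, opt)[0] != 0x20B:
        raise ValueError("only PE32+ handled here")
    imp_rva, _imp_size = struct.unpack_from(
        "<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return                                             # no import directory
    desc = imp_rva
    while True:
        oft, _ts, _fc, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                          # terminating null descriptor
        dll = _cstr(img, name_rva)
        # The INT (OriginalFirstThunk) keeps the names; the IAT (FirstThunk) holds the
        # resolved addresses a hook overwrites. If the linker omitted the INT, fall back
        # to the IAT, which still holds name RVAs before the loader binds it.
        names = oft or ft
        i = 0
        while True:
            entry = struct.unpack_from("<Q", img, names + 8 * i)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG64:
                func = entry & 0xFFFF                      # import by ordinal
            else:
                func = _cstr(img, entry + 2)               # skip the 2-byte hint
            slot = ft + 8 * i
            yield dll, func, slot, struct.unpack_from("<Q", img, slot)[0]
            i += 1
        desc += 20


def find_iat_slot(img, dll, func):
    """Return (slot_rva, value) for dll!func, or None if it is not an implicit import."""
    for d, f, slot, val in walk_iat(img):
        if d.lower() == dll.lower() and f == func:
            return slot, val
    return None


def install_iat_hook(img, dll, func, hook_addr):
    """Overwrite the IAT slot of dll!func with hook_addr and return the original address.

    Returns None when the function is not in the IAT, i.e. the program reaches it via
    LoadLibrary/GetProcAddress, which is exactly the case an IAT hook cannot cover.
    """
    hit = find_iat_slot(img, dll, func)
    if hit is None:
        return None
    slot, original = hit
    struct.pack_into("<Q", img, slot, hook_addr)
    return original


def build_sample_image():
    """Constructed minimal in-memory PE32+ image (test data, not a real binary) that
    implicitly imports driverdll.dll!test and kernel32.dll!GetProcAddress."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                               # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x22)  # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                               # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x200, 0x3C)
    # Descriptors: (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk)
    struct.pack_into("<IIIII", img, 0x200, 0x240, 0, 0, 0x300, 0x260)     # driverdll.dll
    struct.pack_into("<IIIII", img, 0x214, 0x280, 0, 0, 0x310, 0x2A0)     # kernel32.dll
    # INT entries point at hint/name records; IAT entries hold fake resolved addresses
    struct.pack_into("<QQ", img, 0x240, 0x320, 0)
    struct.pack_into("<QQ", img, 0x260, 0x7FFA12345678, 0)
    struct.pack_into("<QQ", img, 0x280, 0x330, 0)
    struct.pack_into("<QQ", img, 0x2A0, 0x7FFA0000ABCD, 0)
    img[0x300:0x30E] = b"driverdll.dll\0"
    img[0x310:0x31D] = b"kernel32.dll\0"
    img[0x320:0x327] = b"\0\0test\0"
    img[0x330:0x341] = b"\0\0GetProcAddress\0"
    return img


if __name__ == "__main__":
    image = build_sample_image()
    print("implicit import :", find_iat_slot(image, "driverdll.dll", "test"))
    print("explicit import :", find_iat_slot(image, "driverdll.dll", "test2"))
    print("hooked, old addr:", hex(install_iat_hook(image, "driverdll.dll", "test", 0x140001000)))
```

In the implicit test program the slot for driverdll.dll!test exists and, after net start apihook, holds the driver's replacement address; in the explicit program the lookup returns None, which is the "address cannot be found" case in the DbgView output. The same walk, run over a process's loaded modules, is also how a detector compares each IAT value against the exporting module's address range to spot a hook.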