Reading Note: Windows API Hook technology, part 2

Source: Internet
Author: User

IAT hooks are simple and powerful, but their disadvantage is that they are easy to detect. On the other hand, this technique is widely used by legitimate software: the driver verification mechanism works by IAT hooking, and the operating system itself uses IAT hooks in a process called DLL forwarding. Therefore, even when an IAT hook is detected, it is still difficult to tell a benign hook from a malicious one.

Another disadvantage of the IAT hook is that it only takes effect when the DLL is linked implicitly. The IAT hook does not take effect when the DLL is called through LoadLibrary and GetProcAddress. The reason is that such calls use late (on-demand) binding: the function address is resolved only at the moment the function is called. When these functions are hooked, the IAT may not yet contain their addresses at all.

For the IAT hook experiment, write the driver as described in the first part of this note, but note that the callback function involves the following two variables:

    char *pc_dlltar = "kernel32.dll";     /* target DLL whose import is hooked */

    char *pc_fnctar = "GetProcAddress";   /* target export name (case-sensitive) */

It is best to set these to a DLL and function name that you compiled yourself. Here I set them to driverdll.dll and its test function.

Then install the driver. You can use srvinstw.exe to install it. Assume that the service name is apihook.

Then compile a test program that calls the test function of driverdll.dll in two ways: explicitly (through LoadLibrary and GetProcAddress) and implicitly (through the import table). Note that each calling method is tested separately.

Then open the Run dialog, enter cmd, and in the command prompt enter net start apihook. At this point the service is started and the IAT hook is active.

You can use DbgView to observe the IAT hook in action. Be sure to enable the Capture Kernel option in DbgView, since the driver's output comes from kernel mode.

Run the test program in each mode separately. The result is: when the DLL is called explicitly, the address of the test function cannot be found, while during the implicit call the address of the test function in the IAT is caught. The result is shown in the screenshot (not reproduced here).
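To make the implicit-versus-explicit result above concrete, here is an added, portable C model of the experiment (not the page's driver code and not a real Windows IAT: the export table, the `test` export of driverdll.dll and the single IAT entry are constructed stand-ins). A call routed through the IAT slot hits the detour, a call resolved GetProcAddress-style does not, and a defender can detect the hook by comparing each slot against the address the export table resolves to.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef int (*fn_t)(int);
/* One import-table entry: imported name plus the slot holding the resolved address. */
typedef struct { const char *name; fn_t slot; } iat_entry_t;

/* Constructed stand-in for the exported "test" function of driverdll.dll. */
static int real_test(int x) { return x * 2; }
/* Detour written into the IAT slot: observe the call, then forward to the original. */
static int hook_test(int x) { return real_test(x) + 1000; }
/* Stand-in for the DLL's export table, i.e. what GetProcAddress consults. */
static fn_t resolve_export(const char *name) { return strcmp(name, "test") == 0 ? real_test : NULL; }
/* Loader step for implicit linking: fill every IAT slot from the export table. */
static void build_iat(iat_entry_t *iat, size_t n) {
    for (size_t i = 0; i < n; i++) iat[i].slot = resolve_export(iat[i].name);
}

/* The IAT hook: overwrite the slot for `name` with the detour, returning the old value. */
static fn_t iat_hook(iat_entry_t *iat, size_t n, const char *name, fn_t detour) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(iat[i].name, name) == 0) { fn_t old = iat[i].slot; iat[i].slot = detour; return old; }
    return NULL;
}
/* Implicit call: compiled as `call [IAT slot]`, so it goes through the hooked slot. */
static int call_implicit(const iat_entry_t *iat, size_t n, const char *name, int arg) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(iat[i].name, name) == 0) return iat[i].slot(arg);
    return -1;
}
/* Explicit call: the LoadLibrary/GetProcAddress path resolves from exports and never reads the IAT. */
static int call_explicit(const char *name, int arg) { fn_t f = resolve_export(name); return f ? f(arg) : -1; }

/* Defender check: a slot whose value no longer matches the export address has been hooked. */
static int count_hooked_slots(const iat_entry_t *iat, size_t n) {
    int hooked = 0;
    for (size_t i = 0; i < n; i++) if (iat[i].slot != resolve_export(iat[i].name)) hooked++;
    return hooked;
}

int main(void) {
    iat_entry_t iat[] = { { "test", NULL } };
    size_t n = sizeof iat / sizeof iat[0];
    build_iat(iat, n);
    iat_hook(iat, n, "test", hook_test);   /* pc_fnctar = "test" in the page's terms */
    printf("implicit=%d explicit=%d hooked_slots=%d\n", call_implicit(iat, n, "test", 21), call_explicit("test", 21), count_hooked_slots(iat, n));
    return 0;
}
```

The printed line is `implicit=1042 explicit=42 hooked_slots=1`: only the implicit path was redirected, which is exactly the gap the DbgView experiment above shows.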
