June 2018
Beginner
510 pages
13h 7m
English
Content preview from Learning Malware Analysis
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
4.1 IAT Hooking
As mentioned earlier, the IAT contains the addresses of functions that an application imports from DLLs. In this technique, after a DLL is injected into the target (legitimate) process, the code in the injected DLL (Dllmain() function) hooks the IAT entries in the target process. The following gives a high-level overview of the steps used to perform this type of hooking:
- Locate the IAT by parsing the executable image in memory.
- Identify the entry of the function to hook.
- Replace the address of the function with the address of the malicious function.
To help you understand, let's look at an example of a legitimate program deleting a file by calling the DeleteFileA() API. The DeleteFileA() object accepts a single parameter, ...