Tuts 4 You

API Hooking (EAT)


urbanyoung


Hey,

I have a target executable which I need to hook some APIs for. I can't modify the IAT because the protector resolves the address and writes the call as: call 12345678, not call dword ptr ds:[xxx]. I can't place a hook within the actual API because it is checked to see if it has been modified. So, this led me to the idea of modifying the export address table before it's read, therefore the protector will resolve the call to my code and it won't be detected.

I'm wondering how I'd go about implementing it, when would I need to edit the EAT? I need to do it before it's read (obviously), but when is it read? Would I need to hook LoadLibrary somewhere?

I'd like some tips if you have any. Thanks.


Well, since the protector probably uses the export table, you could modify it right at the start of the program. Just redirect the entry point to your code, hook the exports to point to your code and fix the CRC, probably.

Should work fine. Have done this before in Winlicense.


I did this once to get rid of API emulation. I replaced several APIs in the EAT (got the modules using a GMH/LLA hook) by jmp dword ptr [RealAPI] which caused length disassembly engines to stop redirection right there. Just search all calls to one of these bridges and restore the original import. :) Beware of forwarded imports in case you plan to redirect the whole EAT.

Pretty easy to do in a HLL by injecting a worker dll. Could be detected by the protection system by checking the range the RVA resides in but I haven't seen that yet.

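The two caveats raised in the reply above, forwarded exports and a protector checking the range an EAT RVA resides in, are easy to see in a small export-table walker. The following is an added example written for this thread, not code from either poster: it parses IMAGE_EXPORT_DIRECTORY from a PE image laid out as it is in memory (RVA equals offset from the image base, as a GMH-style hook would see it), reports which slots are forwarders (RVA inside the export directory, pointing at a "DLL.Func" string), and flags any non-forwarded slot whose RVA lies outside SizeOfImage, which is exactly the range check a protection could use to spot a redirected entry. The sample image, its section-less layout, the module name TEST.dll, the export names Alpha/Beta/Gamma and the forwarder string FORWARD.Target are all constructed here for the example.

```python
"""Walk a PE export address table (EAT) from a flat in-memory image and
flag entries whose RVA falls outside the module. Example code for the
thread; the PE image below is constructed, not a real DLL."""
import struct
from dataclasses import dataclass
from typing import List, Optional

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0'
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _u16(img, off): return struct.unpack_from("<H", img, off)[0]
def _u32(img, off): return struct.unpack_from("<I", img, off)[0]
def _cstr(img, off): return img[off:img.index(b"\0", off)].decode("ascii")


@dataclass
class Export:
    name: str                  # exported name, or "#<ordinal>" if exported by ordinal only
    ordinal: int
    rva: int                   # value stored in the EAT slot
    forwarder: Optional[str]   # "DLL.Func" string when the slot is a forwarder
    in_image: bool             # True when rva lies inside [0, SizeOfImage)


def parse_exports(img: bytes) -> List[Export]:
    """Parse the export directory of a PE image laid out as loaded in memory
    (RVA == offset from image base). Supports PE32 and PE32+ headers."""
    if _u16(img, 0) != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    nt = _u32(img, 0x3C)                        # e_lfanew
    if _u32(img, nt) != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = nt + 24                               # optional header follows the 20-byte COFF header
    magic = _u16(img, opt)
    dd = 96 if magic == PE32_MAGIC else 112     # DataDirectory offset differs for PE32 / PE32+
    size_of_image = _u32(img, opt + 56)
    exp_rva, exp_size = _u32(img, opt + dd), _u32(img, opt + dd + 4)
    if exp_rva == 0:
        return []
    # IMAGE_EXPORT_DIRECTORY: Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals start at +16
    base, n_funcs, n_names, aof, aon, aono = struct.unpack_from("<IIIIII", img, exp_rva + 16)
    names = {}
    for i in range(n_names):
        idx = _u16(img, aono + 2 * i)           # index into AddressOfFunctions
        names[idx] = _cstr(img, _u32(img, aon + 4 * i))
    out = []
    for i in range(n_funcs):
        rva = _u32(img, aof + 4 * i)
        if rva == 0:                            # unused ordinal slot
            continue
        # A slot pointing back into the export directory is a forwarder, not code
        forwarded = exp_rva <= rva < exp_rva + exp_size
        out.append(Export(
            name=names.get(i, f"#{base + i}"),
            ordinal=base + i,
            rva=rva,
            forwarder=_cstr(img, rva) if forwarded else None,
            in_image=rva < size_of_image,
        ))
    return out


def suspicious_exports(img: bytes) -> List[str]:
    """Names of non-forwarded exports whose EAT slot points outside the image,
    which is what a range check on the RVA would catch."""
    return [e.name for e in parse_exports(img) if e.forwarder is None and not e.in_image]


def build_sample_image() -> bytes:
    """Constructed minimal PE32 image (not a real DLL) with three exports:
    one normal, one forwarder, one whose slot points outside the image."""
    img = bytearray(0x1000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    struct.pack_into("<I", img, 0x80, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)             # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)             # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 56, len(img))          # SizeOfImage
    struct.pack_into("<II", img, opt + 96, 0x200, 0x200)     # export directory RVA / size
    # IMAGE_EXPORT_DIRECTORY at 0x200: Name=0x300, Base=1, 3 functions, 3 names
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x300, 1, 3, 3, 0x240, 0x250, 0x260)
    struct.pack_into("<III", img, 0x240, 0x500, 0x330, 0x7FFF0000)  # EAT: code, forwarder, out of range
    struct.pack_into("<III", img, 0x250, 0x310, 0x318, 0x320)       # name RVAs
    struct.pack_into("<HHH", img, 0x260, 0, 1, 2)                   # name -> function index
    for off, s in ((0x300, b"TEST.dll"), (0x310, b"Alpha"), (0x318, b"Beta"),
                   (0x320, b"Gamma"), (0x330, b"FORWARD.Target")):
        img[off:off + len(s)] = s
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for e in parse_exports(sample):
        print(f"{e.ordinal:>3} {e.name:<8} rva={e.rva:#010x} "
              f"forwarder={e.forwarder} in_image={e.in_image}")
    print("out-of-image slots:", suspicious_exports(sample))
```

Two design points follow from the thread. The forwarder test must come before the range test: a forwarder slot legitimately points at a string inside the module, so treating every in-directory RVA as code would mis-resolve those exports, and redirecting a whole EAT blindly would overwrite them. And because the check only compares the slot against SizeOfImage, a detour placed inside the module's own image would pass it, which is why the poster notes the range check is possible but had not seen it used.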
