0xFF Posted November 30, 2010 Posted November 30, 2010 This code is NOT by me, it's by Madshi, author of madCodeHook, taken from experts-exchange, i'm an expert there.You can use the following code, it's copied from my madExcept package. madCodeHook uses a much better but also much more complicated API hooking method. The missing parts (e.g. GetImageNtHeaders) can be found in the madBasic package (which includes sources) of my collection.This function works fine. For successful IAT patching you need to patch each and every module in your process. However, in win9x you're not allowed to patch system modules (modules whose handle is bigger than $80000000). If you would do that, you'd make the whole OS unstable. As a result IAT patching doesn't work too well in win9x. After all IAT patching is not the best hooking method. But in normal use you might not notice the difference. It depends on for which purpose you need this stuff.procedure PatchImportTable(module: dword; old, new: pointer);var pinh : PImageNtHeaders; pid : ^TImageImportDirectory; p1 : TPPointer; c1 : dword; eis : dword; // end of import sectionbegin pinh := GetImageNtHeaders(module); if pinh <> nil then begin with pinh^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] do begin pid := pointer(module + VirtualAddress); eis := VirtualAddress + Size; end; if pid <> nil then while pid^.Name_ <> 0 do begin if pid^.ThunkArray > eis then break; // invalid import table! if pid^.ThunkArray <> 0 then begin p1 := pointer(module + pid^.ThunkArray); while p1^ <> nil do begin if (p1^ = old) and VirtualProtect(p1, 4, PAGE_EXECUTE_READWRITE, @c1) then p1^ := new; inc(p1); end; end; inc(pid); end; end;end;
0xFF Posted December 2, 2010 Author Posted December 2, 2010 (edited) Thanks for your sharing. It is very useful for meyou're welcome, and you will also need madCodeHook (Hook Engine) installed in order to use this procedure, website is http://www.madshi.net/. Edited December 2, 2010 by rotem156
SunBeam Posted December 3, 2010 Posted December 3, 2010 i'm an expert there I highly doubt that But it's always nice to see someone brag with their skills while posting OTHER people's code Keep it up 4
0xFF Posted December 7, 2010 Author Posted December 7, 2010 I highly doubt that But it's always nice to see someone brag with their skills while posting OTHER people's code Keep it up says the one who's using dUP2 to generate noob patchers while he can't code his own ones, P.S - Why reinvent the wheel ? any bells ringing ?
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now