Detect a patch partially overlapping Import Address Table

[hasherezade]

Full area of IAT (as defined in Data Directory) is excluded from the code scan. It is scanned by another type of scan, detecting IAT hooks. This is in general a good behavior, but it creates a blind spot for the patches that are installed in the padding at the end of the IAT.

Example:

Test case:

• https://www.hybrid-analysis.com/sample/8b86662ab617d11079f16d95d4d584e8acb4a374b87edf341195ab9e043ed1d2?environmentId=100 (Andromeda)

• The Data Directory of the infected application (svchost.exe): IAT is located in the .text section, from RVA 0x1000 to 0x11A8.
• It has been hooked by Andromeda and the patch starts from RVA 0x11A4. Infected code: versus the original code:
• Due to the fact that IAT is omitted, the hook is not detected properly. Only the bytes that are outside the IAT has been detected as patched:

Below: the patched svchost vs the original one:

So, the patch starts in the last DWORD of the IAT (which was filled with padding).

[hasherezade]

Fixed: after more precise clearing of IAT, entire patch is detected: