The full area of the IAT (as defined in the Data Directory) is excluded from the code scan. It is scanned by another type of scan, which detects IAT hooks. This is in general good behavior, but it creates a blind spot for patches that are installed in the padding at the end of the IAT.
Example:
Test case:
Below: the patched svchost vs the original one:
So, the patch starts in the last DWORD of the IAT (which was filled with padding).
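One way to close this blind spot, shown as an added example (not code from the scanner discussed here): compare the IAT range of the on-disk file with the same range in memory, and flag every slot that is zero in the file but non-zero in memory. It assumes the loader only rewrites slots that are non-zero on disk; all function names and the sample values are hypothetical and constructed for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Serialize 64-bit IAT slots as little-endian bytes (helper for the sample data).
Bytes make_iat(const std::vector<uint64_t>& slots) {
    Bytes out;
    for (uint64_t v : slots)
        for (int i = 0; i < 8; ++i) out.push_back(uint8_t(v >> (8 * i)));
    return out;
}

static bool all_zero(const Bytes& b, size_t off, size_t len) {
    return std::all_of(b.begin() + off, b.begin() + off + len,
                       [](uint8_t x) { return x == 0; });
}

// Returns IAT-relative offsets of slots that are zero in the file but not in memory.
// Assumption: the loader rewrites only slots that are non-zero on disk.
std::vector<size_t> find_patched_iat_padding(const Bytes& disk, const Bytes& mem,
                                             size_t slot_size) {
    std::vector<size_t> hits;
    if (slot_size == 0 || disk.size() != mem.size()) return hits;
    for (size_t off = 0; off < disk.size(); off += slot_size) {
        size_t len = std::min(slot_size, disk.size() - off);  // partial tail slot
        if (all_zero(disk, off, len) && !all_zero(mem, off, len)) hits.push_back(off);
    }
    return hits;
}

// Constructed sample: two thunks followed by one zero slot at the end of the IAT.
std::vector<size_t> demo_hits() {
    Bytes disk = make_iat({0x3000, 0x3010, 0});
    // In memory: thunks resolved; upper DWORD of the last slot overwritten.
    Bytes mem = make_iat({0x7ff812340000ULL, 0x7ff812345000ULL, 0xDEADBEEFULL << 32});
    return find_patched_iat_padding(disk, mem, 8);
}

// Same sample with an untouched last slot: import resolution alone gives no hits.
std::vector<size_t> demo_clean_hits() {
    Bytes disk = make_iat({0x3000, 0x3010, 0});
    Bytes mem = make_iat({0x7ff812340000ULL, 0x7ff812345000ULL, 0});
    return find_patched_iat_padding(disk, mem, 8);
}

int main() { return demo_hits().size() == 1 ? 0 : 1; }
```

For a 32-bit module, pass a `slot_size` of 4 and build the buffers from the raw IAT bytes instead of `make_iat`.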