hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Detect IAT patching #57

Closed hasherezade closed 4 years ago

hasherezade commented 4 years ago

Implement scanning IAT on demand (enabled by a parameter) against classic IAT hooking.

Test case:

Classic IAT hooking (implemented using IAT Patcher): cm_hooked.zip

The replacement function was defined in the following way:

[image: replacement]

The scan output should look like:

1000100c;User32.MessageBoxW->NagMeNot.dll.MBox;10000000+100c;0
hasherezade commented 4 years ago

PE-sieve accepts a new parameter: /iat, allowing it to scan for IAT hooks. If found, hooks are listed in an additional report. Report for the above sample:

4068;user32.MessageBoxW #533->nagmenot.MBox #1;10000000+100c;0

Format:

<call via RVA>;<original function>-><hook function>;<hook module addr>+<offset>;<is module detected as suspicious>
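A small parser for this report format, as an added example written for this page (it is not PE-sieve's own code). It assumes only the field layout given above: four `;`-separated fields, hexadecimal numbers, and an optional ` #ordinal` suffix on the function names (present in the final format, absent in the earlier one). The sample report embedded below is constructed from the two lines quoted in this thread. The helper `hooks_into_unflagged_modules` picks out hooks whose target module carries a `0` in the last field, i.e. the module was not reported by PE-sieve's other scans, which is exactly the case where the `/iat` scan is the only thing that would have surfaced the implant.

```python
"""Parser for PE-sieve /iat report lines (added example, not PE-sieve's own code).

Assumed line layout, taken from the format given in the thread:
  <call via RVA>;<original function>-><hook function>;<hook module addr>+<offset>;<is module detected as suspicious>
All numeric fields are hexadecimal except the final flag, which is 0 or 1.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IatHook:
    call_via_rva: int            # RVA of the IAT slot the hooked call goes through
    orig_module: str             # module that should own the function (e.g. user32)
    orig_func: str
    orig_ordinal: Optional[int]  # "#533" suffix; absent in the older output format
    hook_module: str             # module the IAT slot now points into
    hook_func: str
    hook_ordinal: Optional[int]
    hook_module_base: int        # base address of the hooking module
    hook_offset: int             # offset of the replacement inside that module
    module_suspicious: bool      # did PE-sieve's other scans already flag that module?

    @property
    def hook_va(self) -> int:
        """Absolute address the hooked call lands on."""
        return self.hook_module_base + self.hook_offset


def _parse_function(spec: str) -> Tuple[str, str, Optional[int]]:
    """Split 'module.Function #ordinal' into its parts; the ordinal is optional.

    The split is on the LAST dot, so 'NagMeNot.dll.MBox' keeps 'NagMeNot.dll' as
    the module name and 'MBox' as the function.
    """
    name, sep, ordinal = spec.strip().partition(" #")
    module, dot, func = name.rpartition(".")
    if not dot or not module or not func:
        raise ValueError(f"malformed function spec: {spec!r}")
    return module, func, (int(ordinal) if sep else None)


def parse_iat_hook_line(line: str) -> IatHook:
    """Parse one report line; raises ValueError on anything that does not fit the format."""
    fields = line.strip().split(";")
    if len(fields) != 4:
        raise ValueError(f"expected 4 ';'-separated fields: {line!r}")
    rva, transition, target, flag = fields
    orig_spec, arrow, hook_spec = transition.partition("->")
    if not arrow:
        raise ValueError(f"missing '->' in {transition!r}")
    base, plus, offset = target.partition("+")
    if not plus:
        raise ValueError(f"missing '+' in {target!r}")
    if flag not in ("0", "1"):
        raise ValueError(f"suspicious flag must be 0 or 1, got {flag!r}")
    orig_module, orig_func, orig_ord = _parse_function(orig_spec)
    hook_module, hook_func, hook_ord = _parse_function(hook_spec)
    return IatHook(
        call_via_rva=int(rva, 16),
        orig_module=orig_module, orig_func=orig_func, orig_ordinal=orig_ord,
        hook_module=hook_module, hook_func=hook_func, hook_ordinal=hook_ord,
        hook_module_base=int(base, 16), hook_offset=int(offset, 16),
        module_suspicious=(flag == "1"),
    )


def parse_iat_report(text: str) -> List[IatHook]:
    """Parse a whole report, skipping blank lines."""
    return [parse_iat_hook_line(l) for l in text.splitlines() if l.strip()]


def hooks_into_unflagged_modules(hooks: List[IatHook]) -> List[IatHook]:
    """Hooks whose target module was NOT flagged by the other scans.

    These are the hooks only the /iat scan would have reported, so they deserve
    a closer look even though the module itself looked clean.
    """
    return [h for h in hooks if not h.module_suspicious]


# Constructed sample: the two report lines quoted in the thread, old and new format.
SAMPLE_REPORT = """\
1000100c;User32.MessageBoxW->NagMeNot.dll.MBox;10000000+100c;0
4068;user32.MessageBoxW #533->nagmenot.MBox #1;10000000+100c;0
"""

if __name__ == "__main__":
    for h in parse_iat_report(SAMPLE_REPORT):
        print(f"{h.orig_module}!{h.orig_func} -> {h.hook_module}!{h.hook_func} "
              f"@ {h.hook_va:#x} (module flagged: {h.module_suspicious})")
```

Note that `hook_module_base + hook_offset` for the sample resolves to `0x1000100c`, the same address that appears as the first field of the earlier report line, so the two formats describe the same hook from different ends.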