Status: Closed (hasherezade closed this issue 4 years ago)
PE-sieve accepts a new parameter: /iat, which enables scanning for IAT hooks. If any are found, the hooks are listed in an additional report.
Report for the above sample:
4068;user32.MessageBoxW #533->nagmenot.MBox #1;10000000+100c;0
Format:
<call via RVA>;<original function>-><hook function>;<hook module addr>+<offset>;<is module detected as suspicious>
Implement IAT scanning on demand (enabled by a parameter) against classic IAT hooking.
Test case:
Classic IAT hooking (implemented using IAT Patcher): cm_hooked.zip
The replacement function was defined in the following way:
The scan output should look like: