hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

IAT hooking: detecting replaced function within the same DLL #77

Closed hasherezade closed 2 years ago

hasherezade commented 3 years ago

There is a possibility that instead of an external hook, a replacement can be made, redirecting a function to another function within the same DLL. Example:

demos.zip

It should be detected as an IAT hook as well.
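The case described in this issue can be illustrated with a small model of the two checks. The following is an added example, not code from pe-sieve or from hasherezade: it builds a constructed export table for a fake user32.dll (the base address, RVAs and IAT slots are invented) and compares a naive IAT check, which only asks whether the slot points outside the owning module, with a strict one, which requires the slot to hold exactly the address of the export it names. The naive check treats a slot redirected to a different function of the same DLL as clean; the strict check reports it as a same-module replacement and names the export it was redirected to.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Constructed model of one loaded DLL: image base, image size and its
// export table as name -> RVA. A real scanner reads these from the
// mapped module's export directory; the values used here are made up.
struct ModuleExports {
    uint64_t base;
    uint64_t size;
    std::map<std::string, uint32_t> exportsByName;
};

// One IAT slot as observed in the scanned process: which import the slot
// stands for and the address that is currently stored in it.
struct IatEntry {
    std::string dll;
    std::string name;
    uint64_t resolved;
};

enum class IatStatus { Ok, ExternalHook, SameModuleReplacement, Unresolved };

struct IatFinding {
    IatEntry entry;
    IatStatus status;
    std::string target;   // export the slot actually points to, if known
};

// Naive check: a slot counts as hooked only if it points outside the
// owning module. This is exactly the check that misses a same-DLL swap.
bool naiveIsHooked(const IatEntry& e, const ModuleExports& m) {
    return e.resolved < m.base || e.resolved >= m.base + m.size;
}

// Strict check: the slot must hold the address of the export whose name
// it imports. Any other value is classified by where it points.
IatFinding classify(const IatEntry& e, const ModuleExports& m) {
    auto it = m.exportsByName.find(e.name);
    if (it == m.exportsByName.end())
        return {e, IatStatus::Unresolved, ""};
    const uint64_t expected = m.base + it->second;
    if (e.resolved == expected)
        return {e, IatStatus::Ok, e.name};
    if (naiveIsHooked(e, m))
        return {e, IatStatus::ExternalHook, ""};
    // Inside the module but not the expected export: find out which
    // export (if any) the slot was redirected to, for the report.
    for (const auto& kv : m.exportsByName)
        if (m.base + kv.second == e.resolved)
            return {e, IatStatus::SameModuleReplacement, kv.first};
    return {e, IatStatus::SameModuleReplacement, "<non-export address>"};
}

std::vector<IatFinding> scanIat(const std::vector<IatEntry>& iat, const ModuleExports& m) {
    std::vector<IatFinding> out;
    for (const auto& e : iat) out.push_back(classify(e, m));
    return out;
}

// Constructed sample: a fake user32.dll and three IAT slots of a scanned process.
ModuleExports sampleModule() {
    return {0x7ff800000000ULL, 0x100000,
            {{"MessageBoxA", 0x1000}, {"MessageBoxW", 0x2000}, {"GetDC", 0x3000}}};
}

std::vector<IatEntry> sampleIat() {
    const uint64_t base = sampleModule().base;
    return {
        {"user32.dll", "MessageBoxA", base + 0x1000},        // clean
        {"user32.dll", "MessageBoxW", base + 0x1000},        // redirected to MessageBoxA inside the same DLL
        {"user32.dll", "GetDC",       0x000001c0dead0000ULL}, // points into foreign memory: classic IAT hook
    };
}

const char* statusName(IatStatus s) {
    switch (s) {
        case IatStatus::Ok: return "ok";
        case IatStatus::ExternalHook: return "external hook";
        case IatStatus::SameModuleReplacement: return "same-module replacement";
        default: return "unresolved";
    }
}

int main() {
    const ModuleExports m = sampleModule();
    for (const auto& f : scanIat(sampleIat(), m)) {
        std::cout << f.entry.dll << "!" << f.entry.name << ": " << statusName(f.status);
        if (f.status == IatStatus::SameModuleReplacement) std::cout << " (-> " << f.target << ")";
        std::cout << "; naive check says " << (naiveIsHooked(f.entry, m) ? "hooked" : "clean") << "\n";
    }
    return 0;
}
```

Two caveats apply before using the strict rule on a real process: exports that are forwarders (or reached through API sets) legitimately resolve to an address in another module and must be followed to their final target before a slot is called an external hook, and two export names that share one RVA (aliases) are not a replacement, which the exact-address comparison above already handles because both names map to the same expected address.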