flat assembler
Message board for the users of flat assembler.
Index > Windows > PE/COFF - IAT in .code section blows Import table
TheLord 11 May 2009, 18:30
I'm actually "playing" with the PE headers of the incriminated file (CALC.EXE).
It seems that just resetting the IAT directory structure to VA = 00000000 VS = 00000000 and resetting the bound import directory structure to VA = 00000000 VS = 00000000 does NOT corrupt the execution of the file. Is the IAT optional? Is this just a "helper" to resolve APIs faster (instead of directly looking into the import table)? I checked the MSDN documentation about the PE headers but it does not seem very clear to me! Thanks for the help.
comrade 11 May 2009, 20:18
IAT is necessary for the executable to function correctly.
You have to be careful to only encrypt what is needed.
pal 11 May 2009, 21:28
Can you actually encrypt the IAT? I don't think you can, as the Windows process loader loads the IAT into memory before the execution of your program, so it won't work like that. I may be wrong, so please correct me if I am.
You could always use GetProcAddress and decrypt data upon loading. It would be a much better method. You could replace all calls to an API with injected code (IAT patching).
TheLord 13 May 2009, 08:37
Hi,
Thank you for your answer. I spent some time on all the import stuff and found out it's better to "fake" an import table importing LoadLibrary and GetProcAddress, and then restore the APIs during the file runtime, just as pal said. This way I don't have to take care of what code portion I encrypt! This sounds good to me; if there is anything that would make it impossible, illuminate me :p Thank you again.
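Both questions in this thread, whether the IAT data directory entry is what the loader depends on and what a "faked" import table that lists only LoadLibrary/GetProcAddress looks like from the outside, can be checked by walking the PE import structures directly. The Python script below is an added example written for this thread, not code posted by any participant: it parses a PE32/PE32+ file's IMAGE_IMPORT_DESCRIPTOR table (data directory 1), reports where each DLL's IAT (FirstThunk) lands, and emits triage findings for the conditions discussed above: a zeroed IAT directory entry (data directory 12), an IAT placed inside an executable section, and an import table reduced to the loader APIs. The function names `parse_pe`, `triage` and `build_sample_pe` are the script's own; `build_sample_pe` constructs a synthetic, non-runnable PE image purely as a test fixture, and the section/DLL/function names in it are made up.

```python
import struct
from collections import namedtuple

# Data-directory indices from the PE/COFF spec (winnt.h IMAGE_DIRECTORY_ENTRY_IMPORT / _IAT)
DIR_IMPORT, DIR_IAT = 1, 12
IMAGE_SCN_MEM_EXECUTE = 0x20000000

Section = namedtuple("Section", "name va size raw chars")
Import = namedtuple("Import", "dll iat_rva funcs")


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        if s.va <= rva < s.va + s.size:
            return rva - s.va + s.raw
    raise ValueError(f"RVA {rva:#x} is outside every section")


def section_of(sections, rva):
    return next((s for s in sections if s.va <= rva < s.va + s.size), None)


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data):
    """Read the headers, section table and import descriptors of a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B    # Magic: 0x10B = PE32, 0x20B = PE32+
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dir_base = opt + (112 if pe32plus else 96)
    dirs = [struct.unpack_from("<II", data, dir_base + 8 * i) for i in range(min(ndirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))
    sections = []
    for i in range(nsec):
        h = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, h)
        chars = struct.unpack_from("<I", data, h + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), rawptr, chars))
    imports = []
    if dirs[DIR_IMPORT][0]:
        fmt, width, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
        off = rva_to_offset(sections, dirs[DIR_IMPORT][0])
        while True:
            oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", data, off)
            if name_rva == 0 and ft == 0:                       # all-zero descriptor terminates the table
                break
            funcs, thunk = [], rva_to_offset(sections, oft or ft)   # walk the ILT if present, else the IAT itself
            while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
                if entry & ord_flag:
                    funcs.append(f"#{entry & 0xFFFF}")          # import by ordinal
                else:                                            # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                    funcs.append(read_cstr(data, rva_to_offset(sections, entry & 0x7FFFFFFF) + 2))
                thunk += width
            imports.append(Import(read_cstr(data, rva_to_offset(sections, name_rva)), ft, funcs))
            off += 20
    return {"pe32plus": pe32plus, "dirs": dirs, "sections": sections, "imports": imports}


def triage(data):
    """Findings an analyst wants when an import table looks minimised or tampered with."""
    pe = parse_pe(data)
    findings = []
    if pe["dirs"][DIR_IAT] == (0, 0):
        findings.append("IAT directory entry is zero; the IAT is only reachable through each descriptor's FirstThunk")
    exec_secs = {s.name for imp in pe["imports"]
                 if (s := section_of(pe["sections"], imp.iat_rva)) and s.chars & IMAGE_SCN_MEM_EXECUTE}
    for name in sorted(exec_secs):
        findings.append(f"IAT placed in executable section {name} (loader will write resolved addresses into code pages)")
    names = {f.lower() for imp in pe["imports"] for f in imp.funcs}
    if names and names <= {"loadlibrarya", "loadlibraryw", "getprocaddress"}:
        findings.append("imports reduced to LoadLibrary/GetProcAddress only: remaining APIs are resolved at run time")
    return findings


def build_sample_pe(imports, zero_iat_dir=False):
    """Constructed PE32 fixture: headers plus one .text section holding descriptors, ILT, IAT and names. Not runnable."""
    sec_rva, sec_off, n = 0x1000, 0x200, sum(len(f) + 1 for _, f in imports)
    desc_size = (len(imports) + 1) * 20
    ilt_off, iat_off = desc_size, desc_size + 4 * n
    names_base, names, descs, thunks = iat_off + 4 * n, bytearray(), [], []
    for dll, funcs in imports:
        name_rva = sec_rva + names_base + len(names)
        names += dll.encode() + b"\0"
        entries = []
        for f in funcs:
            names += b"\0" * (len(names) % 2)                   # IMAGE_IMPORT_BY_NAME is 2-byte aligned
            entries.append(sec_rva + names_base + len(names))
            names += struct.pack("<H", 0) + f.encode() + b"\0"
        descs.append((sec_rva + ilt_off + 4 * len(thunks), 0, 0, name_rva, sec_rva + iat_off + 4 * len(thunks)))
        thunks += entries + [0]
    body = bytearray(desc_size)
    for i, d in enumerate(descs):
        struct.pack_into("<5I", body, 20 * i, *d)
    tbl = b"".join(struct.pack("<I", t) for t in thunks)
    body += tbl + tbl + names                                    # ILT, then IAT (identical on disk), then names
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IMPORT, sec_rva, desc_size)
    if not zero_iat_dir:
        struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, sec_rva + iat_off, 4 * n)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, sec_rva, 0x200, sec_off, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return hdr + b"\0" * (sec_off - len(hdr)) + bytes(body).ljust(0x200, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe([("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"])], zero_iat_dir=True)
    for imp in parse_pe(sample)["imports"]:
        print(imp.dll, "IAT at RVA", hex(imp.iat_rva), imp.funcs)
    print(*triage(sample), sep="\n")
```

To run it against a real file, pass `open(path, "rb").read()` to `triage` instead of the constructed fixture. The parser deliberately walks the import descriptors rather than the IAT directory entry, which is why a zeroed entry 12 shows up only as a finding and not as a parse failure; the "executable section" finding is the condition in the thread title, and the loader-APIs-only finding is the pattern TheLord settles on, which is also what an analyst would use to recognise such a binary.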
Copyright © 1999-2025, Tomasz Grysztar.