lahabrands.blogg.se

Unhackme review










The underlying resolver leverages a custom PE headers parser that processes every referenced DLL module to map its exports and verify the integrity of that module's PE headers as well as the integrity of the referenced function's stub bytes.

First, we issue LoadLibrary to load the library referenced by the user (the one specified as the first parameter of the RESOLVE macro) if it could not be reached through GetModuleHandle. Then we process the loaded/referenced library's PE headers, map its exports, and retrieve the array of export addresses, as well as compute these addresses ourselves for cross-verification. If the address of a routine defined in the DLL's Export Address Table doesn't correspond to what we would expect, the export is considered EAT hooked. The same goes if our executable's Import Address Table (IAT) entry for that function was altered and no longer points to the correct spot in the DLL's code section: then the function is considered IAT hooked.

Assuming no hooks were found so far, we fetch the first N bytes of the function's prologue and compare them to what is in the DLL's file stored on disk. If there is a discrepancy between the bytes fetched from memory and from the file, we consider the function inline patched (hot-patched).
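The three checks described above (EAT, IAT, then prologue bytes), sketched as an added example that is not the tool's own code. The struct layout, function names and sample values are assumptions, and the data is constructed so the logic runs without touching a real process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: all names here are hypothetical, not the tool's own code. */
enum hook_kind { HOOK_NONE, HOOK_EAT, HOOK_IAT, HOOK_INLINE };

struct export_view {
    uintptr_t module_base;     /* where the DLL is mapped in this process */
    uint32_t  eat_rva;         /* RVA read from the in-memory Export Address Table */
    uint32_t  computed_rva;    /* RVA computed independently for cross-verification */
    uintptr_t iat_entry;       /* our executable's IAT slot, 0 if not imported */
    const uint8_t *mem_bytes;  /* first n bytes of the function in memory */
    const uint8_t *disk_bytes; /* the same n bytes read from the DLL file */
    size_t n;
};

/* Checks run in the order the text gives: EAT, then IAT, then prologue bytes. */
enum hook_kind classify(const struct export_view *v) {
    uintptr_t expected = v->module_base + v->computed_rva;
    if (v->eat_rva != v->computed_rva)
        return HOOK_EAT;
    if (v->iat_entry != 0 && v->iat_entry != expected)
        return HOOK_IAT;
    if (memcmp(v->mem_bytes, v->disk_bytes, v->n) != 0)
        return HOOK_INLINE;
    return HOOK_NONE;
}

/* Constructed sample: one export, tampered with according to `scenario`. */
enum hook_kind demo(int scenario) {
    static const uint8_t disk[8]    = {0x4C,0x8B,0xD1,0xB8,0x18,0x00,0x00,0x00};
    static const uint8_t patched[8] = {0xE9,0x10,0x20,0x30,0x40,0x00,0x00,0x00};
    struct export_view v = { 0x10000000u, 0x2340, 0x2340, 0x10002340u,
                             disk, disk, sizeof disk };
    if (scenario == 1) v.eat_rva = 0x9F000;        /* EAT slot redirected */
    if (scenario == 2) v.iat_entry = 0x7F000000u;  /* IAT slot leaves the DLL */
    if (scenario == 3) v.mem_bytes = patched;      /* prologue overwritten */
    return classify(&v);
}

int main(void) {
    for (int s = 0; s < 4; s++)
        printf("scenario %d -> hook_kind %d\n", s, (int)demo(s));
    return 0;
}
```

Against a real module, bytes covered by base relocations legitimately differ between memory and disk, so apply relocations to the on-disk copy (or mask those bytes) before the prologue comparison.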










