PDA

View Full Version : Adding API To IAT

durexlw
February 1st, 2008, 08:50
I am wondering if it's possible to add an API call to the IAT

In my case, I'd like to add User32.SendDlgItemMessage to an application, so I can use it to patch the application.

If you can point me in the right direction, i'd be happy to hear from you.

Cheers,
Durex
evlncrn8
February 1st, 2008, 10:14
just edit the import table, hardly rocket science... if theres no space, make a new iat, and append the api's you need into it...
deroko
February 1st, 2008, 10:34
1. create new section or expand last section
2. copy IMAGE_IMPORT_DESCRIPTORs there
3. add your IMAGE_IMPORT_DESCRIPTOR and update it to point to dll name and api_name + address where you want it stored
4. update PE.OptionalHeader.DataDirectories[IMPORT] with RVA of place where you moved old ones
5. done

or

use IIDKing to do this
OHPen
February 1st, 2008, 10:38
LOL: deroko and i nearly posted at the same time. so forget my post

lo,

i agree with evlncrn8, should be no problem to append a new section for example and, create a new iat from the scratch, relying on the old iat + adding needed api functions. afterwards you just have to link the iat pointer just to point to new section.
if i remember correctly there was a well known tool which do exactly like that, but i forgot, sorry.

regards,

papi
Admiral
February 1st, 2008, 10:38
There are a few tools out there that can automate this process. I can't personally vouch for any but IIDKing looks like the most suitable in the CRECTL:

http://www.woodmann.com/collaborative/tools/Category:Import_Editors

Admiral
deroko
February 1st, 2008, 11:02
Quote:
[Originally Posted by OHPen;72409]LOL: deroko and i nearly posted at the same time. so forget my post


I was faster
OHPen
February 1st, 2008, 11:55
@deroko: yeah, damn'it
disavowed
February 2nd, 2008, 20:17
LordPE can do that too. i'll add it to the CRCETL page (it's not on there at the moment).
Admiral
February 2nd, 2008, 20:39
Quote:
[Originally Posted by disavowed;72425]LordPE can do that too. i'll add it to the CRCETL page (it's not on there at the moment).

Huh. I've been using LordPE for as long as I've been on solids and not once did I discover this feature. That would have saved me some grief on a few occasions .

Still learning then
Nacho_dj
February 3rd, 2008, 05:28
If you don't want to increase the size in your executable, you could add your API using some of those tools in the same place where I.T. is now, building IAT by ordinals, because it won't use Names of Functions. But it is not a good idea if you are carrying your executable to another machine, since ordinals are strongly system version dependent.

Cheers

Nacho_dj
disavowed
February 3rd, 2008, 12:39
Quote:
[Originally Posted by Admiral;72426]Huh. I've been using LordPE for as long as I've been on solids and not once did I discover this feature. That would have saved me some grief on a few occasions .

Still learning then


yeah, just right-click on an imported dll in the import-table viewer and click "add import..."