
Thread: VB6 - Process injection/API hooking


  1. #1

    rm_03 (Thread Starter, Lively Member; Join Date: Aug 2004; Posts: 92)

    VB6 - Process injection/API hooking

    Part 1) IAT Hooking. All functions imported by a module (like kernel32.sleep())
    have an entry in its IAT (Import Address Table). By comparing the entry point of the
    target function with all the entries in the IAT, you can overwrite the IAT entry with a new function pointer.
    Next time the importing module calls the target function, it will be redirected to the new function.

    Part 2) Function redirection. By overwriting a function with a JMP instruction you can redirect any function to a new one.

    Part 3) Process injection and remote API hooking.
    You can inject any module into a process by getting its size (=> PE header),
    allocating memory in the remote process
    and copying the whole module with WriteProcessMemory() to the remote process.
    The aim now is to hook an API in the remote process.
    Because CreateRemoteThread() will cause VB code to run in a new thread (not good, as we all know),
    we simply do the same thing as in part 2, but with WriteProcessMemory().

    Note: The remote process needs to be written in VB, too.
    Attached Files
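The two hooks described in Parts 1 and 2 of the post each leave a trace that a defender can check for. The following is an added example, not code from the post or its attachments: it flags IAT entries that point outside the exporting module and decodes a leading `JMP rel32` to see whether it leaves the module. The module range, addresses and byte sequences are constructed sample values for a 32-bit process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Address range a module occupies in the inspected process. */
typedef struct { uint32_t base, size; } module_range;

/* Constructed sample snapshot of a 32-bit process (not from the post). */
static const module_range KERNEL32 = { 0x7C800000u, 0x000F6000u };
static const uint32_t SAMPLE_IAT[] = { 0x7C802446u, 0x7C80AE40u, 0x00A31000u };
static const uint32_t SLEEP_VA = 0x7C802446u;
static const uint8_t CLEAN_PROLOGUE[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t HOOKED_PROLOGUE[] = { 0xE9, 0xB5, 0xEB, 0x22, 0x84 };

static int in_range(const module_range *m, uint32_t addr) {
    return addr >= m->base && addr - m->base < m->size;
}

/* Part 1 check: count IAT slots that point outside the exporting module. */
size_t count_foreign_iat_entries(const uint32_t *iat, size_t n,
                                 const module_range *exporter) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (iat[i] != 0 && !in_range(exporter, iat[i]))
            hits++;
    return hits;
}

/* Part 2 check: if the function starts with JMP rel32 (opcode 0xE9), decode
   the destination; return it when it leaves the module, 0 otherwise. */
uint32_t foreign_jmp_target(const uint8_t *code, size_t len, uint32_t va,
                            const module_range *owner) {
    if (len < 5 || code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    uint32_t target = va + 5u + rel;   /* rel32 is relative to the next instruction */
    return in_range(owner, target) ? 0 : target;
}

int main(void) {
    printf("foreign IAT entries: %zu\n",
           count_foreign_iat_entries(SAMPLE_IAT, 3, &KERNEL32));
    printf("clean prologue  -> 0x%08X\n", (unsigned)foreign_jmp_target(
           CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE, SLEEP_VA, &KERNEL32));
    printf("hooked prologue -> 0x%08X\n", (unsigned)foreign_jmp_target(
           HOOKED_PROLOGUE, sizeof HOOKED_PROLOGUE, SLEEP_VA, &KERNEL32));
    return 0;
}
```

A hit is a lead rather than a verdict: forwarded exports legitimately resolve into a different module, so compare flagged entries against the on-disk export data before concluding a hook is present.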
