4.7. Scan for IAT Hooks (iat)
hasherezade edited this page Apr 13, 2020 · 18 revisions
`/iat <*scan_mode>` : Scan for IAT hooks.

`*scan_mode`:

- `0` - none: do not scan for IAT hooks (default)
- `1` - filtered: scan for IAT hooks, filter out system hooks
- `2` - unfiltered: scan for IAT hooks, report all
By default PE-sieve searches for inline hooks and in-memory patches. When this option is chosen, it additionally scans the IAT to detect eventual hooks. It generates a report in the following format:

```
<call via RVA>;<original function>-><hook function>;<hook module addr>+<offset>;<is module detected as suspicious>
```

If the scan was executed in filtered mode (`scan_mode = 1`), hooks leading to DLLs in system directories (System32, SysWow64) are excluded from the report. The exception to this rule is when the target DLL was patched/modified and is detected as suspicious.
In the following sample, cm_hooked.zip, the IAT was patched and the function `user32.MessageBoxW` has been replaced by a function `MBox` from a custom DLL: `NagMeNot.dll`.

This is how PE-sieve reports it:

```
4068;user32.MessageBoxW #533->nagmenot.MBox #1;10000000+100c;0
```
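As an added example (not part of PE-sieve or this wiki), the following Python parses report lines in the format above and reproduces the `scan_mode` semantics described on this page: mode 0 reports nothing, mode 2 reports everything, and mode 1 drops hooks that land in a System32/SysWow64 module unless that module was itself flagged suspicious. Two things are assumptions: the numeric fields are read as hexadecimal (the `100c` offset in the page's sample cannot be decimal), and the `#<n>` tag after each symbol is treated as the export ordinal. The report line only carries the hook module's base address, so the base-to-path mapping used for the system-directory check is constructed here; in practice it would come from a separate module listing of the scanned process. The sample report consists of the page's own line plus two constructed lines.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# One report line, in the format the page gives:
# <call via RVA>;<original function>-><hook function>;<hook module addr>+<offset>;<is module detected as suspicious>
# Assumption: numeric fields are hexadecimal.
LINE_RE = re.compile(
    r"^(?P<rva>[0-9a-fA-F]+);"
    r"(?P<orig>[^;]+?)->(?P<hook>[^;]+);"
    r"(?P<base>[0-9a-fA-F]+)\+(?P<off>[0-9a-fA-F]+);"
    r"(?P<susp>[01])$"
)
# "<module>.<function> #<n>" as in "user32.MessageBoxW #533".
# Assumption: the number after '#' is the export ordinal.
SYMBOL_RE = re.compile(r"^(?P<mod>[^.\s]+)\.(?P<func>\S+)\s+#(?P<ord>\d+)$")

SYSTEM_DIRS = ("system32", "syswow64")


@dataclass(frozen=True)
class IatHook:
    call_rva: int            # RVA of the call that goes through the patched IAT slot
    orig_module: str
    orig_func: str
    orig_ordinal: int
    hook_module: str
    hook_func: str
    hook_ordinal: int
    hook_module_base: int    # base address of the module the hook points into
    hook_offset: int         # offset of the hook function inside that module
    suspicious: bool         # PE-sieve flagged the hook module itself

    @property
    def hook_address(self) -> int:
        return self.hook_module_base + self.hook_offset


def _parse_symbol(text: str):
    m = SYMBOL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad symbol field: {text!r}")
    return m.group("mod"), m.group("func"), int(m.group("ord"))


def parse_line(line: str) -> IatHook:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IAT hook line: {line!r}")
    omod, ofunc, oord = _parse_symbol(m.group("orig"))
    hmod, hfunc, hord = _parse_symbol(m.group("hook"))
    return IatHook(
        call_rva=int(m.group("rva"), 16),
        orig_module=omod, orig_func=ofunc, orig_ordinal=oord,
        hook_module=hmod, hook_func=hfunc, hook_ordinal=hord,
        hook_module_base=int(m.group("base"), 16),
        hook_offset=int(m.group("off"), 16),
        suspicious=m.group("susp") == "1",
    )


def parse_report(text: str) -> List[IatHook]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_system_path(path: str) -> bool:
    # True when any directory component is System32 or SysWow64 (case-insensitive).
    parts = ntpath.normpath(path).lower().replace("/", "\\").split("\\")
    return any(p in SYSTEM_DIRS for p in parts[:-1])


def filter_hooks(hooks: List[IatHook], module_paths: Dict[int, str], scan_mode: int) -> List[IatHook]:
    """Apply the page's scan_mode semantics. module_paths maps a hook module base
    address to its on-disk path (assumed to come from a separate module listing)."""
    if scan_mode == 0:
        return []
    if scan_mode == 2:
        return list(hooks)
    if scan_mode != 1:
        raise ValueError("scan_mode must be 0, 1 or 2")
    kept = []
    for h in hooks:
        path = module_paths.get(h.hook_module_base, "")
        if is_system_path(path) and not h.suspicious:
            continue  # filtered mode: hook into an unmodified system DLL is dropped
        kept.append(h)
    return kept


# Sample input: the page's own line followed by two constructed lines.
SAMPLE_REPORT = """\
4068;user32.MessageBoxW #533->nagmenot.MBox #1;10000000+100c;0
4070;kernel32.Sleep #1234->shimdll.Hook #3;7ff80000+2000;0
4078;kernel32.Beep #77->patched.Hook #9;7ff90000+3000;1
"""
# Constructed base -> path mapping; the report line does not carry paths.
SAMPLE_MODULE_PATHS = {
    0x10000000: r"C:\Users\demo\Desktop\NagMeNot.dll",
    0x7FF80000: r"C:\Windows\System32\shimdll.dll",
    0x7FF90000: r"C:\Windows\System32\patched.dll",
}

if __name__ == "__main__":
    hooks = parse_report(SAMPLE_REPORT)
    for mode in (0, 1, 2):
        kept = filter_hooks(hooks, SAMPLE_MODULE_PATHS, mode)
        print(f"scan_mode={mode}:",
              [f"{h.orig_module}.{h.orig_func}->{h.hook_module}.{h.hook_func}@{h.hook_address:x}" for h in kept])
```

Running it shows the page's rule in action: the `nagmenot.MBox` hook survives in both modes 1 and 2, the constructed hook into an unmodified System32 module appears only in mode 2, and the constructed hook into a System32 module that PE-sieve flagged suspicious (`;1`) is kept in filtered mode as well.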