Eine Unit von mir, mit der man fest geladene (statisch importierte) Funktionen hooken kann.
Nützlich für ring3 rootkits.
here you go:
Code:
unit umypatchIAT;

interface
uses windows, imagehlp, sysutils, dialogs;
procedure PatchIAT(Base : Cardinal; strMod : Pchar; Alt, Neu : Pointer);
type
  // Unit-local declaration of one entry of a PE image's import directory.
  // PatchIAT walks an array of these records until it reaches the entry
  // whose Name field is 0.
  _IMAGE_IMPORT_DESCRIPTOR = packed record
    case Integer of
      // Variant 0 overlays the first DWORD of variant 1.
      0: (Characteristics: DWORD);
      1: (
        OriginalFirstThunk: DWORD;  // not read by this unit
        TimeDateStamp: DWORD;       // not read by this unit
        ForwarderChain: DWORD;      // not read by this unit
        Name: DWORD;                // offset from the image base to the imported module's name
        FirstThunk: DWORD           // offset from the image base to the DWORD thunk array
      );
  end;

  IMAGE_IMPORT_DESCRIPTOR = _IMAGE_IMPORT_DESCRIPTOR;
  PIMAGE_IMPORT_DESCRIPTOR = ^IMAGE_IMPORT_DESCRIPTOR;
implementation

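// Rewrites import-address-table slots of the module mapped at Base.
//
// For every import descriptor whose module name equals strMod
// (case-insensitive), each thunk slot that currently holds the address Alt
// is overwritten with the address Neu.
//
//   Base   - load address of the module whose import table is edited
//   strMod - name of the imported module to match, e.g. a DLL file name
//   Alt    - address currently stored in the slot (the value to look for)
//   Neu    - address written in its place
//
// The routine is 32-bit only: Base is a Cardinal and every slot is read and
// written as a DWORD. Nothing is reported to the caller; a slot that cannot
// be made writable is skipped.
//
// Review notes:
//   * ImageDirectoryEntryToData returns nil when the image has no import
//     directory; the original dereferenced that result unchecked.
//   * The original left the patched page PAGE_EXECUTE_READWRITE and ignored
//     the result of VirtualProtectEx. The previous protection is now put
//     back so the import table does not stay writable and executable.
//   * A slot changed this way no longer holds the address the loader
//     resolved for the import, which is the property import-table integrity
//     checks compare against.
procedure PatchIAT(Base : Cardinal; strMod : Pchar; Alt, Neu : Pointer);
var
  pImportDir : pImage_Import_Descriptor;
  size : Cardinal;
  pThunk : PDWORD;
  oldProtect : Cardinal;
  tmpProtect : Cardinal;
  written : Cardinal;
begin
  // Nothing to walk or compare against.
  if (Base = 0) or (strMod = nil) then
    Exit;

  pImportDir := ImageDirectoryEntryToData(Pointer(Base), True,
    IMAGE_DIRECTORY_ENTRY_IMPORT, size);
  if pImportDir = nil then
    Exit;

  // The descriptor array ends at the entry whose Name is 0.
  while pImportDir^.Name <> 0 do
  begin
    if lstrcmpiA(Pchar(pImportDir^.Name + Base), strMod) = 0 then
    begin
      pThunk := PDWORD(Base + pImportDir^.FirstThunk);
      // The thunk array ends at the first slot that is 0.
      while pThunk^ <> 0 do
      begin
        if DWORD(Alt) = pThunk^ then
        begin
          // Only write when the page could actually be made writable, and
          // keep the old protection in its own variable so it can be
          // restored (the original reused one variable for both calls).
          if VirtualProtectEx(GetCurrentProcess, pThunk, SizeOf(DWORD),
            PAGE_EXECUTE_READWRITE, oldProtect) then
          begin
            WriteProcessMemory(GetCurrentProcess, pThunk, @Neu,
              SizeOf(DWORD), written);
            VirtualProtectEx(GetCurrentProcess, pThunk, SizeOf(DWORD),
              oldProtect, tmpProtect);
          end;
        end;
        Inc(pThunk);
      end;
    end;
    Inc(pImportDir);
  end;
end;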


end.
greetz Hamtaro aka CorVu5

