Adding API To IAT [Archive] - RCE Messageboard's Regroupment

durexlw

02-01-2008, 08:50 AM

I am wondering if it's possible to add an API call to the IAT

In my case, I'd like to add User32.SendDlgItemMessage to an application, so I can use it to patch the application.

If you can point me in the right direction, i'd be happy to hear from you.

Cheers,
Durex

evlncrn8

02-01-2008, 10:14 AM

just edit the import table, hardly rocket science... if theres no space, make a new iat, and append the api's you need into it...

deroko

02-01-2008, 10:34 AM

1. create new section or expand last section
2. copy IMAGE_IMPORT_DESCRIPTORs there
3. add your IMAGE_IMPORT_DESCRIPTOR and update it to point to dll name and api_name + address where you want it stored
4. update PE.OptionalHeader.DataDirectories[IMPORT] with RVA of place where you moved old ones
5. done

or

use IIDKing to do this

OHPen

02-01-2008, 10:38 AM

LOL: deroko and i nearly posted at the same time. so forget my post

lo,

i agree with evlncrn8, should be no problem to append a new section for example and, create a new iat from the scratch, relying on the old iat + adding needed api functions. afterwards you just have to link the iat pointer just to point to new section.
if i remember correctly there was a well known tool which do exactly like that, but i forgot, sorry.

regards,

papi

Admiral

02-01-2008, 10:38 AM

There are a few tools out there that can automate this process. I can't personally vouch for any but IIDKing looks like the most suitable in the CRECTL:

http://www.woodmann.com/collaborative/tools/index.php/Category:Import_Editors

Admiral

deroko

02-01-2008, 11:02 AM

Quote:

[Originally Posted by OHPen;72409]LOL: deroko and i nearly posted at the same time. so forget my post

I was faster

OHPen

02-01-2008, 11:55 AM

@deroko: yeah, damn'it

disavowed

02-02-2008, 08:17 PM

LordPE can do that too. i'll add it to the CRCETL page (it's not on there at the moment).

Admiral

02-02-2008, 08:39 PM

Quote:

[Originally Posted by disavowed;72425]LordPE can do that too. i'll add it to the CRCETL page (it's not on there at the moment).

Huh. I've been using LordPE for as long as I've been on solids and not once did I discover this feature. That would have saved me some grief on a few occasions

.

Still learning then

Nacho_dj

02-03-2008, 05:28 AM

If you don't want to increase the size in your executable, you could add your API using some of those tools in the same place where I.T. is now, building IAT by ordinals, because it won't use Names of Functions. But it is not a good idea if you are carrying your executable to another machine, since ordinals are strongly system version dependent.

Cheers

Nacho_dj

disavowed

02-03-2008, 12:39 PM

Quote:

[Originally Posted by Admiral;72426]Huh. I've been using LordPE for as long as I've been on solids and not once did I discover this feature. That would have saved me some grief on a few occasions .

Still learning then

yeah, just right-click on an imported dll in the import-table viewer and click "add import..."