Cannot modify IAT in module

  • Question

  • I am trying to hook the keybd_event API in a service. I have found the address of the import entry for keybd_event in the service module's IAT. I have done so by disassembling the service dll and finding the offset from an exported function to that IAT entry. At runtime, I have added my own service (in order to get my dll loaded into services.exe). When loaded, I use GetModuleHandle and GetProcAddress to find that exported function then use the known offset to find the IAT entry. I have verified that I have the right memory location by comparing the pointer to the module's location using remote process viewer.

    The problem is that I cannot read from or write to the IAT. My code crashes when I try. IsBadReadPtr and IsBadWritePtr tell me that I can't read or write to this memory location. Even a call to VirtualProtect to set it to PAGE_EXECUTE_READWRITE will not work. The call fails. How can I get access to this memory?
    Saturday, January 2, 2010 7:03 AM

Answers

  • Never mind! It seems I was not modifying the correct location. I was trying to modify the table that simply lists imports. I found where the actual function pointer is stored.
    • Marked as answer by ZHE ZHAO Friday, January 8, 2010 2:12 AM
    Sunday, January 3, 2010 7:42 AM
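
An added example, not code from the thread: it walks a PE32 import directory and reports, for each import, the lookup-table slot that only lists the import and the address-table slot that holds the resolved pointer, then flags pointers that fall outside the exporting DLL, which is how a defender spots a redirected import. It assumes the answer's two tables are the PE import lookup table and import address table and that each descriptor has a lookup table; the image bytes, the `user32.dll` load range and all function names are constructed for the example.

```python
import struct

ORDINAL_FLAG = 0x80000000  # PE32: high bit set means import by ordinal

def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def walk_imports(image, import_dir_rva):
    """List imports of a mapped 32-bit image (RVA == offset in this sample)."""
    rows, desc = [], import_dir_rva
    while True:
        ilt, _stamp, _fwd, name, iat = struct.unpack_from("<5I", image, desc)
        if not (ilt or name or iat):          # all-zero descriptor ends the array
            return rows
        slot = 0
        while True:
            (lookup,) = struct.unpack_from("<I", image, ilt + slot)
            if lookup == 0:                   # zero entry ends the lookup table
                break
            (pointer,) = struct.unpack_from("<I", image, iat + slot)
            func = f"#{lookup & 0xFFFF}" if lookup & ORDINAL_FLAG else cstr(image, lookup + 2)
            rows.append({"dll": cstr(image, name).lower(), "func": func,
                         "lookup_slot": ilt + slot,    # lists the import, never called through
                         "pointer_slot": iat + slot,   # holds the address calls go through
                         "pointer": pointer})
            slot += 4
        desc += 20                            # sizeof(IMAGE_IMPORT_DESCRIPTOR)

def redirected(rows, module_ranges):
    """Imports whose resolved pointer is outside the DLL expected to export them.
    Forwarded exports and compatibility shims also land here, so treat hits as leads."""
    hits = []
    for r in rows:
        lo, hi = module_ranges[r["dll"]]
        if not lo <= r["pointer"] < hi:
            hits.append(r)
    return hits

def build_sample(pointer):
    """Constructed image fragment (not from a real module): one DLL, one import."""
    hint_name = struct.pack("<H", 0) + b"keybd_event\0"
    img = struct.pack("<5I", 0x28, 0, 0, 0x38 + len(hint_name), 0x30) + bytes(20)
    img += struct.pack("<2I", 0x38, 0)        # lookup table entry + terminator
    img += struct.pack("<2I", pointer, 0)     # address table entry + terminator
    return img + hint_name + b"user32.dll\0"

RANGES = {"user32.dll": (0x77D00000, 0x77D90000)}   # constructed load range
if __name__ == "__main__":
    for ptr in (0x77D01234, 0x10001000):
        rows = walk_imports(build_sample(ptr), 0)
        print(rows[0], "redirected" if redirected(rows, RANGES) else "ok")
```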