The full area of the IAT (as defined in the Data Directory) is excluded from the code scan; it is covered by another type of scan that detects IAT hooks. In general this is good behavior, but it creates a blind spot for patches that are installed in the padding at the end of the IAT.
Example:
Test case:
https://www.hybrid-analysis.com/sample/8b86662ab617d11079f16d95d4d584e8acb4a374b87edf341195ab9e043ed1d2?environmentId=100 (Andromeda)
The Data Directory of the infected application (svchost.exe):
IAT is located in the .text section, from RVA 0x1000 to 0x11A8.
It has been hooked by Andromeda and the patch starts from RVA 0x11A4.
Infected code:
versus the original code:
Because the IAT is omitted, the hook is not detected properly. Only the bytes that lie outside the IAT have been detected as patched:
Below: the patched svchost vs the original one:
So, the patch starts in the last DWORD of the IAT (which was filled with padding).