
How to reload Import address table in suspended threads?

hans007

Lifer
I figured I'd give this a shot, maybe someone will know a solution since I'm pretty desperate.


I am playing with the import address table at work, and got it to work.

However, I noticed that if I replace all the functions on an already running process, any currently running threads will already have gotten the address of the original imports.

So my changes do not take effect until after.

I know that generally people will hook createprocess to suspend processes before hooking. But let's say I can't do that. Am I stuck with waiting for the next thread?

I tried suspending all threads and then resuming them, but it doesn't reload the imports.

Anyhow, I'm sure there are people here who know what I'm talking about; any help would be appreciated.
 
Language? Operating system? Runtime environment? It sounds like Windows, but some more details would be helpful 🙂.
 
I assume it is Windows too, but I am confused how/why a thread would have import-table information, unless you are specifically saving function pointers in each thread? The import tables are module-specific, not thread-specific, so don't persist the pointers. Patch the import table(s) *AND* export table(s), and use GetProcAddress() within the thread to get the dynamic address.

It's been quite a while since I played with this stuff, but it's fun!

Please provide more details about what you are trying to do (esp. in the threads), what code you have access to, etc. That would help a lot.
 
oh...

I'm doing it in C++ on Windows.

The main thing is... if I patch the import table (and I don't want to patch the export table because I could not keep the hook isolated to one process) what happens is... if I patch a currently running process it seems like

the threads that are already running have already fetched the pointers from the original import table. So even if I patch the import address table, the current threads seem to already be using the original references, and only newly created threads use the new pointers.


I have just been setting pointers to the new function in the IAT and not doing the ASM jump method.

So I wanted to know if I could, say, suspend all threads, patch the IAT, and make all those old threads get the IAT references again to the new pointers.

For example... I had a console app I made that was something like this. I am just pseudocoding this, just assume those parts work right.

#include <windows.h>
#include <conio.h>

int main()
{
    MessageBoxA(NULL, "first", "test", MB_OK);   // call resolved through the IAT
    _getch();                                    // hook is injected while blocked here
    MessageBoxA(NULL, "second", "test", MB_OK);  // second call after the injection
    return 0;
}

If I run another app to inject the code while this console app is blocked at getch, the 2nd message box does not use my new function.

However...

If I do something like this:

#include <windows.h>
#include <conio.h>
#include <process.h>

// thread that shows a message box
unsigned __stdcall messageBoxThread(void*)
{
    MessageBoxA(NULL, "hello", "test", MB_OK);
    return 0;
}

int main()
{
    HANDLE h1 = (HANDLE)_beginthreadex(NULL, 0, messageBoxThread, NULL, 0, NULL);
    WaitForSingleObject(h1, INFINITE);
    CloseHandle(h1);
    _getch();   // hook is injected while blocked here
    HANDLE h2 = (HANDLE)_beginthreadex(NULL, 0, messageBoxThread, NULL, 0, NULL);
    WaitForSingleObject(h2, INFINITE);
    CloseHandle(h2);
    return 0;
}



If I do something like that in the console app, and inject when blocked at getch... then the 2nd thread's call to message box is my new function.


I think that the PE loader gets the IAT for a full thread the first time the thread sees the reference "MessageBoxA".


Since I also tried this, in the console:

#include <windows.h>
#include <conio.h>

int main()
{
    _getch();                                    // hook is injected while blocked here, before any MessageBoxA call
    MessageBoxA(NULL, "first", "test", MB_OK);
    MessageBoxA(NULL, "second", "test", MB_OK);
    return 0;
}

and injected when blocked on getch. So since it had not called MessageBoxA yet, it had not fetched the IAT pointer yet, and that does work.
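As an added illustration (not code from this thread, and not Windows code): a portable C++ model of the two ways a call can reach an imported function. A real IAT is an array of function pointers the loader fills in, and a call compiled as `call [__imp__MessageBoxA]` re-reads that slot every time, so patching the slot redirects every later call; code that copied the pointer out of the slot earlier keeps calling whatever it copied. The block also includes the check a defender runs over a module's IAT: compare each slot against the address the named export should resolve to and report the slots that differ. The `ImportEntry` table, `original_message_box`, `hooked_message_box` and the pristine `g_iat_orig` copy are constructed stand-ins for the loader-filled table and the DLL export.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Added illustration: a simulated import address table.  The names and
// functions here are constructed stand-ins, not a real module's imports.

using MsgBoxFn = int (*)(const char*);

// Stand-in for the DLL export, and for a hook that replaces it.
int original_message_box(const char* text) { std::printf("original: %s\n", text); return 1; }
int hooked_message_box(const char* text)   { std::printf("hooked:   %s\n", text); return 2; }

struct ImportEntry { const char* name; MsgBoxFn fn; };

// The module's (simulated) IAT, plus the pristine copy a defender compares it
// against.  In practice the baseline comes from resolving each import name in
// the exporting module and checking the slot still points there.
static ImportEntry g_iat[]            = { {"MessageBoxA", original_message_box} };
static const ImportEntry g_iat_orig[] = { {"MessageBoxA", original_message_box} };
static const int kImportCount = sizeof(g_iat) / sizeof(g_iat[0]);

// Code compiled to call through the IAT ("call [__imp__X]"): the slot is
// re-read on every call, so a patched slot takes effect immediately.
int call_via_iat(const char* text) { return g_iat[0].fn(text); }

// Code that copied the pointer out of the IAT earlier (a cached function
// pointer): it keeps calling whatever the slot held at copy time.
struct CachedCaller {
    MsgBoxFn fn;
    CachedCaller() : fn(g_iat[0].fn) {}
    int call(const char* text) const { return fn(text); }
};

// Overwrite the IAT slot for `name`.  Returns the previous pointer so the
// caller can restore it, or nullptr if the name is not imported.
MsgBoxFn patch_iat(const std::string& name, MsgBoxFn replacement) {
    for (int i = 0; i < kImportCount; ++i) {
        if (name == g_iat[i].name) {
            MsgBoxFn previous = g_iat[i].fn;
            g_iat[i].fn = replacement;
            return previous;
        }
    }
    return nullptr;
}

// Integrity check: names of IAT slots whose pointer no longer matches the
// address the export should resolve to.  An empty result means no slot was
// modified.
std::vector<std::string> find_modified_iat_entries() {
    std::vector<std::string> modified;
    for (int i = 0; i < kImportCount; ++i) {
        if (g_iat[i].fn != g_iat_orig[i].fn) modified.push_back(g_iat[i].name);
    }
    return modified;
}

int main() {
    CachedCaller early;                       // pointer copied before the patch
    call_via_iat("before patch");             // original
    MsgBoxFn saved = patch_iat("MessageBoxA", hooked_message_box);
    call_via_iat("after patch");              // hooked: the slot is re-read
    early.call("after patch, cached copy");   // still original: pointer was copied earlier
    for (const std::string& n : find_modified_iat_entries())
        std::printf("IAT slot for %s has been modified\n", n.c_str());
    patch_iat("MessageBoxA", saved);          // restore the slot
    return 0;
}
```

The integrity check is the part worth keeping: on a live module it is the same loop, walking `IMAGE_DIRECTORY_ENTRY_IMPORT` and comparing each thunk against the address of the named export, which is how inline-patched IAT slots are spotted from the defender's side.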
 