IAT hooking with RunPE

[teknixstuff]

Is it possible to hook imports while using RunPE? I want to load one of the DLLs that the PE imports from memory too, rather than from a file on disk.

[hasherezade]

Hi @teknixstuff !
In case of RunPE (meaning: a loader where the implant is attached to PEB, or filled in on the place of the original EXE), the Import Table of the implant will be filled in automatically by Windows loader, once it took over the loading on process resume. So, all imports are going to be filled in following their default definitions. You can overwrite some of them later, i.e. by a small hooking stub that will be run at the entry point of the implant. But this requires modifying the implant itself with additional logic, so it is probably not the solution that you are looking for.

If you want to have a full control over the loading of the imports, and fill in some of them by pointers to manually loaded DLL, you may consider using full manual loading, rather than RunPE. In case of full manual loading, you don't use Windows loader at all - so you don't have to attach your implant to PEB. The import resolution has to be implemented fully in your loader, and in such case, you fill in the pointers in the IAT by whatever you desire.
You can also do it with the help of LibPEConv (which is a flexible manual loader). Check the following example:
https://github.com/hasherezade/libpeconv/blob/master/tests/test_hooking_imps.cpp

[teknixstuff]

Hi @teknixstuff ! In case of RunPE (meaning: a loader where the implant is attached to PEB, or filled in on the place of the original EXE), the Import Table of the implant will be filled in automatically by Windows loader, once it took over the loading on process resume. So, all imports are going to be filled in following their default definitions. You can overwrite some of them later, i.e. by a small hooking stub that will be run at the entry point of the implant. But this requires modifying the implant itself with additional logic, so it is probably not the solution that you are looking for.

Modifying the PE is not an issue, however I cannot just overwrite the import addresses after loading, as the DLL to be imported does not exist on disk at all, and I cannot just remove the DLL from the import table, as then the process fails to start.

If you want to have a full control over the loading of the imports, and fill in some of them by pointers to manually loaded DLL, you may consider using full manual loading, rather than RunPE. In case of full manual loading, you don't use Windows loader at all - so you don't have to attach your implant to PEB. The import resolution has to be implemented fully in your loader, and in such case, you fill in the pointers in the IAT by whatever you desire. You can also do it with the help of LibPEConv (which is a flexible manual loader). Check the following example: https://github.com/hasherezade/libpeconv/blob/master/tests/test_hooking_imps.cpp

That's a great idea. Although, I've ended up finding another solution, namely, hooking the Windows loader, which seems to work better for my use case at the moment.

[hasherezade]

That's a great idea. Although, I've ended up finding another solution, namely, hooking the Windows loader, which seems to work better for my use case at the moment.

Sure it will work too! I am glad it is solved.