IAT Hooking (A Shiny new Toy)

[why06]

IAT Hooking

Well I've been getting my ass kicked by hacksheild for way too long:
- It detects my cheat engines
- Hooks my D3D
- Steals my lunch money

But it's time to fight back, and I think I might have found a technique to do it. It's called IAT (Import Address Table) Hooking. In PE (Portable Executable) files aka. .exe there is a table of imported functions that the executable borrows from .dlls. With IAT Hooking it is possible to detour or hook these functions before they ever get called.

I went for this approach because of the lack of documentation for the Lithtech Engine. Unlike in HD's AssualtCube hooks where there is a lot of source code and little trinkets like text strings to look for. So Im going to be reading up on this. Thought someone else maybe interested to so I shared.

[Retoxified]

I'm in, althought I have my own way of hooking functions without getting detected ^^

[Void]

I'm in, althought I have my own way of hooking functions without getting detected ^^

Sharing is caring. ;(

[Arhk]

Hmmm.... My API book is helping, it forced me to learn alot about this kind of stuff....
~

[TheBigBoy]

I think u want to do something like this It dont take much to bypass HS at all they fail so much
What this does is u get the function like
sub_blahblah In IDA
you detour that function returning 0(False) or 1(True)
Sometimes it takes a little more depends on what ur trying to do
But this is how u do a simple bypass This is my private way and it does the job

Code:

HSCeScan = (HS_CeScan)	HsBypass.Create(( BYTE* )(hEhsvc + NotTellingYou), ( BYTE* )cHSCeScan, DETOUR_TYPE_JMP);

typedef int (__cdecl *HS_CeScan)(int a1, int a2, int a3);
HS_CeScan HSCeScan;
int __cdecl cHSCeScan(int a1, int a2, int a3)
{
	return 1; 
}

HSCheckA= (HS_CheckA)	HsBypass.Create(( BYTE* )(hEhsvc + NotTellingYou), ( BYTE* )cHSCheckA, DETOUR_TYPE_JMP);

typedef int (__cdecl *HS_CheckA)(int a1, int a2);
HS_CheckA HSCheckA;
int __cdecl cHSCheckA(int a1, int a2)
{
	return 1; 
}

HSCheckB= (HS_CheckB )	HsBypass.Create(( BYTE* )(hEhsvc + NotTellingYou), ( BYTE* )cHSCheckB, DETOUR_TYPE_JMP);

typedef int (__cdecl *HS_CheckB)(int a1, int a2,int a3, int a4, int a5);
HS_CheckB HSCheckB;
int __cdecl cHSCheckB(int a1, int a2,int a3, int a4, int a5)
{
	return 1; 
}

HSSelfCheck = (HS_SelfCheck)	HsBypass.Create(( BYTE* )(hEhsvc + NotTellingYou), ( BYTE* )cHSSelfCheck, DETOUR_TYPE_JMP);

typedef int (__cdecl *HS_SelfCheck)(int a1, int a2);
HS_SelfCheck HSSelfCheck;
int __cdecl cHSSelfCheck(int a1, int a2)
{
	return 0; 
}

[[MPGH]Dave84311]

IAT hooking is old, but won't help you unless you know what you're doing or have a ton of time to waste trying to figure out what you're hooking and what correlation it has to the overall operation of things.

[why06]

I think u want to do something like this It dont take much to bypass HS at all they fail so much
What this does is u get the function like
sub_blahblah In IDA
you detour that function returning 0(False) or 1(True)
Sometimes it takes a little more depends on what ur trying to do
But this is how u do a simple bypass This is my private way and it does the job

hmmm... really? disabling HS is that easy? But how do I go about unpacking EHsvc.dll to even try to do this...? =/

[TheBigBoy]

LordPE google that to dump ehsvc.dll/engine.exe/cshell.dll/anything else u want to
and that don't completely stop hacksheild but it lets you do whatever you wish

[why06]

LordPE google that to dump ehsvc.dll/engine.exe/cshell.dll/anything else u want to
and that don't completely stop hacksheild but it lets you do whatever you wish

Oh I have LordPE, I was trying to do something like that with it, but it would not show Engine.exe on its process lists. =/

[Hell_Demon]

Oh I have LordPE, I was trying to do something like that with it, but it would not show Engine.exe on its process lists. =/

Google for PermEdit and grant LordPE full system rights everytime you run it.

[Lugz]

IAT hooking is old, but won't help you unless you know what you're doing or have a ton of time to waste trying to figure out what you're hooking and what correlation it has to the overall operation of things.

I was going to say I remember way back when LanceVorgin or someone on gd introduced IAT hooking to the community for a short period of time.