DiamondCS Deep System Explorer
Detection Example: DSE vs IAT & EAT Hooks

Description: The Import and Export Address Tables (IAT and EAT respectively) are, essentially, tables of function addresses inside a loaded PE module. The IAT holds one entry per function the module imports, each storing the address of that function inside the DLL that exports it; the EAT lists the functions the module itself exports, each with the address of its code.

Either table can be overwritten so that an entry points somewhere else. Every call that goes through that entry is then diverted to the new address, which is how functions are hooked.


Detection: For this demo we've used the HookLib library by author 'Rewolf'. First we'll try an IAT hook. Here the demo program (c:\hooklibtest.exe) overwrites its own IAT entry for MessageBoxA, which it imports from user32.dll, so that the entry points into c:\hooklibtest.exe instead of user32.dll:


Here we can see how easily Deep System Explorer detects the hook:


Likewise, detecting the EAT hook is just as easy:


You may have noticed that the HookLib demo also has a third type of hook: HP. This is a hotpatching hook, which DSE also easily detects.
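The check behind both screenshots above is the same idea applied to two tables: an IAT slot should point into the DLL that exports the function, and an EAT entry should point into the exporting module's own image. The following is an added example, not DiamondCS code and not how Deep System Explorer is implemented; it applies that check to a constructed snapshot of a process (module names, base addresses, sizes and table contents are all made up, and the kernel32.dll HeapAlloc forwarder entry is included only to show why a naive check would misreport a legitimately forwarded import).

```python
# Added example; not part of the DiamondCS page or of Deep System Explorer.
# It models the IAT/EAT hook check the page describes on a constructed
# snapshot of a process: which modules are loaded and where, what each
# module's import table currently resolves to, and what each module's
# export table currently points at. All names and addresses are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    importer: str   # module whose IAT holds this slot
    dll: str        # module the function is declared as imported from
    function: str
    address: int    # value currently stored in the slot


@dataclass(frozen=True)
class EatEntry:
    exporter: str   # module whose EAT holds this entry
    function: str
    address: int    # exporter base + RVA currently stored in the EAT


def owner_of(modules: List[Module], address: int) -> Optional[Module]:
    """Return the loaded module whose image range covers address, if any."""
    for m in modules:
        if m.contains(address):
            return m
    return None


def check_iat(modules: List[Module], entries: List[IatEntry],
              forwarders: Optional[Dict[Tuple[str, str], str]] = None) -> List[dict]:
    """Flag IAT slots that do not point into the module that owns the function.

    forwarders maps (dll, function) -> dll the export is forwarded to, so that a
    legitimately forwarded import is not reported as a hook.
    """
    forwarders = forwarders or {}
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for e in entries:
        target_dll = forwarders.get((e.dll.lower(), e.function), e.dll).lower()
        expected = by_name.get(target_dll)
        if expected is not None and expected.contains(e.address):
            continue  # slot points into the expected module: not hooked
        actual = owner_of(modules, e.address)
        findings.append({"table": "IAT", "module": e.importer,
                         "function": f"{e.dll}!{e.function}", "address": e.address,
                         "expected": target_dll,
                         "actual": actual.name if actual else "<unmapped>"})
    return findings


def check_eat(modules: List[Module], entries: List[EatEntry]) -> List[dict]:
    """Flag EAT entries whose address lies outside the exporting module's image."""
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for e in entries:
        exporter = by_name.get(e.exporter.lower())
        if exporter is not None and exporter.contains(e.address):
            continue  # export resolves inside its own module: not hooked
        actual = owner_of(modules, e.address)
        findings.append({"table": "EAT", "module": e.exporter,
                         "function": e.function, "address": e.address,
                         "expected": e.exporter.lower(),
                         "actual": actual.name if actual else "<unmapped>"})
    return findings


# Constructed snapshot: a demo process with one IAT hook and one EAT hook.
MODULES = [
    Module("hooklibtest.exe", 0x00400000, 0x00010000),
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
    Module("ntdll.dll", 0x7C900000, 0x000B2000),
    Module("user32.dll", 0x7E410000, 0x00091000),
]
IAT = [
    IatEntry("hooklibtest.exe", "user32.dll", "MessageBoxA", 0x00401230),   # hooked
    IatEntry("hooklibtest.exe", "kernel32.dll", "ExitProcess", 0x7C81CAFA),  # normal
    IatEntry("hooklibtest.exe", "kernel32.dll", "HeapAlloc", 0x7C9105D4),    # forwarded to ntdll
]
EAT = [
    EatEntry("user32.dll", "MessageBoxA", 0x7E4507EA),  # normal
    EatEntry("user32.dll", "MessageBoxW", 0x00401300),  # hooked
]
# kernel32 really does forward HeapAlloc to ntdll; the addresses above are still made up.
FORWARDERS = {("kernel32.dll", "HeapAlloc"): "ntdll.dll"}


def scan(modules=MODULES, iat=IAT, eat=EAT, forwarders=FORWARDERS) -> List[dict]:
    return check_iat(modules, iat, forwarders) + check_eat(modules, eat)


if __name__ == "__main__":
    for f in scan():
        print(f"{f['table']} hook in {f['module']}: {f['function']} -> {f['actual']} "
              f"(expected {f['expected']}) at {f['address']:#010x}")
```

Run as-is the scan reports two findings, the MessageBoxA IAT slot and the MessageBoxW EAT entry, both resolving into hooklibtest.exe rather than user32.dll. The forwarder table is the caveat a real scanner needs: without it the HeapAlloc import, which legitimately lands in ntdll.dll, would be reported as a third hook. The HP (hotpatching) case is not modelled here, since it leaves both tables intact and has to be found by inspecting the function's entry bytes instead.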



Copyright © 2008, Diamond Computer Systems Pty. Ltd.  All rights reserved.