I'm asking this because I want to have different matrix functions in a DLL: one for plain Pentium, one for SIMD and one for 3DNow.
They take exactly the same arguments and do exactly the same thing, but their speeds are very different.
So has anyone tried to modify the jump tables at runtime? If so, will it work on Windows95/98/ME and NT/2000? :confused:
you mean the iat? if yes then i did it
and it didn't work... i don't know why
but if i used a debugger everything worked
ok but without my modification are ignored.
hm i had to patch a program to change internal
code structures so i searched for other
solutions and ended up learning how viruses
work, how to inject my own code in other
pe's without crashing them... so i increased
the last section, injected my code, changed
the entrypoint and changed the api calls i
wanted to hook from there... hm but this is
like shooting with big guns on little birds so
i overthought everything and now i've got
a LEGAL inmem patcher :)
good luck
dxantos, it is quite possible to modify the import table during runtime, you only need to make sure that you've got write access to the section containing it (which you should by default).
i used virtualprotect for this purpose but it still
did not work, then i rendered all sections as writable
in a loop but nothing happens...
hello _drcmda,
VirtualProtect works fine. The following code demonstrates it (it works whether started from a debugger or not):
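    .386
    .model flat,stdcall

ExitProcess    proto stdcall a1:dword
VirtualProtect proto stdcall a1:dword,a2:dword,a3:dword,a4:dword
MessageBoxA    proto stdcall a1:dword,a2:dword,a3:dword,a4:dword

MB_OK          equ 0
PAGE_READWRITE equ 4

    .data
externdef _imp__MessageBoxA@16:dword    ; IAT slot that holds the address of MessageBoxA
data1     db "start with normal MessageBox",0
data2     db "message from MessageBox",0
data3     db "message from NewMessageBox",0
dwOldProc dword 0                       ; original MessageBoxA address, saved while the slot is swapped

    .code

; Replacement with the same signature: ignores its arguments and
; calls the original MessageBoxA with data3 as the text.
NewMessageBox proc a1:dword, a2:dword,a3:ptr byte,a4:dword
    push 0                              ; uType
    push 0                              ; lpCaption
    push offset data3                   ; lpText
    push 0                              ; hWnd
    call dword ptr dwOldProc
    ret
NewMessageBox endp

WinMainCRTStartup proc
    local dwOldStat:dword
    ; 1st call: slot untouched, shows data1
    invoke MessageBoxA,0,addr data1,0,MB_OK
    ; make the 4-byte IAT slot writable
    invoke VirtualProtect,addr _imp__MessageBoxA@16,4,PAGE_READWRITE,addr dwOldStat
    ; swap in NewMessageBox and keep the old address
    mov eax,offset NewMessageBox
    xchg eax,_imp__MessageBoxA@16
    mov dwOldProc,eax
    ; 2nd call: goes through NewMessageBox, shows data3
    invoke MessageBoxA,0,addr data2,0,MB_OK
    ; restore the original address
    mov eax,dwOldProc
    xchg eax,_imp__MessageBoxA@16
    ; 3rd call: slot restored, shows data2
    invoke MessageBoxA,0,addr data2,0,MB_OK
    invoke ExitProcess,0
WinMainCRTStartup endp

    end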
The code exchanges the address of MessageBox with the address of a self-written proc. The program displays all 3 defined texts.
japheth
Another idea is to poke in the PE section
table so that .rdata becomes writeable.
I'm going to try it myself. But can I get
the IAT address and size at run time, in
order to modify a chunk of it in one move,
or do I need to modify import symbols
addresses one by one?
ahm yes i think all you need is the modulehandle.
from there you'll find the data-table just after the
image-optional-header. from there you can get the
address and size (consider a pe manual) of the iat.
but i am still not sure if it works.
japheth looks interesting i will try it out.
Thanks _drcmda. I take it that the module
handle is always just the base address?
yes...
use GetModuleHandle at runtime
or the imagebase value in the pe
header.
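The lookup described in the last few posts (module handle, then the data directory that follows the optional header), written out as an added example that is not code from any poster in the thread. It is portable C that reads the IAT directory entry from a header buffer; the names find_iat and make_sample and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DIR_ENTRY_IAT 12                       /* IMAGE_DIRECTORY_ENTRY_IAT (winnt.h) */

static uint32_t rd32(const unsigned char *p) { /* little-endian reads */
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* base: start of a mapped PE image (the module handle); len: readable bytes.
   Returns 0 and fills rva/size, or -1 if the headers are malformed. */
int find_iat(const unsigned char *base, size_t len, uint32_t *rva, uint32_t *size) {
    if (len < 0x40 || base[0] != 'M' || base[1] != 'Z') return -1;
    uint32_t nt = rd32(base + 0x3C);                     /* e_lfanew */
    if (nt > len || len - nt < 26) return -1;
    if (memcmp(base + nt, "PE\0\0", 4) != 0) return -1;
    uint16_t opt_size = rd16(base + nt + 20);            /* SizeOfOptionalHeader */
    const unsigned char *opt = base + nt + 24;           /* optional header */
    uint16_t magic = rd16(opt);
    uint32_t dirs = magic == 0x10B ? 96 : magic == 0x20B ? 112 : 0; /* PE32 / PE32+ */
    uint32_t end = dirs + (DIR_ENTRY_IAT + 1) * 8;
    if (!dirs || opt_size < end || len - nt - 24 < end) return -1;
    if (rd32(opt + dirs - 4) <= DIR_ENTRY_IAT) return -1; /* NumberOfRvaAndSizes */
    *rva  = rd32(opt + dirs + DIR_ENTRY_IAT * 8);
    *size = rd32(opt + dirs + DIR_ENTRY_IAT * 8 + 4);
    return 0;
}

/* Constructed sample: bare PE32 headers whose IAT entry is RVA 0x2000, size 0x40 */
void make_sample(unsigned char buf[512]) {
    memset(buf, 0, 512);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80;                                    /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x80 + 20] = 224;                                /* SizeOfOptionalHeader */
    unsigned char *opt = buf + 0x80 + 24;
    opt[0] = 0x0B; opt[1] = 0x01;                        /* magic 0x10B = PE32 */
    opt[92] = 16;                                        /* NumberOfRvaAndSizes */
    opt[96 + DIR_ENTRY_IAT * 8 + 1] = 0x20;              /* RVA  = 0x2000 */
    opt[96 + DIR_ENTRY_IAT * 8 + 4] = 0x40;              /* size = 0x40 */
}

int main(void) {
    unsigned char img[512]; uint32_t rva, size;
    make_sample(img);
    if (find_iat(img, sizeof img, &rva, &size) == 0)
        printf("IAT at RVA 0x%X, %u bytes\n", (unsigned)rva, (unsigned)size);
    return 0;
}
```

In a running Win32 process, base would be the value returned by GetModuleHandle and the table itself sits at base + rva. A zero RVA means the image carries no IAT directory entry.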