I'm asking this because I want to have different matrix functions in a DLL: one for a plain Pentium, one for SIMD and one for 3DNow. They take exactly the same arguments and do exactly the same thing, but their speeds are very different. So has anyone tried to modify the jump tables at runtime? If so, will it work on Windows 95/98/ME and NT/2000?
You mean the IAT? If yes, then I did it and it didn't work... I don't know why, but if I used a debugger everything worked OK, but without one my modifications are ignored. Hm, I had to patch a program to change internal code structures, so I searched for other solutions and ended up learning how viruses work, how to inject my own code into other PEs without crashing them... so I enlarged the last section, injected my code, changed the entry point and changed the API calls I wanted to hook from there... Hm, but this is like shooting little birds with big guns, so I rethought everything and now I've got a LEGAL in-memory patcher :) Good luck.
dxantos, it is quite possible to modify the import table at runtime; you only need to make sure that you've got write access to the section containing it (which you should have by default).
I used VirtualProtect for this purpose but it still didn't work; then I made all sections writable in a loop, but nothing happened...
Hello _drcmda, VirtualProtect works fine. The following code demonstrates it (it works whether started from a debugger or not):
The code exchanges the address of MessageBox with the address of a self-written proc. The program displays all 3 defined texts.
japheth
.386
.model flat,stdcall

ExitProcess    proto stdcall a1:dword
VirtualProtect proto stdcall a1:dword,a2:dword,a3:dword,a4:dword
MessageBoxA    proto stdcall a1:dword,a2:dword,a3:dword,a4:dword

MB_OK          equ 0
PAGE_READWRITE equ 4

.data
; the IAT slot the linker fills with the address of user32!MessageBoxA
externdef _imp__MessageBoxA@16:dword
data1     db "start with normal MessageBox",0
data2     db "message from MessageBox",0
data3     db "message from NewMessageBox",0
dwOldProc dword 0                  ; saved original MessageBoxA address

.code
; replacement proc: ignores its arguments and calls the saved original
; with its own text, so the hook is visible on screen
NewMessageBox proc a1:dword, a2:dword,a3:ptr byte,a4:dword
    push 0
    push 0
    push offset data3
    push 0
    call dword ptr dwOldProc
    ret
NewMessageBox endp

WinMainCRTStartup proc
    local dwOldStat:dword

    ; 1) unhooked call
    invoke MessageBoxA,0,addr data1,0,MB_OK

    ; make the 4-byte IAT slot writable, then swap in NewMessageBox
    invoke VirtualProtect,addr _imp__MessageBoxA@16,4,PAGE_READWRITE,addr dwOldStat
    mov  eax,offset NewMessageBox
    xchg eax,_imp__MessageBoxA@16
    mov  dwOldProc,eax             ; keep the original for the hook and for restoring

    ; 2) hooked call: goes through NewMessageBox, shows data3
    invoke MessageBoxA,0,addr data2,0,MB_OK

    ; restore the original slot contents
    mov  eax,dwOldProc
    xchg eax,_imp__MessageBoxA@16

    ; 3) unhooked again: shows data2
    invoke MessageBoxA,0,addr data2,0,MB_OK

    invoke ExitProcess,0
WinMainCRTStartup endp
end
Another idea is to poke in the PE section table so that .rdata becomes writable. I'm going to try it myself. But can I get the IAT address and size at run time, in order to modify a chunk of it in one move, or do I need to modify the import symbol addresses one by one?
Ahm, yes, I think all you need is the module handle. From there you'll find the data table just after the image optional header. From there you can get the address and size (consult a PE manual) of the IAT. But I am still not sure if it works. japheth, that looks interesting, I will try it out.
Thanks _drcmda. I take it that the module handle is always just the base address?
Yes... use GetModuleHandle at runtime or the ImageBase value in the PE header.
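As an added example (not code from anyone in this thread): the walk _drcmda describes, written out in C. Starting from a module base, it follows e_lfanew to the PE header, skips the file header into the optional header, reads DataDirectory[1] (imports) and DataDirectory[12] (the IAT, which answers the "address and size" question), then walks the import descriptors and the import name table to find the IAT slot for a given DLL/function and swaps its contents, exactly what japheth's xchg on _imp__MessageBoxA@16 does. To run offline, it builds a constructed PE32 image in a buffer instead of using a real loaded module; the RVAs, hint values and "resolved" addresses in it are made up, and the IMAGE_* structures are redefined locally rather than taken from windows.h. It handles PE32 only (PE32+ has the data directory at optional-header offset 112 and 8-byte thunks). On a 32-bit Windows process you would pass `(uint8_t *)GetModuleHandle(NULL)` as `base` and call VirtualProtect on the slot before writing, as in the MASM code above.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed PE32 image layout used by build_sample_image(); RVAs equal buffer
   offsets here, just as they are offsets from the base GetModuleHandle returns. */
#define IMG_SIZE    0x800
#define RVA_PE      0x80    /* e_lfanew target: "PE\0\0"                 */
#define RVA_IMPORTS 0x200   /* IMAGE_IMPORT_DESCRIPTOR array             */
#define RVA_DLLNAME 0x300
#define RVA_INT     0x400   /* import name table (OriginalFirstThunk)    */
#define RVA_NAMES   0x500   /* IMAGE_IMPORT_BY_NAME entries              */
#define RVA_IAT     0x600   /* import address table (FirstThunk)         */

enum { DIR_IMPORT = 1, DIR_IAT = 12 };      /* IMAGE_DIRECTORY_ENTRY_* indices */
#define IMAGE_ORDINAL_FLAG32 0x80000000u

typedef struct { uint32_t VirtualAddress, Size; } DataDirectory;

/* PE fields are little-endian and not necessarily aligned: use byte accessors. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* module base -> MZ -> PE -> optional header -> DataDirectory[index] */
static int get_data_directory(const uint8_t *base, int index, DataDirectory *out)
{
    if (base[0] != 'M' || base[1] != 'Z') return 0;
    const uint8_t *pe = base + rd32(base + 0x3C);           /* e_lfanew            */
    if (memcmp(pe, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = pe + 4 + 20;                        /* skip sig + file hdr */
    if ((opt[0] | opt[1] << 8) != 0x10B) return 0;           /* PE32 magic only     */
    if ((uint32_t)index >= rd32(opt + 92)) return 0;         /* NumberOfRvaAndSizes */
    out->VirtualAddress = rd32(opt + 96 + index * 8);
    out->Size           = rd32(opt + 96 + index * 8 + 4);
    return 1;
}

static int name_equal_nocase(const char *a, const char *b)   /* DLL names are case-insensitive */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Returns the RVA of the IAT slot for dll!func, or 0 if not imported by name. */
static uint32_t find_iat_slot(const uint8_t *base, const char *dll, const char *func)
{
    DataDirectory dir;
    if (!get_data_directory(base, DIR_IMPORT, &dir) || dir.VirtualAddress == 0) return 0;
    for (uint32_t d = dir.VirtualAddress; rd32(base + d + 12) != 0; d += 20) { /* Name==0 ends list */
        uint32_t int_rva = rd32(base + d), iat_rva = rd32(base + d + 16);
        if (!name_equal_nocase((const char *)base + rd32(base + d + 12), dll) || int_rva == 0) continue;
        for (uint32_t i = 0; rd32(base + int_rva + i * 4) != 0; i++) {
            uint32_t thunk = rd32(base + int_rva + i * 4);
            if (thunk & IMAGE_ORDINAL_FLAG32) continue;       /* imported by ordinal, no name */
            if (strcmp((const char *)base + thunk + 2, func) == 0) return iat_rva + i * 4; /* skip hint */
        }
    }
    return 0;
}

/* Swap the slot contents; old value is returned so the hook can chain or restore.
   In a live process the slot may sit in a read-only page: VirtualProtect it first. */
static int hook_import(uint8_t *base, const char *dll, const char *func, uint32_t new_addr, uint32_t *old_addr)
{
    uint32_t slot = find_iat_slot(base, dll, func);
    if (slot == 0) return 0;
    *old_addr = rd32(base + slot);
    wr32(base + slot, new_addr);
    return 1;
}

/* Constructed image: one DLL (user32.dll) importing MessageBoxA and MessageBoxW. */
static void build_sample_image(uint8_t *img)
{
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, RVA_PE);
    memcpy(img + RVA_PE, "PE\0\0", 4);
    wr16(img + RVA_PE + 4, 0x14C);                            /* Machine = i386         */
    wr16(img + RVA_PE + 4 + 16, 224);                         /* SizeOfOptionalHeader   */
    uint8_t *opt = img + RVA_PE + 24;
    wr16(opt, 0x10B);                                         /* PE32 magic             */
    wr32(opt + 92, 16);                                       /* NumberOfRvaAndSizes    */
    wr32(opt + 96 + DIR_IMPORT * 8, RVA_IMPORTS); wr32(opt + 96 + DIR_IMPORT * 8 + 4, 2 * 20);
    wr32(opt + 96 + DIR_IAT * 8, RVA_IAT);        wr32(opt + 96 + DIR_IAT * 8 + 4, 3 * 4);
    wr32(img + RVA_IMPORTS + 0, RVA_INT); wr32(img + RVA_IMPORTS + 12, RVA_DLLNAME); wr32(img + RVA_IMPORTS + 16, RVA_IAT);
    strcpy((char *)img + RVA_DLLNAME, "USER32.dll");
    wr16(img + RVA_NAMES, 0x1F3);        strcpy((char *)img + RVA_NAMES + 2, "MessageBoxA");  /* made-up hints */
    wr16(img + RVA_NAMES + 0x20, 0x1F4); strcpy((char *)img + RVA_NAMES + 0x22, "MessageBoxW");
    wr32(img + RVA_INT, RVA_NAMES); wr32(img + RVA_INT + 4, RVA_NAMES + 0x20);
    wr32(img + RVA_IAT, 0x77D5058A); wr32(img + RVA_IAT + 4, 0x77D505F0);    /* made-up resolved addrs */
}

int main(void)
{
    static uint8_t img[IMG_SIZE];
    uint32_t old = 0;
    DataDirectory iat;
    build_sample_image(img);
    get_data_directory(img, DIR_IAT, &iat);
    printf("IAT at RVA 0x%X, %u bytes\n", iat.VirtualAddress, iat.Size);
    if (hook_import(img, "user32.dll", "MessageBoxA", 0x00401000, &old))
        printf("MessageBoxA slot RVA 0x%X: 0x%08X -> 0x%08X\n",
               find_iat_slot(img, "user32.dll", "MessageBoxA"), old, rd32(img + RVA_IAT));
    return 0;
}
```

The IAT directory (index 12) gives the whole table as one address/size pair, which is what you would pass to a single VirtualProtect call before patching several slots; the import descriptors are still needed to know which slot belongs to which function.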