Im asking this because I want to have different matrix functions on a DLL one for plain pentium, one for SMID and one for 3DNow. They take exactly the same arguments and do exacly the same thing, but their speed are very different. So has anyone tried to modify the jump tables at runtime. If so, will it work on Windows95/98/ME and NT/2000? :confused:
Posted on 2001-06-20 14:03:00 by dxantos
you mean the iat? if yes then i did it and i doesn't worked... i don't know why but if i used a debugger everything worked ok but without my modification are ignored. hm i had to patch a program to change intern code structures so i searched for other solutions in ended in learning how viruses work, how to inject my own code in others pe's without crashing them... so i increased the last section injected my code changes the entrypoint and changed the api calls i wanted to hook from there... hm but this is like shooting with big guns on little birds so i overthought everything and now i've got a LEGAL inmem patcher :) good luck
Posted on 2001-06-20 15:35:00 by _drcmda
dxantos, it is quite possible to modify the import table during runtime, you only need to make sure that you've got write access to the section containing it (which you should by default).
Posted on 2001-06-20 17:38:00 by Tola
i used virtualprotect for this purpose but it still not worked then i rendered all sections as writable in a loop but nothing happens...
Posted on 2001-06-21 05:46:00 by _drcmda
hello _drcmda, VirtualProtect works fine. The following code demonstrates it (it works whether started from a debugger or not):


    .386
    .model flat,stdcall

ExitProcess proto stdcall a1:dword
VirtualProtect proto stdcall a1:dword,a2:dword,a3:dword,a4:dword
MessageBoxA proto stdcall a1:dword,a2:dword,a3:dword,a4:dword

MB_OK          equ 0
PAGE_READWRITE equ 4

    .data

externdef   _imp__MessageBoxA@16:dword

data1 db "start with normal MessageBox",0
data2 db "message from MessageBox",0
data3 db "message from NewMessageBox",0
dwOldProc dword 0

    .code


NewMessageBox proc a1:dword, a2:dword,a3:ptr byte,a4:dword


    push  0
    push  0
    push  offset data3
    push  0
    call  dword ptr dwOldProc
    ret

NewMessageBox endp

WinMainCRTStartup proc

local dwOldStat:dword

    invoke MessageBoxA,0,addr data1,0,MB_OK

    invoke VirtualProtect,addr _imp__MessageBoxA@16,4,PAGE_READWRITE,addr dwOldStat

    mov    eax,offset NewMessageBox
    xchg   eax,_imp__MessageBoxA@16
    mov    dwOldProc,eax

    invoke MessageBoxA,0,addr data2,0,MB_OK

    mov    eax,dwOldProc
    xchg   eax,_imp__MessageBoxA@16

    invoke MessageBoxA,0,addr data2,0,MB_OK

    invoke ExitProcess,0
                
WinMainCRTStartup endp

    end
the code exchanges address of MessageBox with the address of a self-written proc. The program displays all 3 defined texts japheth
Posted on 2001-06-21 07:10:00 by japheth
Another idea is to poke in the PE section table so that .rdata becomes writeable. I'm going to try it myself. But can I get the IAT address and size at run time, in order to modify a chunk of it in one move, or do I need to modify import symbols addresses one by one?
Posted on 2001-06-21 10:03:00 by Larry Hammick
ahm yes i think all you need is the modulehandle. from there you'll find the data-table just after the image-optional-header. from there you can get the address and size (consider a pe manual) of the iat. but i am still not sure if it works. japheth looks interesting i will try it out.
Posted on 2001-06-21 12:45:00 by _drcmda
Thanks _drcmda. I take it that the module handle is always just the base address?
Posted on 2001-06-21 13:26:00 by Larry Hammick
yes... use GetModuleHandle at runtime or the imagebase value in the pe header.
Posted on 2001-06-21 13:34:00 by _drcmda