Hook Chain EDR Kill


Summary

Every binary loaded into Windows has a list of the functions (and the modules that provide them) that it needs in order to run properly. Think of a browser: it will call a function in a Windows DLL to resolve a hostname to an IPv4 address, and so forth. This table can be hijacked so that, instead of pointing to the legitimate Windows function, an entry points to a rogue, attacker-controlled function, which can then be used for whatever purpose the attacker needs.

https://github.com/helviojunior/hookchain?tab=readme-ov-file

IAT Table

  • A Windows portable executable (PE) contains a structure called the Import Address Table (IAT)
  • The IAT contains pointers to information that is critical for an executable to do its job:
    • a list of DLLs it depends on to provide the expected functionality
    • a list of function names, and their addresses, from those DLLs that the binary may call at some point
  • Function pointers in the IAT can be hooked by overwriting the target function's address with the address of a rogue function, which can optionally go on to execute the originally intended function

HookChain combines IAT hooking (interception of function calls by manipulating the import table) with dynamic resolution of system service numbers (SSNs) and indirect system calls (indirect syscalls). Through this combination it is capable of redirecting the execution flow of all major Windows subsystem DLLs, such as kernel32.dll, kernelbase.dll, and user32.dll. This means that, once deployed, HookChain ensures that all API calls within the context of an application are carried out transparently, completely avoiding detection by EDRs.
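The check a defender wants against the IAT structure described above, and against the redirection HookChain performs, is an integrity pass over the table itself. The following is an added example (not code from the HookChain project or from this post): given a snapshot of a process's loaded modules and its IAT slots, it flags every slot whose stored pointer does not resolve into the module named in the import descriptor. The module list, addresses and IAT entries are constructed for the example. The one forwarder entry (kernel32!HeapAlloc legitimately resolving into ntdll) shows why a naive "pointer is outside kernel32" rule would false-positive; a production tool should derive such forwarders from the DLLs' export directories rather than hard-code them as done here.

```python
"""Added example: flag IAT slots whose pointer does not resolve into the
module they import from. A real scanner would read the module list and the
IAT from the live process (debugger, PE parser, or an EDR's own memory
reader); here both are constructed inline so the check runs offline."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded image: name, load address and mapped size (constructed)."""
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    """One IAT slot: the DLL and function named in the import descriptor,
    plus the address currently stored in the slot."""
    dll: str
    func: str
    ptr: int


# Legitimate cross-module resolution: kernel32 exports HeapAlloc as a
# forwarder to ntdll!RtlAllocateHeap, so that slot points into ntdll.
# Illustrative entry only; a real tool builds this map from the export
# directories of the loaded DLLs instead of hard-coding it.
KNOWN_FORWARDERS: Dict[Tuple[str, str], str] = {
    ("kernel32.dll", "HeapAlloc"): "ntdll.dll",
}


def check_iat(entries, modules, forwarders=KNOWN_FORWARDERS):
    """Return (entry, reason) for every IAT slot whose pointer lands outside
    the module that should provide the import."""
    by_name = {m.name.lower(): m for m in modules}
    findings: List[Tuple[IatEntry, str]] = []
    for entry in entries:
        expected = forwarders.get((entry.dll.lower(), entry.func), entry.dll.lower())
        target = by_name.get(expected)
        if target is None:
            findings.append((entry, f"expected module {expected} is not loaded"))
            continue
        if target.contains(entry.ptr):
            continue  # slot points where the import descriptor says it should
        owner = next((m.name for m in modules if m.contains(entry.ptr)), None)
        if owner is None:
            findings.append((entry, "pointer is not backed by any loaded module"))
        else:
            findings.append((entry, f"pointer resolves into {owner}, expected {expected}"))
    return findings


# Constructed snapshot of a 64-bit process; every address here is made up.
SAMPLE_MODULES = [
    Module("app.exe", 0x0000_0000_0040_0000, 0x0001_0000),
    Module("kernel32.dll", 0x0000_7FF8_0000_0000, 0x000C_0000),
    Module("ntdll.dll", 0x0000_7FF9_0000_0000, 0x001E_0000),
]

SAMPLE_IAT = [
    IatEntry("kernel32.dll", "CreateFileW", 0x7FF8_0001_2340),          # normal
    IatEntry("kernel32.dll", "HeapAlloc", 0x7FF9_0003_4560),            # forwarded, normal
    IatEntry("kernel32.dll", "VirtualAlloc", 0x0000_021A_0000),         # private memory
    IatEntry("ntdll.dll", "NtProtectVirtualMemory", 0x7FF8_0005_ABC0),  # wrong module
]


def scan_sample():
    """Run the check over the constructed snapshot."""
    return check_iat(SAMPLE_IAT, SAMPLE_MODULES)


if __name__ == "__main__":
    for entry, reason in scan_sample():
        print(f"{entry.dll}!{entry.func} @ {entry.ptr:#x}: {reason}")
```

The sample yields two findings: a slot pointing into memory not backed by any loaded module, and a slot pointing into a different DLL than its descriptor names. Both are the shapes an IAT redirection leaves behind, and the same pass applies to the IAT of every loaded module, not only the main executable, since DLLs such as kernel32.dll and kernelbase.dll carry import tables of their own.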