Exploring IAT hooking
Import Address Table hooking (IAT hooking) is another form of API hooking that is used less often. This hooking technique doesn't require a disassembler, code patching, or a trampoline. The idea behind it is to overwrite the addresses stored in the import table so that they point to the malicious hooking functions rather than the actual API. In this case, the hooking function executes a jmp to the actual API address (or calls it after pushing the API arguments onto the stack), and then returns to the actual program, as shown in the following diagram:
Figure 5.20 – The IAT hooking mechanism
This hooking is not effective against the dynamic loading of APIs (using GetProcAddress and LoadLibrary), but it's still effective against many legitimate applications that have most of their required APIs in the import table.
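The defender-side check that follows from this mechanism, as an added example that is not from the book: every filled IAT slot must point inside the mapped image of the DLL it imports from, so a slot redirected into the executable's own image (or any other module) stands out. The module table and IAT below are constructed stand-ins for what a real scanner reads from the loaded-module list and the PE import directory; the names scan_iat, find_module and demo_scan are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a loaded module's mapped image (base and size,
   as a real scanner would get them from the process module list). */
typedef struct { const char *name; uintptr_t base; size_t size; } module_t;

/* One IAT slot: the DLL it imports from, the symbol name, and a pointer to
   the slot the loader filled in (a real scanner walks the import
   directory's thunk arrays to obtain these). */
typedef struct { const char *dll; const char *func; uintptr_t *slot; } iat_entry_t;

static const module_t *find_module(const module_t *mods, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(mods[i].name, name) == 0) return &mods[i];
    return NULL;
}

/* Flag every IAT slot whose current target lies outside the image of the
   DLL it was imported from. Returns the number of suspicious slots and
   records their indices in out[] (up to max of them). */
size_t scan_iat(const iat_entry_t *iat, size_t n, const module_t *mods,
                size_t nmods, size_t *out, size_t max) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const module_t *m = find_module(mods, nmods, iat[i].dll);
        uintptr_t target = *iat[i].slot;
        int ok = m && target >= m->base && target < m->base + m->size;
        if (!ok && hits < max) out[hits] = i;
        if (!ok) hits++;
    }
    return hits;
}

/* Demo on constructed data: two imports from kernel32, the second of which
   has been redirected to a function inside the main executable's image. */
size_t demo_scan(void) {
    module_t mods[] = { {"kernel32.dll", (uintptr_t)0x7ff800000000ULL, 0xc0000},
                        {"main.exe",     (uintptr_t)0x400000,          0x20000} };
    uintptr_t slots[2] = { (uintptr_t)0x7ff800001230ULL, (uintptr_t)0x7ff800004560ULL };
    slots[1] = (uintptr_t)0x401000;  /* hooked: slot now points into main.exe */
    iat_entry_t iat[] = { {"kernel32.dll", "CreateFileW", &slots[0]},
                          {"kernel32.dll", "WriteFile",   &slots[1]} };
    size_t flagged[2];
    size_t n = scan_iat(iat, 2, mods, 2, flagged, 2);
    for (size_t i = 0; i < n; i++)
        printf("IAT slot %s!%s points outside %s\n", iat[flagged[i]].dll,
               iat[flagged[i]].func, iat[flagged[i]].dll);
    return n;
}
```

Because the check compares against module bounds rather than re-resolving through GetProcAddress, it still works when that API has itself been hooked.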