Demo for IAT hooking and interception of Win32 API calls
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tripwire is a demo project for IAT hooking and interception of Win32 API calls.
- Start MS Publisher in a suspended state.
- Inject our custom GDIHOOK.DLL into the Publisher process.
- Inject a Publisher DLL we need to patch.
- Read the export address table for GDIHOOK.DLL and find the address of our replacement function.
- Read the import address table for Publisher's DLL looking for a specific Win32 API function.
- Write the address of our replacement function to the import thunk in Publisher's DLL.
- Resume the Publisher thread.
- Open a named pipe and wait.
- When Publisher calls the Win32 API function we want to intercept, our replacement function sends a signal over a named pipe to tripwire.
- Tripwire receives the signal from our DLL. If the intercepted function is never called the Tripwire waits indefinitely.