def hookiat(db, line):
    '''
    Hook the specified IAT entries by munging a pointer and emulating
    "breakpoint" like behavior on the resultant memory access errors.
    Basically, break on import call...

    Usage: hookiat <libname> [ <implibname> [ <impfuncname> ] ]

    Example:
        hookiat calc
        hookiat calc kernel32
        hookiat calc kernel32 LoadLibraryA

    NOTE: Once added, you may use "bp" and commands like "bpedit" to modify,
    remove, or add code to "iat hooks"
    '''
    # NOTE(review): the wording of the docstring above is kept as the author
    # wrote it; do_help('hookiat') presumably displays it as the command help
    # (confirm against the CLI base class).
    #
    # NOTE(review): per the help text, the hooks work by altering IAT pointers
    # in the traced process, so target memory stays modified while they are in
    # place. Only calls dispatched through the import table can fault on the
    # munged pointer; calls made through an address obtained at run time will
    # presumably not be reported, so an empty hit list is not proof that an
    # API was never called.
    args = e_cli.splitargs(line)

    # One to three arguments are accepted (libname, then optional import
    # library and function names); any other count falls back to the help.
    if not 1 <= len(args) <= 3:
        return db.do_help('hookiat')

    db.vprint('Adding IAT Hooks (use bp/bpedit cmds to review/modify...)')

    # The parsed arguments are forwarded positionally after the trace object.
    added = vt_iathook.hookIat(db.trace, *args)
    total = len(added)

    # Print the table header only when there is at least one row to show.
    if total:
        db.vprint('[ bpid ] [ IAT Name ]')

    # Each entry unpacks as (IAT name, breakpoint id); the id is what the
    # bp/bpedit commands mentioned in the help text operate on.
    for name, bp_id in added:
        db.vprint('[%6d] %s' % (bp_id, name))

    db.vprint('Added %d hooks.' % total)