IAT API

Assembly block for finding and calling the windows API functions inside import address table(IAT) of the running PE file.

The design of the block is inspired by Stephen Fewer's block_api and Josh Pitts's 2017 DEF CON talk. iat_api finds the address of an API function by walking the _IMAGE_IMPORT_DESCRIPTOR entries of the running PE file's import table. For every imported function it calculates the ROR(13) hash of the module name concatenated with the function name and compares it with the hash passed to the block. When the hash matches, the block takes the function's address from the corresponding import address table (IAT) slot and calls it with the parameters passed to the block.

Description

One of the main objectives while designing iat_api was bypassing the exploit mitigation techniques used by EMET, Windows Defender and similar security products. Resolving API addresses from the import address table (IAT) of the running PE instead of the export address table (EAT) of the loaded modules means the block never has to read the export tables of KERNEL32, KERNELBASE or NTDLL, so EMET's Export Address Filtering (EAF) and Export Address Filtering Plus (EAF+) mitigations, which guard exactly those reads, are bypassed. After finding the wanted API address, iat_api transfers control with a CALL instruction instead of jumping or returning into the function; EMET's caller checks verify that a protected API was entered through a CALL rather than the RET/JMP typical of ROP, so they are bypassed as well. Changing the rotation value used when calculating the function name hash may also help evade antivirus products that use the well-known ROR13 hash constants as signatures.

IMPORTANT !!

  • The function called through iat_api must be imported by the target PE file, i.e. it must appear in that file's import table. The block only walks the import table and has no fallback for a missing entry, so a hash that matches no import will crash. Check the target's imports before choosing which APIs the shellcode relies on.
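The lookup the block performs in assembly, written out in Python so it can be checked against a target binary before the shellcode is built. This is an added example, not code from the iat_api repository: it assumes the hash is a 32-bit rotate-right-then-add over the ASCII bytes of the module name followed by the function name (the project's own hash.py defines the real scheme), and `build_test_pe()` constructs a minimal PE32 image with a hand-built import table purely as test data. It covers both the description above (walking the _IMAGE_IMPORT_DESCRIPTOR entries and hashing each import) and the caveat in the list: a function the PE does not import yields `None` here, where the assembly block would crash.

```python
import struct
import sys


def ror_hash(name, rotation=13):
    """Rotate-right-and-add hash over the ASCII bytes of `name` (32-bit).

    Assumed scheme for this example: hash(module name + function name).
    The project's hash.py defines the real one. `rotation` is a parameter
    because a different rotation changes every constant, which is what the
    README suggests for evading ROR13-based signatures.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> rotation) | (h << (32 - rotation))) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def find_import_by_hash(image, target, rotation=13):
    """Walk the import directory of a PE32/PE32+ image and return
    (dll, function, iat_slot_rva) for the first import whose hash equals
    `target`, or None when the PE does not import such a function.

    `image` may be a file read from disk (RVAs are mapped through the section
    headers) or a dump of the mapped image (the mapping is then the identity).
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    pe64 = struct.unpack_from("<H", image, opt)[0] == 0x20B
    ptr = 8 if pe64 else 4                                # thunk size
    # DataDirectory[1] (IMAGE_DIRECTORY_ENTRY_IMPORT): starts at 96 (PE32) / 112 (PE32+)
    import_rva = struct.unpack_from("<I", image, opt + (112 if pe64 else 96) + 8)[0]
    if not import_rva:
        return None                                       # no import table at all
    sec_hdr = e_lfanew + 24 + opt_size
    sections = [struct.unpack_from("<8sIIII", image, sec_hdr + 40 * i)[1:]
                for i in range(n_sections)]               # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)

    def off(rva):                                         # RVA -> offset into `image`
        for vsize, vaddr, rsize, raw in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + raw
        return rva                                        # inside the headers, or a mapped image

    def cstr(rva):
        start = off(rva)
        return image[start:image.index(b"\0", start)].decode("ascii")

    desc = off(import_rva)
    while True:                                           # one _IMAGE_IMPORT_DESCRIPTOR per DLL
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if not name_rva:
            break                                         # all-zero terminating descriptor
        dll = cstr(name_rva)
        base = off(oft or ft)     # no OriginalFirstThunk: the on-disk IAT still holds the name RVAs
        i = 0
        while True:
            entry = int.from_bytes(image[base + i * ptr:base + (i + 1) * ptr], "little")
            if not entry:
                break
            if not entry >> (ptr * 8 - 1):                # top bit set = import by ordinal, no name
                func = cstr(entry + 2)                    # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                if ror_hash(dll + func, rotation) == target:
                    return dll, func, ft + i * ptr        # the IAT slot the loader fills with the address
            i += 1
        desc += 20
    return None


def build_test_pe():
    """Constructed test data: a minimal PE32 image with one section at RVA 0x1000
    (also its file offset) importing two KERNEL32 functions and one USER32 function."""
    SEC_RVA = 0x1000
    sec = bytearray()

    def put(data):
        rva = SEC_RVA + len(sec)
        sec.extend(data)
        return rva

    imports = [("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA"]), ("USER32.dll", ["MessageBoxA"])]
    n_desc = len(imports) + 1                             # plus the null terminator
    desc_rva = put(b"\0" * (20 * n_desc))                 # reserved, patched below
    descs = []
    for dll, funcs in imports:
        name_rva = put(dll.encode() + b"\0")
        entries = [put(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]
        thunks = b"".join(struct.pack("<I", e) for e in entries) + b"\0" * 4
        int_rva = put(thunks)                             # OriginalFirstThunk array
        iat_rva = put(thunks)                             # FirstThunk array (unbound: same contents on disk)
        descs.append(struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva))
    sec[0:20 * len(descs)] = b"".join(descs)

    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, desc_rva, 20 * n_desc)  # DataDirectory[1] = import table
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), SEC_RVA, len(sec), SEC_RVA,
                          0, 0, 0, 0, 0xC0000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                   # e_lfanew
    img = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    img.extend(b"\0" * (SEC_RVA - len(img)))
    img.extend(sec)
    return bytes(img)


if __name__ == "__main__":
    # Usage: python iat_lookup.py <pe file> <DLL name> <function name>
    data = open(sys.argv[1], "rb").read()
    print(find_import_by_hash(data, ror_hash(sys.argv[2] + sys.argv[3])))
```

Run it against the real target binary with the DLL and function the shellcode needs; a `None` result means the block would have nothing to call and would crash. Note that the returned value is the RVA of the IAT slot: on disk that slot still holds the name RVA, while in the running process it holds the function's address, which is what the assembly block reads and CALLs.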

Example

Here is an example MessageBox shellcode using iat_api:

[screenshot: MessageBox example]

Here is a 64-bit example MessageBox shellcode using iat_api:

[screenshot: 64-bit MessageBox example]
