Skip to content

28Zaaky/IAT-Hooking

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.gitignore
.gitignore
 
 
IAThook.h
IAThook.h
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
example.cpp
example.cpp
 
 

Repository files navigation

IAT Hooking Library

Lightweight Windows function hooking by modifying the Import Address Table (IAT) directly in memory.
No external dependencies like Microsoft Detours required.

Concept

The IAT stores addresses of functions imported from DLLs.
This library replaces original function addresses with your custom functions by patching the IAT in memory.

How It Works

  1. Get the module base address
  2. Parse the PE headers
  3. Locate the Import Directory
  4. Iterate over IMAGE_IMPORT_DESCRIPTOR entries
  5. Identify the target DLL
  6. Traverse function import entries
  7. Match the target function name
  8. Patch the IAT if there is a match

Key Features

  • Single-header implementation – Easy integration
  • No runtime dependencies – Works with any Windows C/C++ compiler
  • Process-specific hooks – Only affects the current process
  • Reversible – Original functions can be restored
  • Educational – Demonstrates Windows PE internals

Technical Details

The library uses VirtualProtect() to:

  1. Temporarily change IAT memory permissions from read-only to writable
  2. Replace function pointers
  3. Restore the original protection flags

License

MIT License — Free for educational, personal, and commercial use.

About

Single-header Windows library for function hooking by modifying the Import Address Table directly in memory. No external dependencies.

Topics

rootkit winapi malware-development iat-hooking usermode

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages