IAT隐藏技术详解<\/h1>

1. IAT基础概念<\/h2>
导入地址表(IAT, Import Address Table)是PE文件结构中用于存储程序依赖的外部DLL函数地址的数据结构。当程序运行时，Windows加载器会填充IAT中的地址，使程序能够调用这些外部函数。<\/p>

1.1 为什么需要隐藏IAT<\/h3>

杀毒软件通常会扫描程序的IAT，查找可疑的API函数调用，如：<\/p>

Kernel32.dll<\/code>中的CreateRemoteThread<\/code><\/li>
VirtualAllocEx<\/code><\/li>

其他与进程注入、内存操作相关的函数<\/li>
<\/ul>
隐藏IAT可以降低程序被识别为恶意软件的概率。<\/p>
2. 动态调用技术<\/h2>
2.1 基本动态调用方法<\/h3>
使用LoadLibrary<\/code>和GetProcAddress<\/code>动态加载函数：<\/p>
typedef<\/span> BOOL<\/span> (WINAPI *<\/span>pVirtualAllocEx)(
<\/span><\/span>    HANDLE hProcess,
<\/span><\/span>    LPVOID lpAddress,
<\/span><\/span>    SIZE_T dwSize,
<\/span><\/span>    DWORD flAllocationType,
<\/span><\/span>    DWORD flProtect
<\/span><\/span>);
<\/span><\/span>
<\/span><\/span>pVirtualAllocEx myVirtualAllocEx =<\/span> (pVirtualAllocEx)GetProcAddress(
<\/span><\/span>    GetModuleHandleA("KERNEL32.DLL"<\/span>), 
<\/span><\/span>    "VirtualAllocEx"<\/span>
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>这种方法存在两个问题：<\/p>

API函数名称字符串("VirtualAllocEx")会出现在程序中<\/li>
引入了新的敏感函数GetProcAddress<\/code>和GetModuleHandleA<\/code><\/li>
<\/ol>
2.2 解决函数名字符串问题<\/h3>
方法1：使用局部字符数组<\/h4>
char<\/span> str1[] =<\/span> {'V'<\/span>,'i'<\/span>,'r'<\/span>,'t'<\/span>,'u'<\/span>,'a'<\/span>,'l'<\/span>,'A'<\/span>,'l'<\/span>,'l'<\/span>,'o'<\/span>,'c'<\/span>,'E'<\/span>,'x'<\/span>,'\0'<\/span>};
<\/span><\/span>pVirtualAllocEx myVirtualAllocEx =<\/span> (pVirtualAllocEx)GetProcAddress(
<\/span><\/span>    GetModuleHandleA("KERNEL32.DLL"<\/span>), 
<\/span><\/span>    str1
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>注意<\/strong>：必须使用局部变量，全局变量无效。<\/p>
方法2：字符串加密<\/h4>
可以对API名称字符串进行加密，运行时解密后再使用。<\/p>
3. 自实现GetProcAddress<\/h2>
3.1 原理分析<\/h3>
GetProcAddress<\/code>的功能是通过遍历DLL的导出表，根据函数名找到对应的函数地址。我们可以自己实现这个过程。<\/p>
3.2 获取导出表<\/h3>
void<\/span> getExportTable<\/span>(HMODULE module, PIMAGE_EXPORT_DIRECTORY*<\/span> exportTable) {
<\/span><\/span>    PIMAGE_DOS_HEADER pDosHeader =<\/span> (PIMAGE_DOS_HEADER)module;
<\/span><\/span>    PIMAGE_NT_HEADERS pNtHeader =<\/span> (PIMAGE_NT_HEADERS)((DWORD64)module +<\/span> pDosHeader-><\/span>e_lfanew);
<\/span><\/span>    IMAGE_DATA_DIRECTORY dataDir =<\/span> (IMAGE_DATA_DIRECTORY)pNtHeader-><\/span>OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
<\/span><\/span>    *<\/span>exportTable =<\/span> (PIMAGE_EXPORT_DIRECTORY)((DWORD64)module +<\/span> dataDir.VirtualAddress);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 遍历导出表获取函数地址<\/h3>
FARPROC myGetProcAddr<\/span>(HMODULE module, PIMAGE_EXPORT_DIRECTORY exportTable, LPCSTR funcName) {
<\/span><\/span>    PDWORD NameArray =<\/span> (PDWORD)((DWORD64)module +<\/span> exportTable-><\/span>AddressOfNames);
<\/span><\/span>    PDWORD AddressArray =<\/span> (PDWORD)((DWORD64)module +<\/span> exportTable-><\/span>AddressOfFunctions);
<\/span><\/span>    PWORD OrdinalArray =<\/span> (PWORD)((DWORD64)module +<\/span> exportTable-><\/span>AddressOfNameOrdinals);
<\/span><\/span>    
<\/span><\/span>    for<\/span>(SIZE_T i =<\/span> 0<\/span>; i <<\/span> exportTable-><\/span>NumberOfNames; i++<\/span>) {
<\/span><\/span>        LPCSTR currentName =<\/span> (LPCSTR)((DWORD64)module +<\/span> NameArray[i]);
<\/span><\/span>        if<\/span>(strcmp(funcName, currentName) ==<\/span> 0<\/span>) {
<\/span><\/span>            return<\/span> (FARPROC)((DWORD64)module +<\/span> AddressArray[OrdinalArray[i]]);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 自实现GetModuleHandle<\/h2>
4.1 PEB结构概述<\/h3>
进程环境块(PEB)包含三个链表，描述同一组模块但顺序不同：<\/p>

InLoadOrderModuleList<\/code> - 按加载顺序排列<\/li>
InMemoryOrderModuleList<\/code> - 按内存顺序排列<\/li>
InInitializationOrderModuleList<\/code> - 按初始化顺序排列<\/li>
<\/ol>
4.2 关键结构定义<\/h3>
typedef<\/span> struct<\/span> _UNICODE_STRING {
<\/span><\/span>    USHORT Length;
<\/span><\/span>    USHORT MaximumLength;
<\/span><\/span>    PWSTR Buffer;
<\/span><\/span>} UNICODE_STRING, *<\/span>PUNICODE_STRING;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _PEB_LDR_DATA {
<\/span><\/span>    ULONG Length;
<\/span><\/span>    BOOLEAN Initialized;
<\/span><\/span>    PVOID SsHandle;
<\/span><\/span>    LIST_ENTRY InLoadOrderModuleList;
<\/span><\/span>    LIST_ENTRY InMemoryOrderModuleList;
<\/span><\/span>    LIST_ENTRY InInitializationOrderModuleList;
<\/span><\/span>} PEB_LDR_DATA, *<\/span>PPEB_LDR_DATA;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _PEB {
<\/span><\/span>    BOOLEAN InheritedAddressSpace;
<\/span><\/span>    BOOLEAN ReadImageFileExecOptions;
<\/span><\/span>    BOOLEAN BeingDebugged;
<\/span><\/span>    BOOLEAN Spare;
<\/span><\/span>    HANDLE Mutant;
<\/span><\/span>    PVOID ImageBaseAddress;
<\/span><\/span>    PPEB_LDR_DATA LoaderData;
<\/span><\/span>    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
<\/span><\/span>    \/\/ ... 其他成员省略
<\/span><\/span><\/span><\/span>} PEB, *<\/span>PPEB;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _LDR_DATA_TABLE_ENTRY {
<\/span><\/span>    LIST_ENTRY InLoadOrderLinks;
<\/span><\/span>    LIST_ENTRY InMemoryOrderLinks;
<\/span><\/span>    LIST_ENTRY InInitializationOrderLinks;
<\/span><\/span>    PVOID DllBase;
<\/span><\/span>    \/\/ ... 其他成员省略
<\/span><\/span><\/span><\/span>    UNICODE_STRING FullDllName;
<\/span><\/span>    UNICODE_STRING BaseDllName;
<\/span><\/span>    \/\/ ... 其他成员省略
<\/span><\/span><\/span><\/span>} LDR_DATA_TABLE_ENTRY, *<\/span>PLDR_DATA_TABLE_ENTRY;
<\/span><\/span><\/code><\/pre>4.3 实现代码<\/h3>
通过遍历PEB中的模块链表来获取模块基址：<\/p>
HMODULE myGetModuleHandle<\/span>(LPCWSTR moduleName) {
<\/span><\/span>#ifdef _WIN64
<\/span><\/span><\/span><\/span>    PPEB peb =<\/span> (PPEB)__readgsqword(0x60<\/span>);
<\/span><\/span>#else
<\/span><\/span><\/span><\/span>    PPEB peb =<\/span> (PPEB)__readfsdword(0x30<\/span>);
<\/span><\/span>#endif
<\/span><\/span><\/span><\/span>
<\/span><\/span>    PPEB_LDR_DATA ldr =<\/span> peb-><\/span>LoaderData;
<\/span><\/span>    PLIST_ENTRY listEntry =<\/span> ldr-><\/span>InLoadOrderModuleList.Flink;
<\/span><\/span>    
<\/span><\/span>    while<\/span>(listEntry !=<\/span> &<\/span>ldr-><\/span>InLoadOrderModuleList) {
<\/span><\/span>        PLDR_DATA_TABLE_ENTRY entry =<\/span> CONTAINING_RECORD(listEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
<\/span><\/span>        
<\/span><\/span>        if<\/span>(_wcsicmp(entry-><\/span>BaseDllName.Buffer, moduleName) ==<\/span> 0<\/span>) {
<\/span><\/span>            return<\/span> (HMODULE)entry-><\/span>DllBase;
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        listEntry =<\/span> listEntry-><\/span>Flink;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 完整解决方案<\/h2>
结合上述技术，完整的IAT隐藏方案如下：<\/p>
\/\/ 1. 自实现GetModuleHandle
<\/span><\/span><\/span><\/span>HMODULE myGetModuleHandle<\/span>(LPCWSTR moduleName) {
<\/span><\/span>    \/\/ 实现同上
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 2. 自实现GetProcAddress
<\/span><\/span><\/span><\/span>FARPROC myGetProcAddress<\/span>(HMODULE module, LPCSTR funcName) {
<\/span><\/span>    PIMAGE_EXPORT_DIRECTORY exportTable;
<\/span><\/span>    getExportTable(module, &<\/span>exportTable);
<\/span><\/span>    return<\/span> myGetProcAddr(module, exportTable, funcName);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 3. 安全调用敏感API
<\/span><\/span><\/span><\/span>void<\/span> safeCall<\/span>() {
<\/span><\/span>    \/\/ 使用局部字符数组隐藏API名称
<\/span><\/span><\/span><\/span>    char<\/span> virtualAllocExName[] =<\/span> {'V'<\/span>,'i'<\/span>,'r'<\/span>,'t'<\/span>,'u'<\/span>,'a'<\/span>,'l'<\/span>,'A'<\/span>,'l'<\/span>,'l'<\/span>,'o'<\/span>,'c'<\/span>,'E'<\/span>,'x'<\/span>,'\0'<\/span>};
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取模块句柄
<\/span><\/span><\/span><\/span>    HMODULE hKernel32 =<\/span> myGetModuleHandle(L<\/span>"KERNEL32.DLL"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取函数地址
<\/span><\/span><\/span><\/span>    pVirtualAllocEx myVirtualAllocEx =<\/span> (pVirtualAllocEx)myGetProcAddress(
<\/span><\/span>        hKernel32, 
<\/span><\/span>        virtualAllocExName
<\/span><\/span>    );
<\/span><\/span>    
<\/span><\/span>    \/\/ 使用获取的函数
<\/span><\/span><\/span><\/span>    if<\/span>(myVirtualAllocEx) {
<\/span><\/span>        \/\/ 调用函数...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 进阶技巧<\/h2>
6.1 哈希比较替代字符串比较<\/h3>
在遍历导出表时，可以使用哈希比较替代字符串比较，进一步隐藏API名称：<\/p>
DWORD calcHash<\/span>(LPCSTR str) {
<\/span><\/span>    DWORD hash =<\/span> 0<\/span>;
<\/span><\/span>    while<\/span>(*<\/span>str) {
<\/span><\/span>        hash =<\/span> ((hash <<<\/span> 5<\/span>) +<\/span> hash) +<\/span> *<\/span>str++<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> hash;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 在遍历导出表时比较哈希值而非字符串
<\/span><\/span><\/span><\/span>if<\/span>(calcHash(funcName) ==<\/span> calcHash(currentName)) {
<\/span><\/span>    \/\/ 匹配成功
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>6.2 延迟加载<\/h3>
将敏感API的加载推迟到实际需要使用时，减少程序启动时的可疑行为。<\/p>
6.3 API调用混淆<\/h3>
在调用获取的API时，可以使用间接调用或插入无意义指令来混淆调用模式。<\/p>
7. 注意事项<\/h2>

不同Windows版本PEB结构可能有差异，需要做好兼容性处理<\/li>
32位和64位程序的结构偏移量不同，需要分别处理<\/li>
某些安全产品会监控PEB操作，过度操作可能引起怀疑<\/li>
在实现过程中要注意错误处理，避免因模块未加载等情况导致崩溃<\/li>
<\/ol>
通过以上技术，可以有效隐藏程序的IAT信息，降低被安全产品检测到的概率。但需要注意，这只是一项基础技术，现代安全产品会使用多种检测手段，实际应用中可能需要结合其他技术共同使用。<\/p>

IAT隐藏技术详解<\/h1>

1. IAT基础概念<\/h2> 导入地址表(IAT, Import Address Table)是PE文件结构中用于存储程序依赖的外部DLL函数地址的数据结构。当程序运行时，Windows加载器会填充IAT中的地址，使程序能够调用这些外部函数。<\/p>

2. 动态调用技术<\/h2>

2.2 解决函数名字符串问题<\/h3>

3. 自实现GetProcAddress<\/h2>

3.1 原理分析<\/h3> GetProcAddress<\/code>的功能是通过遍历DLL的导出表，根据函数名找到对应的函数地址。我们可以自己实现这个过程。<\/p>

4. 自实现GetModuleHandle<\/h2>

6. 进阶技巧<\/h2>

6.2 延迟加载<\/h3> 将敏感API的加载推迟到实际需要使用时，减少程序启动时的可疑行为。<\/p>

6.3 API调用混淆<\/h3> 在调用获取的API时，可以使用间接调用或插入无意义指令来混淆调用模式。<\/p>

1. IAT基础概念<\/h2>
导入地址表(IAT, Import Address Table)是PE文件结构中用于存储程序依赖的外部DLL函数地址的数据结构。当程序运行时，Windows加载器会填充IAT中的地址，使程序能够调用这些外部函数。<\/p>

3.1 原理分析<\/h3>
`GetProcAddress<\/code>的功能是通过遍历DLL的导出表，根据函数名找到对应的函数地址。我们可以自己实现这个过程。<\/p>`

6.2 延迟加载<\/h3>
将敏感API的加载推迟到实际需要使用时，减少程序启动时的可疑行为。<\/p>

6.3 API调用混淆<\/h3>
在调用获取的API时，可以使用间接调用或插入无意义指令来混淆调用模式。<\/p>