Windows API Import Address Table
I. Understanding the Import Address Table (IAT)
The IAT is a data structure in Portable Executable (PE) files used by Windows operating systems to manage imported functions from dynamic-link libraries (DLLs). When a program is loaded into memory, the loader resolves the addresses of the imported functions and populates the IAT with these addresses.
For all windows programs the windows API's associated DLL's are included in the import table by default. However when using certain suspicious functions such as VirtualAllocEx or CreateRemoteThread the EDR marks this as suspicious.
EDR Bypass Techniques
- API Redirection: By manipulating the IAT, a malware developer can redirect the API calls to a custom implementation that bypasses the EDR's monitoring.
- Dynamic Import: Malware can delay the loading of a suspicious DLL or the resolution of an API function until the EDR has been disabled or bypassed.
- IAT Obfuscation: Scrambling or encrypting the IAT can make it harder for EDRs to analyze the PE file or detect the hooked functions.
Why use Dynamic Improrting
EDR's often look at the IAT for suspicious imports, this information is then used to make educated guess of the function of a piece of software. As malware manufactures have found a way of using functions in DLL's without them being included in the IAT. This is called dynamic imports, this is achieved by loading the dll into the program during execution and then accessing the addresses of the functions using GetProcAddress().
However, EDRs have already developed countermeasures to detect dynamic imports, making it less effective over time. Malware developers are now incorporating multiple techniques such as direct syscalls and WINAPI hashing to get around these new detections.
Example of Dynamic Import
Dynamic linking is the process of importing libraries at runtime allowing the program to use a function without it appearing in the IAT.
This allows suspicious WINAPI calls to not appear in the IAT for the EDR to question.
HMODULE hNtdll = LoadLibrary(TEXT("ntdll.dll"));
This code uses loadLibrary to load the library ntdll into the program at runtime. It then gives us a handle to that library called hNTDLL.
pNtOpenProcess NtOpenProcess = (pNtOpenProcess)GetProcAddress(hNtdll, "NtOpenProcess"); pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory"); pNtWriteVirtualMemory NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory"); pNtProtectVirtualMemory NtProtectVirtualMemory = (pNtProtectVirtualMemory)GetProcAddress(hNtdll, "NtProtectVirtualMemory"); pNtCreateThreadEx NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx");
This section of code then uses GetProcAddress function to obtain the addresses of the functions that are needed relative to the hNTDLL handle.
We now have everything we need to use these functions however to make them usable as normal functions (HANDLE handle = pNtOpenProcess() etc) we must declare the function pointers.
// Declare function pointers for dynamically loaded WinAPI functions typedef NTSTATUS(NTAPI *pNtOpenProcess)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID); typedef NTSTATUS(NTAPI *pNtAllocateVirtualMemory)(HANDLE, PVOID *, ULONG_PTR, PSIZE_T, ULONG, ULONG); typedef NTSTATUS(NTAPI *pNtWriteVirtualMemory)(HANDLE, PVOID, CONST PVOID, SIZE_T, PSIZE_T); typedef NTSTATUS(NTAPI *pNtProtectVirtualMemory)(HANDLE, PVOID *, PSIZE_T, ULONG, PULONG); typedef NTSTATUS(NTAPI *pNtCreateThreadEx)(PHANDLE, ACCESS_MASK, PVOID, HANDLE, PVOID, PVOID, ULONG, SIZE_T, SIZE_T, SIZE_T, PVOID);
These functions can now be used throughout the rest of the code without them appearing in the IAT to begin with. However, this is a poor mans implementation and new EDR's can easily detect this approach. The idea however is to take this idea and incorporating multiple other techniques together to achieve undetectable malware.
Conclusion
In conclusion, the Import Address Table (IAT) can be leveraged by malware developers to bypass Endpoint Detection and Response (EDR) systems through IAT manipulation. To evade EDRs, malware developers can use various IAT manipulation techniques, dynamic import, and IAT obfuscation. However, there are limitations to IAT manipulation, and EDRs have developed countermeasures to detect such attacks. Nevertheless, understanding the IAT and its vulnerabilities is crucial for effective malware creation and prevention.