From a57491f2b647cc81108a8cfaea672fc8c7e1472b Mon Sep 17 00:00:00 2001
From: Seliaste
Date: Wed, 25 Mar 2026 15:16:51 +0100
Subject: [PATCH] Fixed patcher rewriting non-adress calls
---
 iat.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/iat.py b/iat.py
index 36f47c5..e153fe4 100644
--- a/iat.py
+++ b/iat.py
@@ -28,9 +28,7 @@ def get_used_functions_from_dll(dllname, calls):
 return res
-def patch_call_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: int):
- base = pe.imagebase
- instruction_offset = int(call["adress"], 16) - base
+def patch_direct_adress_call(pe: lief.PE.Binary, rva: int, instruction_offset: int):
 # We can manually patch the instruction here: FF 15 08 10 00 01 represents `call [0x01001080]`
 adress_size = 4 if pe.abstract.header.is_32 else 8
 is_little_endian = pe.abstract.header.endianness == lief.Header.ENDIANNESS.LITTLE
@@ -48,6 +46,14 @@ def patch_call_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: i
 )
+def patch_call_to_new_IAT_entry(pe: lief.PE.Binary, call: dict[str, str], rva: int):
+ base = pe.imagebase
+ instruction_offset = int(call["adress"], 16) - base
+ memview = pe.get_content_from_virtual_address(instruction_offset,2)
+ if([memview[0],memview[1]] == [0xFF,0x15]):
+ patch_direct_adress_call(pe,rva, instruction_offset)
+
+
 def patch_calls_to_new_IAT(
 pe: lief.PE.Binary, imp: lief.PE.Import, entry: lief.PE.ImportEntry, rva: int
 ):
@@ -79,7 +85,7 @@ entrypoint_format = int(hex(wave_entry)[-4:], 16)
 pe.optional_header.addressof_entrypoint = entrypoint_format
 # remove all current imports
-# pe.remove_all_imports()
+pe.remove_all_imports()
 # recreate all DLL imports
 for dll in get_used_dlls(calls):
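Review bot: `adress_size = 4 if pe.abstract.header.is_32 else 8` in the new `patch_direct_adress_call` treats the operand after `FF 15` as a pointer-sized absolute address, which only holds for 32-bit code; on x86-64 the same opcode takes a 4-byte RIP-relative displacement. The rest of the body lies outside this hunk, so this is inferred, but if it writes `adress_size` bytes of an absolute address after the opcode, a 64-bit image would get the first bytes of the following instruction overwritten. For the 64-bit case the operand would need to be a 32-bit displacement, presumably `rva - (instruction_offset + 6)` if `rva` is the new IAT slot's RVA, or 64-bit inputs should be rejected until that is handled. The helper also lacks a docstring saying that `instruction_offset` already has the image base subtracted and that the caller must have confirmed the `FF 15` opcode; the example bytes in the existing comment decode to `0x01001008`, not `0x01001080`.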
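Review bot: `memview[0]` and `memview[1]` in the new `patch_call_to_new_IAT_entry` are indexed without checking that two bytes were actually returned, so a logged call address that does not map to section content would presumably raise `IndexError` and abort the whole rebuild. Comparing a slice tolerates a short read and avoids building two lists: `if bytes(memview[:2]) == b"\xff\x15":`. Call sites with any other encoding are now skipped silently; an `else:` branch that logs `call["adress"]` would record which references were left untouched. The value passed to `get_content_from_virtual_address` already has the image base subtracted, so the read depends on how LIEF interprets an address below the image base, which deserves a one-line comment.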
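Review bot: Re-enabling `pe.remove_all_imports()` comes with no guard for the call sites the patcher now leaves alone: after this commit only `FF 15` sites are rewritten, so any other instruction that referenced the old import table presumably still points at entries that no longer exist in the output. The rebuild loop that follows runs past the end of this hunk, so whether it compensates is not visible here. At minimum add a comment above the call such as `# NOTE: only FF 15 call sites are re-pointed; other references to the old IAT are not fixed up`, and consider warning or failing when any recorded call was skipped.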