IAT binding is loading new libs?

Question

IAT binding is loading new libs?

Closed this issue 3 months ago · 2 comments

It seems that is only binding well functions of libs already loaded.

Answer 1 · 2024-10-07T08:32:48.000Z

Here there are kernel32 and ntdll addreses binded, but not the comctl32 one:

225 0x14000c0ba: jmp   qword ptr [14001F7E8h]
/!\ changing RIP to kernel32_rdata 
** 225 kernel32!InitializeCriticalSection ptr: 0x1400211e0 
226 0x140001079: call  000000014000B538h
227 0x14000b538: sub   rsp,28h
228 0x14000b53c: xor   edx,edx
229 0x14000b53e: lea   rcx,[rsp+30h]
230 0x14000b543: lea   r8d,[rdx+8]
231 0x14000b547: call  0000000140007000h
232 0x140007000: jmp   qword ptr [14001F6A8h]
/!\ changing RIP to ntdll_text 
** 232 ntdll!memset ptr: 0x14f488 byte: 0 count: 8 
233 0x14000b54c: lea   rcx,[rsp+30h]
234 0x14000b551: mov   dword ptr [rsp+30h],8
235 0x14000b559: mov   dword ptr [rsp+34h],0B48h
236 0x14000b561: call  qword ptr [14001FAE0h]
237 0x2041e: add   [rax],al
238 0x20420: add   [rax],al
239 0x20422: add   [rax],al
240 0x20424: add   [rax],al
241 0x20426: add   [rax],al
242 0x20428: add   [rax],al

ie sample: dropclue

Answer 2 · 2024-10-07T10:32:15.000Z

dll maps64//comctl32.dll not found.

the problem is simply that the lib comctl32.dll is not on maps64/ and cannot load it.