
I am learning to hook functions on Windows in C/C++.

I want to find the address of an imported function from the IAT (I am already able to do that and call the address I find as a function pointer) and replace the function's address in the Import Address Table with the address of my own function. (My own function only prints that it is being called and calls the original function.)

My problem is that I need to call VirtualProtect (my first encounter with it) on the memory location of the IAT in order to be able to write the address, and I am quite confused about what to give VirtualProtect as a parameter.

```c
DWORD first_thunk_data = get_thunk_data_from_IAT(...); // This finds the PIMAGE_THUNK_DATA
                  // record moved by the position of the function name in the OriginalThunk
bool v = VirtualProtect((LPVOID)first_thunk_data, 1, PAGE_EXECUTE_READWRITE,
                         malloc_lpflOldProtect);
```

This code always returns false in v and the error code is 998 (Invalid access to memory location).

The thunk data is parsed correctly and the original function is callable like this:

```c
DWORD function_address = *((DWORD *)first_thunk_data);
void*(*f_ptr)(int) = (void*(*)(int))function_address;
int * x = (int*) f_ptr(sizeof(int));
```

What is the correct argument of VirtualProtect? I believe the 1 I pass as the size is OK, because if I understand the documentation correctly, the affected protection flags belong to pages that have at least one byte in the range address to address+size.

Do I need any special permissions to change the protection flags?

Topper Harley
  • Windows already tells you: *Invalid access to memory location*. This means that `first_thunk_data` is wrong. Also, an address is not a `DWORD`; that is one more error of yours. Also, the protect size must be `sizeof(void*)`, not 1. – RbMm Oct 27 '18 at 18:10
  • Related [question](/questions/40606514/fill-in-dll-import-table-manually-image-import-descriptors-name-field-stores-0). – 1201ProgramAlarm Oct 27 '18 at 20:38
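
An added example, not part of the original question or its comments: the protect, write, restore sequence applied to one pointer-sized slot in a read-only page, using `sizeof` the slot as the size and a real variable for the old-protection output. The names `set_prot`, `patch_slot` and `demo` are hypothetical, the slot is a constructed stand-in for an IAT entry (no PE parsing is shown), and the non-Windows branch substitutes `mprotect` for `VirtualProtect` so the same file also runs off Windows.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
typedef DWORD prot_t;
enum { RO = PAGE_READONLY, RW = PAGE_READWRITE };
/* VirtualProtect rounds to pages itself; `old` must point to a real DWORD. */
static int set_prot(void *p, size_t n, prot_t want, prot_t *old) {
    return VirtualProtect(p, n, want, old) != 0;
}
#else
#include <sys/mman.h>
#include <unistd.h>
typedef int prot_t;
enum { RO = PROT_READ, RW = PROT_READ | PROT_WRITE };
/* POSIX stand-in (assumption): page-align by hand, old protection assumed RO. */
static int set_prot(void *p, size_t n, prot_t want, prot_t *old) {
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE), a = (uintptr_t)p & ~(pg - 1);
    *old = RO;
    return mprotect((void *)a, (uintptr_t)p + n - a, want) == 0;
}
#endif

/* Swap one pointer-sized slot; *prev gets the old target before the write. */
int patch_slot(uintptr_t *slot, uintptr_t repl, uintptr_t *prev) {
    prot_t old, ignored;
    if (!set_prot(slot, sizeof *slot, RW, &old)) return 0;
    *prev = *slot;
    *slot = repl;
    return set_prot(slot, sizeof *slot, old, &ignored);   /* restore */
}

typedef int (*fn_t)(int);
static uintptr_t saved;                        /* original target, set by patch_slot */
static int original(int x) { return x + 1; }
static int wrapper(int x) { return ((fn_t)saved)(x) * 10; }

int demo(void) {
    static uintptr_t buf[2 * 65536 / sizeof(uintptr_t)];   /* constructed stand-in for an IAT page */
    uintptr_t *slot = (uintptr_t *)(((uintptr_t)buf + 65535) & ~(uintptr_t)65535);
    prot_t ignored;
    if (!set_prot(slot, sizeof *slot, RW, &ignored)) return -1;
    *slot = (uintptr_t)original;
    if (!set_prot(slot, sizeof *slot, RO, &ignored)) return -1;  /* now read-only */
    if (!patch_slot(slot, (uintptr_t)wrapper, &saved)) return -2;
    return ((fn_t)*slot)(4);                   /* wrapper -> original: (4 + 1) * 10 */
}

int main(void) { return demo() == 50 ? 0 : 1; }
```

The slot is typed `uintptr_t` rather than `DWORD` so the stored address keeps its full width on 64-bit builds.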
