From 275e68137b9c9a94eb665b82667c34fdbc683c2b Mon Sep 17 00:00:00 2001
From: FunkyFr3sh
Date: Wed, 1 Nov 2023 12:16:22 +0100
Subject: [PATCH] tweak IAT hooker checks

---
 src/hook.c | 39 +++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 18 deletions(-)

diff --git a/src/hook.c b/src/hook.c
index 5b2500b..4173613 100644
--- a/src/hook.c
+++ b/src/hook.c
@@ -181,12 +181,14 @@ void hook_patch_obfuscated_iat_list(HMODULE hmod, BOOL unhook, HOOKLIST* hooks,
 if (nt_headers->Signature != IMAGE_NT_SIGNATURE)
 return;
 
- PIMAGE_IMPORT_DESCRIPTOR import_desc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)dos_header +
- (DWORD)(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
+ DWORD import_desc_rva = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
+ DWORD import_desc_size = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
 
- if (import_desc == (PIMAGE_IMPORT_DESCRIPTOR)nt_headers)
+ if (import_desc_rva == 0 || import_desc_size == 0)
 return;
 
+ PIMAGE_IMPORT_DESCRIPTOR import_desc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)dos_header + import_desc_rva);
+
 while (import_desc->FirstThunk)
 {
 if (!import_desc->Name)
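Review bot: The new guard tests `import_desc_size` only for zero, so a non-zero but out-of-range `import_desc_rva` is still added to `dos_header` and dereferenced at `while (import_desc->FirstThunk)`. Judging by the function name this path deals with obfuscated images, where header fields are least trustworthy, so I would also reject a directory that starts outside the mapped image: `if (import_desc_rva == 0 || import_desc_size == 0 || import_desc_rva >= nt_headers->OptionalHeader.SizeOfImage) return;`. The same guard is added in the hook_patch_iat_list and hook_got_ddraw_import hunks and would need the same extension. The loop body continues outside this hunk, so whether the descriptor walk is bounded elsewhere cannot be confirmed from here.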
@@ -301,12 +303,14 @@ void hook_patch_iat_list(HMODULE hmod, BOOL unhook, HOOKLIST* hooks, BOOL is_loc
 if (nt_headers->Signature != IMAGE_NT_SIGNATURE)
 return;
 
- PIMAGE_IMPORT_DESCRIPTOR import_desc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)dos_header +
- (DWORD)(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
+ DWORD import_desc_rva = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
+ DWORD import_desc_size = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
 
- if (import_desc == (PIMAGE_IMPORT_DESCRIPTOR)nt_headers)
+ if (import_desc_rva == 0 || import_desc_size == 0)
 return;
 
+ PIMAGE_IMPORT_DESCRIPTOR import_desc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)dos_header + import_desc_rva);
+
 while (import_desc->FirstThunk)
 {
 if (!import_desc->OriginalFirstThunk || !import_desc->Name)
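Review bot: The added `import_desc` line keeps the `(DWORD)dos_header` cast, which would truncate the module base if this file is ever compiled for a 64-bit target; byte-pointer arithmetic avoids that: `PIMAGE_IMPORT_DESCRIPTOR import_desc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)dos_header + import_desc_rva);`. The same expression appears in the hook_patch_obfuscated_iat_list and hook_got_ddraw_import hunks. A one-line comment above the guard, such as `/* no import directory in this module: nothing to patch */`, would also record why a zero RVA or size is a silent return. The function body starts and ends outside this hunk.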
@@ -416,25 +420,24 @@ BOOL hook_got_ddraw_import()
 if (nt_headers->Signature != IMAGE_NT_SIGNATURE)
 return FALSE;
 
- PIMAGE_IMPORT_DESCRIPTOR import_desc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)dos_header +
- (DWORD)(nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress));
+ DWORD import_desc_rva = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
+ DWORD import_desc_size = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
 
- if (import_desc == (PIMAGE_IMPORT_DESCRIPTOR)nt_headers)
+ if (import_desc_rva == 0 || import_desc_size == 0)
 return FALSE;
 
+ PIMAGE_IMPORT_DESCRIPTOR import_desc = (PIMAGE_IMPORT_DESCRIPTOR)((DWORD)dos_header + import_desc_rva);
+
 while (import_desc->FirstThunk)
 {
- if (!import_desc->Name)
+ if (import_desc->Name)
 {
- import_desc++;
- continue;
- }
+ char* imp_module_name = (char*)((DWORD)dos_header + import_desc->Name);
 
- char* imp_module_name = (char*)((DWORD)dos_header + import_desc->Name);
-
- if (_stricmp(imp_module_name, "ddraw.dll") == 0)
- {
- return TRUE;
+ if (_stricmp(imp_module_name, "ddraw.dll") == 0)
+ {
+ return TRUE;
+ }
 }
 
 import_desc++;
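Review bot: `imp_module_name` is built from `import_desc->Name` and handed to `_stricmp` without checking that the RVA falls inside the image, so a descriptor with a corrupt Name field makes the comparison read from an arbitrary address. The reworked condition could carry the check: `if (import_desc->Name && import_desc->Name < nt_headers->OptionalHeader.SizeOfImage)`. The restructured loop otherwise appears to keep the old behaviour, skipping entries without a name and still advancing `import_desc`. The function starts and ends outside this hunk.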