Bypass IAT hook on screen capture


I have recently been studying API hook methods, and my main object of study is now the IAT hook method, because I have discovered a security application where only this hook method was applied to protect against spyware.

Then, among the several features present in this security application, there is a screen-capture lock that usually results in a white screen capture. This is because the IAT hook method has overwritten, in the table, the address that points to the original function with a "fake function" that contains the code that locks screen capture.

So, I have read a lot about IAT hooks on the web, and found two websites that describe ways to bypass this hook method. They are:

iC0de.org, in an answer to an IAT hook source code.

and

MalwareTech, in a piece of text that explains IAT hooks.

The bypass method that caught my attention was the one that says to use the GetProcAddress function to get the real address of the original function.

So, for didactic purposes only, I want to know how I can use GetProcAddress for the screen-capture function below and finally bypass the IAT hook implemented in this security application:

uses Windows, Graphics, Forms;

procedure Print;
var
  DCDesk: HDC;
  bmp: TBitmap;
begin
  bmp := TBitmap.Create;
  try
    bmp.Height := Screen.Height;
    bmp.Width := Screen.Width;

    // Device context of the whole desktop; this is the call a screen-capture hook is expected to inspect
    DCDesk := GetWindowDC(GetDesktopWindow);
    try
      // Statically imported BitBlt: resolved through the IAT, so an IAT hook redirects this call
      BitBlt(bmp.Canvas.Handle, 0, 0, Screen.Width, Screen.Height, DCDesk, 0, 0, SRCCOPY);
    finally
      ReleaseDC(GetDesktopWindow, DCDesk);
    end;

    bmp.SaveToFile('ScreenShot.bmp');
  finally
    bmp.Free;
  end;
end;

Any suggestions are welcome.

500 - Internal Server Error On

If your "security application" really does use IAT hooking to prevent a screenshot from being taken, it would presumably be hooking BitBlt, and then only if the desktop DC is being used and/or the full screen area is being copied; otherwise all the normal "legit" uses of BitBlt would break as well. It seems unlikely that they would not have gone through the fairly trivial additional work it would take to also hook GetProcAddress to return the hooked version of BitBlt if you went that route.

In any case, an IAT hook will only prevent/alter functionality called from within the app itself, so using something like the Windows Snipping Tool or (Alt+)PrtScn would be unaffected by this.

If you suspect that they used IAT hooking and did not hook GetProcAddress as well, then it's just a matter of getting a BitBlt pointer from that and using it instead of the statically imported function pointer.
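As an added example (Delphi, `uses Windows`; not code from the question, the answer or the security application discussed), this is what the answer's suggestion looks like from the defending side: an IAT hook on the process's main module that blanks only BitBlt calls reading the desktop DC or spanning the whole screen, plus a GetProcAddress hook so that resolving BitBlt by name at run time also returns the hooked function. PatchIAT, HookedBitBlt, HookedGetProcAddress, InstallScreenCaptureGuard, TImportDescriptor and the desktop/full-screen heuristics are my own names and assumptions.

```delphi
type
  // Mirrors IMAGE_IMPORT_DESCRIPTOR (declared here rather than relying on the Windows unit's own declaration)
  TImportDescriptor = packed record OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk: DWORD; end;
  PImportDescriptor = ^TImportDescriptor;
var // original exports, resolved once before the IAT is patched
  RealBitBlt: function(DestDC: HDC; X, Y, W, H: Integer; SrcDC: HDC; XSrc, YSrc: Integer; Rop: DWORD): BOOL; stdcall;
  RealGetProcAddress: function(hModule: HMODULE; lpProcName: LPCSTR): FARPROC; stdcall;
// Overwrite every IAT slot of this process's main module (DLLs have their own IATs) that holds Target with Hook.
procedure PatchIAT(Target, Hook: Pointer);
var Base: PByte; Desc: PImportDescriptor; Slot: PPointer; Old: DWORD;
begin
  Base := PByte(GetModuleHandle(nil));
  Desc := PImportDescriptor(Base + PImageNtHeaders(Base + PImageDosHeader(Base)^._lfanew)^.
    OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  while Desc^.Name <> 0 do      // the descriptor array ends with an all-zero entry
  begin
    Slot := PPointer(Base + Desc^.FirstThunk);
    while Slot^ <> nil do       // each thunk array ends with a nil slot
    begin
      if (Slot^ = Target) and VirtualProtect(Slot, SizeOf(Pointer), PAGE_READWRITE, Old) then
      begin Slot^ := Hook; VirtualProtect(Slot, SizeOf(Pointer), Old, Old); end;
      Inc(Slot);
    end;
    Inc(Desc);
  end;
end;
// Blank only copies that read the desktop DC or span the whole screen (heuristic); every other BitBlt call passes through.
function HookedBitBlt(DestDC: HDC; X, Y, W, H: Integer; SrcDC: HDC; XSrc, YSrc: Integer; Rop: DWORD): BOOL; stdcall;
begin
  if (WindowFromDC(SrcDC) = GetDesktopWindow) or
     ((W >= GetSystemMetrics(SM_CXSCREEN)) and (H >= GetSystemMetrics(SM_CYSCREEN))) then
    Result := PatBlt(DestDC, X, Y, W, H, WHITENESS)
  else
    Result := RealBitBlt(DestDC, X, Y, W, H, SrcDC, XSrc, YSrc, Rop);
end;
// A by-name lookup of BitBlt returns the hook (ordinal lookups, lpProcName <= $FFFF, pass through unchanged).
function HookedGetProcAddress(hModule: HMODULE; lpProcName: LPCSTR): FARPROC; stdcall;
begin
  Result := RealGetProcAddress(hModule, lpProcName);
  if (NativeUInt(lpProcName) > $FFFF) and (lstrcmpiA(lpProcName, PAnsiChar('BitBlt')) = 0) then
    Result := @HookedBitBlt;
end;
procedure InstallScreenCaptureGuard;
begin
  @RealBitBlt := GetProcAddress(GetModuleHandle('gdi32.dll'), 'BitBlt');
  @RealGetProcAddress := GetProcAddress(GetModuleHandle('kernel32.dll'), 'GetProcAddress');
  PatchIAT(@RealBitBlt, @HookedBitBlt);
  PatchIAT(@RealGetProcAddress, @HookedGetProcAddress);
end;
```

Called once at startup, InstallScreenCaptureGuard makes the question's Print procedure produce a white bitmap whether it calls the imported BitBlt or one obtained through GetProcAddress, while leaving the out-of-process capture paths the answer mentions (Snipping Tool, PrtScn) untouched.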