Git Product home page Git Product logo

hooklib's Introduction

HookLib

The Win32 lightweight functions interception library

Advantages:

  • Written on pure C
  • Extremely lightweight
  • Based on the fastest and lightweight Zydis disassembler
  • Uses only NativeAPI functions
  • Has no other dependencies
  • Kernelmode support
  • Supports instructions relocation and thread's contexts fixup

⚙️ How it works:

TargetFunction():                                 ^ ; return
-> jmp Interceptor ------> Interceptor():         |
   ??? ; Broken bytes        ... Handler code ... |
   ... ; Continuation <--+   CallOriginal() ------|--> OriginalBeginning():
   ...         +---------|-> ...                  |      ... Original beginning ...
   ret --------+         |   ret -----------------+      ... of TargetFunction ...
                         +------------------------------ jmp Continuation

🧱 Trampolines:

Types:

  • E9 44 33 22 11 | jmp 0x11223344 - Relative jump to the +-2Gb
  • FF 25 00 00 00 00 88 77 66 55 44 33 22 11 | jmp [rip+00h] - Absolute jump to the address stored after the jmp as raw bytes (4 bytes in x32 and 8 bytes in x64)

x32:

  • jmp rel Interceptor only one

x64:

  • jmp rel Interceptor if Abs(Interceptor - Target) <= 2Gb
  • jmp rel Intermediate -> jmp abs Interceptor if Abs(Interceptor - Target) > 2Gb and we have free space for the intermediate trampoline buffer
  • jmp abs Interceptor if we have no free space for the intermediate buffer in +- 2Gb interval

🧵 Using:

Open the HookLib.sln and build it.
Add Zydis.lib, HookLib.lib and HookLib.h to your project.

#include <cstdio>

#include <Windows.h>

#include <HookLib.h>
#pragma comment(lib, "Zydis.lib")
#pragma comment(lib, "HookLib.lib")

using _ExitProcess = VOID(WINAPI*)(ULONG ExitCode);
_ExitProcess OriginalExitProcess = NULL;
VOID WINAPI ExitProcessHook(ULONG ExitCode)
{
    printf("ExitCode: %ul\r\n", ExitCode);
    RemoveHook(OriginalExitProcess);
    ExitProcess(0);
}

int main()
{
    PVOID Target = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "ExitProcess");
    SetHook(Target, ExitProcessHook, reinterpret_cast<PVOID*>(&OriginalExitProcess));
    ExitProcess(0);
    return 0;
}

hooklib's People

Contributors

hoshimin avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.