Posted December 11, 201410 yr Hi,guys Do you know any hook api library with its open source code ? I have tried mhook library,not quiet good with named 'RtlAllocateHeap' api. So I am wandering if you guys may know some better library that I can use it to hook that api. Currently I am re-coding a plugin,you may see it within Christmas Thanks in advance.
December 11, 201410 yr I personally use Detours 3.0 in most of my projects since it is free. The 32bit source code is included with the project as well. Some others are:https://github.com/TsudaKageyu/minhookhttps://code.google.com/p/ihook/http://newgre.net/ncodehook There are also a ton of homebrewed implementations you can find on various game hacking websites like UnknownCheats, MPGH, and so on.
December 11, 201410 yr Author Hi, atom0s Detours library use RtlAllocateheap api to allocate memory for a temp bridge to get orignal command for its hook routine. So it may cause stack overflow. ihook use malloc api to allocate,so it is the same situation as RtlAllocateheap do. Hope that minhook and ncodehook will be different. Thanks for your reply.
December 11, 201410 yr You could always adjust the code to use a different allocation API that would prevent that issue as well.
December 11, 201410 yr writing your own is easy....https://bitbucket.org/NtQuery/scyllahide/src/540ec6e2d29b9e9fd4355c7a9c7e3a1099da298a/HookLibrary/Hook.cpp?at=master
December 12, 201410 yr Author @atom0sem,currently I use VirtualAlloc to allocate a larger enough memory,write some self code for a temp use. not quiet perfect but good . @Aguila '0xE9 jmp' is not well for those special target,re-redirection command.I use '0x68' and '0xC3' for a temp hook.Thanks for your pieces of code, got some better overview.
December 12, 201410 yr I don't see any difference between E9 and 68, except that 68 needs one byte more.
December 12, 201410 yr ff 25 xx xx xx xx works nicely too, and stops some code that 'morphs' api code into its own.. like oh.. starforce and stuff...
December 12, 201410 yr ah you mean position independent jump code. yeh that is a small advantage, but typically people check for any api modifications.
December 13, 201410 yr Author @evlncrn8em, FF25 is very nice for my case, @Aguilayes, re-redirection is annoying part of its anti dump. For its second redirection command,it use memcpy api to copy the opcode.So if I use jmp code, it may point to somewhere unknown.That's the most bad thing of it.
December 13, 201410 yr In most cases anti-cheats / anti-tampers and such will check at least the first 5-6 bytes of an API to determine if its been altered. Since most API start with the same stub of:mov EDI, EDI,push EBPmov EBP, ESP That being said, sometimes you will need to do a mid-function hook instead to bypass the checks. Unless of course they take snapshots of the full API and its branches and do comparisons that way.It depends on how thorough the detections are.
December 13, 201410 yr Author @atomsthis situation happens after its all check thread started.My point is hook that api before all that thread.So that will not happen in my case.The code will restore all hooked api when some special routine done.
January 27, 20169 yr @atom0s Are you have Detours 3.0 full version? Edited February 4, 20169 yr by Perplex
January 28, 20169 yr @atom0s The free version has many limitations, Even the 32-bit version is limited. Quote Detours Express 3.0 is available for immediate download under a no-fee, click-through license for research, non-commercial, and non-production use. Detours Express is limited to 32-bit processes on x86 processors.
January 28, 20169 yr 1 minute ago, Perplex said: @atom0s The free version has many limitations, Even the 32-bit version is limited. For me, it fits my needs. I don't really do much with 64bit targets so it is not a concern of mine.
January 31, 20169 yr Usually I use hardware breakpoints in my injected libraries. Memory breakpoints also work but I never implemented it. Obviously this doesn't work if your target screws with hardware breakpoints. You can also place an int3 byte and do things that way. https://bitbucket.org/mrexodia/enigmahwid/src/b3eeee1772c369b1a37b7dfa68d5a4b7d9589ec0/main.cpp?at=master&fileviewer=file-view-default
Create an account or sign in to comment