Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Any api hook library ?

Featured Replies

Posted

Hi,guys


 


Do you know any hook api library with its open source code ?


 


I have tried mhook library,not quiet good with named 'RtlAllocateHeap' api.


 


So I am wandering if you guys may know some better library that I can use it to hook that api.


Currently I am re-coding a plugin,you may see it within Christmas :)


 


 


Thanks in advance.


I personally use Detours 3.0 in most of my projects since it is free. The 32bit source code is included with the project as well. 


 


Some others are:


https://github.com/TsudaKageyu/minhook


https://code.google.com/p/ihook/


http://newgre.net/ncodehook


 


There are also a ton of homebrewed implementations you can find on various game hacking websites like UnknownCheats, MPGH, and so on.

  • Author

Hi, atom0s


 


 


Detours library use RtlAllocateheap api to allocate memory for a temp bridge to get orignal command for its hook routine. So it may cause stack overflow.


 


ihook use malloc api to allocate,so it is the same situation as RtlAllocateheap do.


 


Hope that minhook and ncodehook will be different.   :)


Thanks for your reply.

You could always adjust the code to use a different allocation API that would prevent that issue as well.


  • Author

@atom0s


em,currently I use VirtualAlloc to allocate a larger enough memory,write some self code for a temp use. not quiet perfect but good .


 


@Aguila


 


'0xE9 jmp' is not well for those special target,re-redirection command.I use '0x68' and '0xC3' for a temp hook.


Thanks for your pieces of code, got some better overview.


I don't see any difference between E9 and 68, except that 68 needs one byte more.


ff 25 xx xx xx xx works nicely too, and stops some code that 'morphs' api code into its own.. like oh.. starforce and stuff...

ah you mean position independent jump code. yeh that is a small advantage, but typically people check for any api modifications.


  • Author

@evlncrn8


em, FF25 is very nice for my case,


 


@Aguila


yes, re-redirection is annoying part of its anti dump. For its second  redirection command,it use memcpy api to copy the opcode.


So if I use jmp code, it may point to somewhere unknown.That's the most bad thing of it.

In most cases anti-cheats / anti-tampers and such will check at least the first 5-6 bytes of an API to determine if its been altered. Since most API start with the same stub of:


mov EDI, EDI,


push EBP


mov EBP, ESP


 


That being said, sometimes you will need to do a mid-function hook instead to bypass the checks. Unless of course they take snapshots of the full API and its branches and do comparisons that way.


It depends on how thorough the detections are.


  • Author

@atoms


this situation happens after its all check thread started.


My point is hook that api before all that thread.So that will not happen in my case.


The code will restore all hooked api when some special routine done.

  • 1 year later...

@atom0s Are you have Detours 3.0 full version? 

Edited by Perplex

@atom0s The free version has many limitations, Even the 32-bit version is limited.

Quote

Detours Express 3.0 is available for immediate download under a no-fee, click-through license for research, non-commercial, and non-production use.  Detours Express is limited to 32-bit processes on x86 processors.

 

1 minute ago, Perplex said:

@atom0s The free version has many limitations, Even the 32-bit version is limited.

 

For me, it fits my needs. I don't really do much with 64bit targets so it is not a concern of mine.

Usually I use hardware breakpoints in my injected libraries. Memory breakpoints also work but I never implemented it. Obviously this doesn't work if your target screws with hardware breakpoints. You can also place an int3 byte and do things that way.

https://bitbucket.org/mrexodia/enigmahwid/src/b3eeee1772c369b1a37b7dfa68d5a4b7d9589ec0/main.cpp?at=master&fileviewer=file-view-default

Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.