Jump to content
Tuts 4 You

Any api hook library ?

White

By White
in Programming and Coding

Recommended Posts

White

White

Posted
Posted

Hi,guys


 


Do you know any hook api library with its open source code ?


 


I have tried mhook library,not quiet good with named 'RtlAllocateHeap' api.


 


So I am wandering if you guys may know some better library that I can use it to hook that api.


Currently I am re-coding a plugin,you may see it within Christmas :)


 


 


Thanks in advance.


White

White

Posted
  • Author
Posted

Hi, atom0s


 


 


Detours library use RtlAllocateheap api to allocate memory for a temp bridge to get orignal command for its hook routine. So it may cause stack overflow.


 


ihook use malloc api to allocate,so it is the same situation as RtlAllocateheap do.


 


Hope that minhook and ncodehook will be different.   :)


Thanks for your reply.

atom0s

atom0s

Posted
Posted

You could always adjust the code to use a different allocation API that would prevent that issue as well.


White

White

Posted
  • Author
Posted

@atom0s


em,currently I use VirtualAlloc to allocate a larger enough memory,write some self code for a temp use. not quiet perfect but good .


 


@Aguila


 


'0xE9 jmp' is not well for those special target,re-redirection command.I use '0x68' and '0xC3' for a temp hook.


Thanks for your pieces of code, got some better overview.


Aguila

Aguila

Posted
Posted

I don't see any difference between E9 and 68, except that 68 needs one byte more.


evlncrn8

evlncrn8

Posted
Posted

ff 25 xx xx xx xx works nicely too, and stops some code that 'morphs' api code into its own.. like oh.. starforce and stuff...

Aguila

Aguila

Posted
Posted

ah you mean position independent jump code. yeh that is a small advantage, but typically people check for any api modifications.


White

White

Posted
  • Author
Posted

@evlncrn8


em, FF25 is very nice for my case,


 


@Aguila


yes, re-redirection is annoying part of its anti dump. For its second  redirection command,it use memcpy api to copy the opcode.


So if I use jmp code, it may point to somewhere unknown.That's the most bad thing of it.

atom0s

atom0s

Posted
Posted

In most cases anti-cheats / anti-tampers and such will check at least the first 5-6 bytes of an API to determine if its been altered. Since most API start with the same stub of:


mov EDI, EDI,


push EBP


mov EBP, ESP


 


That being said, sometimes you will need to do a mid-function hook instead to bypass the checks. Unless of course they take snapshots of the full API and its branches and do comparisons that way.


It depends on how thorough the detections are.


White

White

Posted
  • Author
Posted

@atoms


this situation happens after its all check thread started.


My point is hook that api before all that thread.So that will not happen in my case.


The code will restore all hooked api when some special routine done.

  • 1 year later...
Perplex

Perplex

Posted
Posted (edited)

@atom0s Are you have Detours 3.0 full version? 

Edited by Perplex
Perplex

Perplex

Posted
Posted

@atom0s The free version has many limitations, Even the 32-bit version is limited.

Quote

Detours Express 3.0 is available for immediate download under a no-fee, click-through license for research, non-commercial, and non-production use.  Detours Express is limited to 32-bit processes on x86 processors.

 

atom0s

atom0s

Posted
Posted
1 minute ago, Perplex said:

@atom0s The free version has many limitations, Even the 32-bit version is limited.

 

For me, it fits my needs. I don't really do much with 64bit targets so it is not a concern of mine.

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...