├── LICENSE
├── README.md
├── Ring 3
├── Detours Explorer CreateProc
│ ├── Detours Explorer CreateProc.sln
│ ├── Detours Explorer CreateProc.v12.suo
│ └── Detours Explorer CreateProc
│ │ ├── Detours Explorer CreateProc.vcxproj
│ │ ├── Detours Explorer CreateProc.vcxproj.filters
│ │ ├── Detours_x64.cpp
│ │ ├── Detours_x64.h
│ │ └── main.cpp
├── Detours Hook x64
│ ├── Detours Hook x64.sln
│ ├── Detours Hook x64.v12.suo
│ └── Detours Hook x64
│ │ ├── Detours Hook x64.vcxproj
│ │ ├── Detours Hook x64.vcxproj.filters
│ │ ├── Detours Hook x64.vcxproj.user
│ │ ├── Detours_x64.cpp
│ │ ├── Detours_x64.h
│ │ └── main.cpp
├── Detours Hook x86
│ ├── Detours Hook x86.sln
│ ├── Detours Hook x86.v12.suo
│ └── Detours Hook x86
│ │ ├── Detours Hook x86.vcxproj
│ │ ├── Detours Hook x86.vcxproj.filters
│ │ ├── Detours Hook x86.vcxproj.user
│ │ ├── Detours_x86.cpp
│ │ ├── Detours_x86.h
│ │ └── main.cpp
├── EAT Hook
│ ├── EAT Hook.sln
│ ├── EAT Hook.v12.suo
│ └── EAT Hook
│ │ ├── EAT Hook.vcxproj
│ │ ├── EAT Hook.vcxproj.filters
│ │ ├── EAT.cpp
│ │ ├── EAT.h
│ │ └── main.cpp
├── IAT Hook
│ ├── IAT Hook.sln
│ ├── IAT Hook.v12.suo
│ └── IAT Hook
│ │ ├── IAT Hook.vcxproj
│ │ ├── IAT Hook.vcxproj.filters
│ │ ├── IAT Hook.vcxproj.user
│ │ ├── IAT.cpp
│ │ ├── IAT.h
│ │ └── main.cpp
├── Injector
│ ├── Injector.sln
│ ├── Injector.v12.suo
│ └── Injector
│ │ ├── Injector.vcxproj
│ │ ├── Injector.vcxproj.filters
│ │ └── main.cpp
├── TestApp EAT
│ ├── TestApp.sln
│ ├── TestApp.v12.suo
│ └── TestApp
│ │ ├── TestApp.vcxproj
│ │ ├── TestApp.vcxproj.filters
│ │ ├── TestApp.vcxproj.user
│ │ └── main.cpp
├── TestApp
│ ├── TestApp.sln
│ ├── TestApp.v12.suo
│ └── TestApp
│ │ ├── TestApp.vcxproj
│ │ ├── TestApp.vcxproj.filters
│ │ ├── TestApp.vcxproj.user
│ │ └── main.cpp
├── Trampoline Hook x64
│ ├── Trampoline Hook x64.sln
│ ├── Trampoline Hook x64.v12.suo
│ └── Trampoline Hook x64
│ │ ├── LDE64x64.lib
│ │ ├── Trampoline Hook x64.vcxproj
│ │ ├── Trampoline Hook x64.vcxproj.filters
│ │ ├── Trampoline Hook x64.vcxproj.user
│ │ ├── Trampoline_X64.cpp
│ │ ├── Trampoline_X64.h
│ │ └── main.cpp
├── Trampoline Hook x86
│ ├── Trampoline Hook x86.sln
│ ├── Trampoline Hook x86.v12.suo
│ └── Trampoline Hook x86
│ │ ├── LDE64.lib
│ │ ├── Trampoline Hook x86.vcxproj
│ │ ├── Trampoline Hook x86.vcxproj.filters
│ │ ├── Trampoline_X86.cpp
│ │ ├── Trampoline_X86.h
│ │ └── main.cpp
└── bin
│ ├── Detours Explorer CreateProc.dll
│ ├── Detours Hook x64.dll
│ ├── Detours Hook x86.dll
│ ├── EAT Hook x64.dll
│ ├── EAT Hook x86.dll
│ ├── IAT Hook x64.dll
│ ├── IAT Hook x86.dll
│ ├── Injector64.exe
│ ├── Injector86.exe
│ ├── TestApp64.exe
│ ├── TestApp64EAT.exe
│ ├── TestApp86.exe
│ ├── TestApp86EAT.exe
│ ├── TestApp86OptOff.exe
│ ├── Trampoline Hook x64.dll
│ └── Trampoline Hook x86.dll
└── img
├── 1.gif
├── 2.png
├── PE.svg
└── btc.png
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2022 Mahmoud M. Almazari
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # API Hooking Techniques
2 |
3 | This repository contains some techniques for Windows API hooking, for research and educational purposes only!
4 |
5 | ## Ring 3
6 | The included techniques are:
7 | - [X] Detours Hook (x64/x86)
8 | - [X] Trampoline Hook (x64/x86)
9 | - [X] Import Address Table (IAT) Hook (x64/x86)
10 | - [X] Export Address Table (EAT) Hook (x64/x86)
11 |
12 | #### Notes:
13 | - The Trampoline Hook needs a fix when copying the instructions from the original function into the new function address: the addresses encoded in the copied instructions must be rewritten for their new location, otherwise the hook won't work.
14 | - The TestApp is simply a `while` loop that contains a call to the MessageBoxA function. In TestApp86.exe, in a rare case, the Visual Studio optimizer stored the original API address in the ESI register, which makes the IAT hook useless in that case. As a result, I compiled another version with the optimizer turned off (TestApp86OptOff.exe) to validate the hook results!
15 | 
16 | - The EAT hook won't work directly on x64 because the addresses in the EAT are 4-byte relative addresses (RVAs) in both 32-bit and 64-bit PE files. As a result, a jump instruction is written inside the targeted module that is being hooked, within reach of a 4-byte RVA, which solves the issue.
17 |
18 | #### Example
19 | 
20 |
21 | ## Buy me a Coffee:
22 | BTC: bc1q2kqvggm552h0csyr0awa2zepdapxdqnacw0z5w
23 |
24 | 
25 |
--------------------------------------------------------------------------------
/Ring 3/Detours Explorer CreateProc/Detours Explorer CreateProc.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Detours Explorer CreateProc", "Detours Explorer CreateProc\Detours Explorer CreateProc.vcxproj", "{E3D44204-C725-4865-81BA-21204865A3A0}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {E3D44204-C725-4865-81BA-21204865A3A0}.Debug|x64.ActiveCfg = Debug|x64
15 | {E3D44204-C725-4865-81BA-21204865A3A0}.Debug|x64.Build.0 = Debug|x64
16 | {E3D44204-C725-4865-81BA-21204865A3A0}.Release|x64.ActiveCfg = Release|x64
17 | {E3D44204-C725-4865-81BA-21204865A3A0}.Release|x64.Build.0 = Release|x64
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Ring 3/Detours Explorer CreateProc/Detours Explorer CreateProc.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/Detours Explorer CreateProc/Detours Explorer CreateProc.v12.suo
--------------------------------------------------------------------------------
/Ring 3/Detours Explorer CreateProc/Detours Explorer CreateProc/Detours Explorer CreateProc.vcxproj:
--------------------------------------------------------------------------------
[MSBuild project file; the XML element tags were lost in extraction and only element values survive. Recoverable values: configurations Debug|Win32, Debug|x64, Release|Win32, Release|x64; ProjectGuid {E3D44204-C725-4865-81BA-21204865A3A0}; Keyword Win32Proj; RootNamespace DetoursExplorerCreateProc; ConfigurationType DynamicLibrary; PlatformToolset v120; CharacterSet Unicode; WarningLevel Level3; Optimization Disabled (Debug) / MaxSpeed (Release); RuntimeLibrary MultiThreaded in Debug|Win32, Debug|x64 and Release|x64; SubSystem Windows; PreprocessorDefinitions WIN32;_DEBUG;_WINDOWS;_USRDLL;DETOURSEXPLORERCREATEPROC_EXPORTS;%(PreprocessorDefinitions) (Debug) and WIN32;NDEBUG;_WINDOWS;_USRDLL;DETOURSEXPLORERCREATEPROC_EXPORTS;%(PreprocessorDefinitions) (Release).]
--------------------------------------------------------------------------------
/Ring 3/Detours Explorer CreateProc/Detours Explorer CreateProc/Detours Explorer CreateProc.vcxproj.filters:
--------------------------------------------------------------------------------
[Visual Studio filters file; the XML element tags were lost in extraction. Recoverable values: filter {4FC737F1-C7A5-4376-A066-2A32D752A2FF} for extensions cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx; filter {93995380-89BD-4b04-88EB-625FBE52EBFB} for extensions h;hh;hpp;hxx;hm;inl;inc;xsd; filter {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} for extensions rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms; the project's three source items are assigned to the "Source Files" filter.]
--------------------------------------------------------------------------------
/Ring 3/Detours Explorer CreateProc/Detours Explorer CreateProc/Detours_x64.cpp:
--------------------------------------------------------------------------------
#include <Windows.h>

// Patch written over the first 12 bytes of the target function:
//   48 B8 <imm64>   mov rax, <absolute address of newFun>
//   FF E0           jmp rax
BYTE MOV[10] = { 0x48, 0xB8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; // __asm { MOV rax, Address_8Bytes }
BYTE JMP_RAX[2] = { 0xFF, 0xE0 };                                     // __asm { JMP rax }

#define JMP_BUFF_SIZE (sizeof(MOV) + sizeof(JMP_RAX))


// Overwrites the prologue of libName!API_Name with an absolute jump to newFun.
// The original JMP_BUFF_SIZE bytes are saved in *orgBytes (heap-allocated, size in *len)
// so that unhookDetoursX64 can put them back.
BOOL hookDetoursX64(char libName[], char API_Name[], LPVOID newFun, BYTE **orgBytes, DWORD *len) {
    DWORD oldProtect;
    DWORD64 orgAddress;

    orgAddress = (DWORD64)GetProcAddress(LoadLibraryA(libName), API_Name);
    if (orgAddress == 0)
        return 0;

    // Embed the 8-byte absolute address of the hook in the MOV immediate
    memcpy(&MOV[2], &newFun, 8);

    // Code pages are mapped RX; make the patch window writable first
    if (!VirtualProtect((LPVOID)orgAddress, JMP_BUFF_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect))
        return 0;

    *orgBytes = new BYTE[JMP_BUFF_SIZE];
    *len = JMP_BUFF_SIZE;
    memcpy(*orgBytes, (LPVOID)orgAddress, JMP_BUFF_SIZE);

    memcpy((LPVOID)orgAddress, MOV, sizeof(MOV));
    memcpy((LPVOID)(orgAddress + sizeof(MOV)), JMP_RAX, sizeof(JMP_RAX));

    VirtualProtect((LPVOID)orgAddress, JMP_BUFF_SIZE, oldProtect, &oldProtect);

    return 1;
}


// Restores the bytes saved by hookDetoursX64, removing the detour.
BOOL unhookDetoursX64(char libName[], char API_Name[], BYTE *orgBytes, DWORD len) {
    DWORD oldProtect;
    DWORD64 orgAddress;

    orgAddress = (DWORD64)GetProcAddress(LoadLibraryA(libName), API_Name);
    if (orgAddress == 0)
        return 0;

    if (!VirtualProtect((LPVOID)orgAddress, len, PAGE_EXECUTE_READWRITE, &oldProtect))
        return 0;

    memcpy((LPVOID)orgAddress, orgBytes, len);

    VirtualProtect((LPVOID)orgAddress, len, oldProtect, &oldProtect);

    return 1;
}
--------------------------------------------------------------------------------
/Ring 3/Detours Explorer CreateProc/Detours Explorer CreateProc/Detours_x64.h:
--------------------------------------------------------------------------------
#pragma once
#include <Windows.h>

// Installs an absolute-jump detour on libName!API_Name; the overwritten bytes are saved in *orgBytes
BOOL hookDetoursX64(char libName[], char API_Name[], LPVOID newFun, BYTE **orgBytes, DWORD *len);

// Restores the bytes saved by hookDetoursX64
BOOL unhookDetoursX64(char libName[], char API_Name[], BYTE *orgBytes, DWORD len);
--------------------------------------------------------------------------------
/Ring 3/Detours Explorer CreateProc/Detours Explorer CreateProc/main.cpp:
--------------------------------------------------------------------------------
#include "Detours_x64.h"
#include <Windows.h>
#include <atlconv.h>   // CW2A: wide-to-ANSI string conversion used for the prompt text

BYTE *orgBytes;
DWORD len;

// Replacement for kernel32!CreateProcessW: asks the user before a process is created.
// The hook has to be lifted around the call into the real API, because the first bytes
// of CreateProcessW now hold the jump that leads back into this function.
BOOL WINAPI CreateProcessWHooked(
    _In_opt_ LPCWSTR lpApplicationName,
    _Inout_opt_ LPWSTR lpCommandLine,
    _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ BOOL bInheritHandles,
    _In_ DWORD dwCreationFlags,
    _In_opt_ LPVOID lpEnvironment,
    _In_opt_ LPCWSTR lpCurrentDirectory,
    _In_ LPSTARTUPINFOW lpStartupInfo,
    _Out_ LPPROCESS_INFORMATION lpProcessInformation
) {

    // The caller may pass the executable in either parameter; show whichever is set
    LPCWSTR shown = lpApplicationName ? lpApplicationName : lpCommandLine;
    int msgResult = MessageBoxA(0, CW2A(shown), "This function has been hooked, do you really want to open this program?", MB_YESNO);

    if (msgResult == IDYES) {
        unhookDetoursX64("Kernel32", "CreateProcessW", orgBytes, len);

        BOOL retValue = CreateProcessW(
            lpApplicationName,
            lpCommandLine,
            lpProcessAttributes,
            lpThreadAttributes,
            bInheritHandles,
            dwCreationFlags,
            lpEnvironment,
            lpCurrentDirectory,
            lpStartupInfo,
            lpProcessInformation
        );
        DWORD err = GetLastError();   // preserve the real API's error code across the re-hook

        delete[] orgBytes;            // hookDetoursX64 allocates a fresh copy of the saved bytes
        hookDetoursX64("Kernel32", "CreateProcessW", CreateProcessWHooked, &orgBytes, &len);

        SetLastError(err);
        return retValue;
    }

    // Creation refused: report failure rather than returning TRUE with an unfilled PROCESS_INFORMATION
    SetLastError(ERROR_CANCELLED);
    return FALSE;
}

BOOL WINAPI DllMain(HMODULE hModule, DWORD Call_Reason, LPVOID lpReserved) {

    switch (Call_Reason) {
    case DLL_PROCESS_ATTACH:
        // Install the hook as soon as the DLL is loaded into the target process
        hookDetoursX64("Kernel32", "CreateProcessW", CreateProcessWHooked, &orgBytes, &len);
        break;
    }

    return TRUE;
}
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x64/Detours Hook x64.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Detours Hook x64", "Detours Hook x64\Detours Hook x64.vcxproj", "{E0B7F943-CCC9-461B-A0D2-C318FC17FF48}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}.Debug|Win32.Build.0 = Debug|Win32
18 | {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}.Debug|x64.ActiveCfg = Debug|x64
19 | {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}.Debug|x64.Build.0 = Debug|x64
20 | {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}.Release|Win32.ActiveCfg = Release|Win32
21 | {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}.Release|Win32.Build.0 = Release|Win32
22 | {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}.Release|x64.ActiveCfg = Release|x64
23 | {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x64/Detours Hook x64.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/Detours Hook x64/Detours Hook x64.v12.suo
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x64/Detours Hook x64/Detours Hook x64.vcxproj:
--------------------------------------------------------------------------------
[MSBuild project file; the XML element tags were lost in extraction and only element values survive. Recoverable values: configurations Debug|Win32, Debug|x64, Release|Win32, Release|x64; ProjectGuid {E0B7F943-CCC9-461B-A0D2-C318FC17FF48}; Keyword Win32Proj; RootNamespace DetoursHookx64; ConfigurationType DynamicLibrary; PlatformToolset v120; CharacterSet Unicode; WarningLevel Level3; Optimization Disabled (Debug) / MaxSpeed (Release); RuntimeLibrary MultiThreaded in Release|x64 only; SubSystem Windows; PreprocessorDefinitions WIN32;_DEBUG;_WINDOWS;_USRDLL;DETOURSHOOKX64_EXPORTS;%(PreprocessorDefinitions) (Debug) and WIN32;NDEBUG;_WINDOWS;_USRDLL;DETOURSHOOKX64_EXPORTS;%(PreprocessorDefinitions) (Release).]
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x64/Detours Hook x64/Detours Hook x64.vcxproj.filters:
--------------------------------------------------------------------------------
[Visual Studio filters file; the XML element tags were lost in extraction. Recoverable values: filter {4FC737F1-C7A5-4376-A066-2A32D752A2FF} for extensions cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx; filter {93995380-89BD-4b04-88EB-625FBE52EBFB} for extensions h;hh;hpp;hxx;hm;inl;inc;xsd; filter {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} for extensions rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms; the project's three source items are assigned to the "Source Files" filter.]
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x64/Detours Hook x64/Detours Hook x64.vcxproj.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x64/Detours Hook x64/Detours_x64.cpp:
--------------------------------------------------------------------------------
#include <Windows.h>

// Patch written over the first 12 bytes of the target function:
//   48 B8 <imm64>   mov rax, <absolute address of newFun>
//   FF E0           jmp rax
BYTE MOV[10] = { 0x48, 0xB8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; // __asm { MOV rax, Address_8Bytes }
BYTE JMP_RAX[2] = { 0xFF, 0xE0 };                                     // __asm { JMP rax }

#define JMP_BUFF_SIZE (sizeof(MOV) + sizeof(JMP_RAX))


// Overwrites the prologue of libName!API_Name with an absolute jump to newFun.
// The original JMP_BUFF_SIZE bytes are saved in *orgBytes (heap-allocated, size in *len)
// so that unhookDetoursX64 can put them back.
BOOL hookDetoursX64(char libName[], char API_Name[], LPVOID newFun, BYTE **orgBytes, DWORD *len) {
    DWORD oldProtect;
    DWORD64 orgAddress;

    orgAddress = (DWORD64)GetProcAddress(LoadLibraryA(libName), API_Name);
    if (orgAddress == 0)
        return 0;

    // Embed the 8-byte absolute address of the hook in the MOV immediate
    memcpy(&MOV[2], &newFun, 8);

    // Code pages are mapped RX; make the patch window writable first
    if (!VirtualProtect((LPVOID)orgAddress, JMP_BUFF_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect))
        return 0;

    *orgBytes = new BYTE[JMP_BUFF_SIZE];
    *len = JMP_BUFF_SIZE;
    memcpy(*orgBytes, (LPVOID)orgAddress, JMP_BUFF_SIZE);

    memcpy((LPVOID)orgAddress, MOV, sizeof(MOV));
    memcpy((LPVOID)(orgAddress + sizeof(MOV)), JMP_RAX, sizeof(JMP_RAX));

    VirtualProtect((LPVOID)orgAddress, JMP_BUFF_SIZE, oldProtect, &oldProtect);

    return 1;
}


// Restores the bytes saved by hookDetoursX64, removing the detour.
BOOL unhookDetoursX64(char libName[], char API_Name[], BYTE *orgBytes, DWORD len) {
    DWORD oldProtect;
    DWORD64 orgAddress;

    orgAddress = (DWORD64)GetProcAddress(LoadLibraryA(libName), API_Name);
    if (orgAddress == 0)
        return 0;

    if (!VirtualProtect((LPVOID)orgAddress, len, PAGE_EXECUTE_READWRITE, &oldProtect))
        return 0;

    memcpy((LPVOID)orgAddress, orgBytes, len);

    VirtualProtect((LPVOID)orgAddress, len, oldProtect, &oldProtect);

    return 1;
}
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x64/Detours Hook x64/Detours_x64.h:
--------------------------------------------------------------------------------
#pragma once
#include <Windows.h>

// Installs an absolute-jump detour on libName!API_Name; the overwritten bytes are saved in *orgBytes
BOOL hookDetoursX64(char libName[], char API_Name[], LPVOID newFun, BYTE **orgBytes, DWORD *len);

// Restores the bytes saved by hookDetoursX64
BOOL unhookDetoursX64(char libName[], char API_Name[], BYTE *orgBytes, DWORD len);
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x64/Detours Hook x64/main.cpp:
--------------------------------------------------------------------------------
#include "Detours_x64.h"
#include <Windows.h>


BYTE *orgBytes;
DWORD len;

// Replacement for user32!MessageBoxA. The first bytes of MessageBoxA were overwritten
// with the jump, so the hook is removed before calling the real function and
// re-installed afterwards; calling it while hooked would loop straight back here.
int WINAPI MessageBoxHooked(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType
) {

    unhookDetoursX64("user32", "MessageBoxA", orgBytes, len);

    int retValue = MessageBoxA(0, "Hooked Successfully ...", "By Mahmoud M. Almazari", 0);

    delete[] orgBytes;   // hookDetoursX64 allocates a fresh copy of the saved bytes
    hookDetoursX64("user32", "MessageBoxA", MessageBoxHooked, &orgBytes, &len);

    return retValue;
}


BOOL WINAPI DllMain(HMODULE hModule, DWORD Call_Reason, LPVOID lpReserved) {

    switch (Call_Reason) {
    case DLL_PROCESS_ATTACH:
        // Install the hook as soon as the DLL is loaded into the target process
        hookDetoursX64("user32", "MessageBoxA", MessageBoxHooked, &orgBytes, &len);
        break;
    }

    return TRUE;
}
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x86/Detours Hook x86.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Detours Hook x86", "Detours Hook x86\Detours Hook x86.vcxproj", "{0E90B585-C3DB-4443-A80E-2DB3DAEB39CF}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Release|Win32 = Release|Win32
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {0E90B585-C3DB-4443-A80E-2DB3DAEB39CF}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {0E90B585-C3DB-4443-A80E-2DB3DAEB39CF}.Debug|Win32.Build.0 = Debug|Win32
16 | {0E90B585-C3DB-4443-A80E-2DB3DAEB39CF}.Release|Win32.ActiveCfg = Release|Win32
17 | {0E90B585-C3DB-4443-A80E-2DB3DAEB39CF}.Release|Win32.Build.0 = Release|Win32
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x86/Detours Hook x86.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/Detours Hook x86/Detours Hook x86.v12.suo
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x86/Detours Hook x86/Detours Hook x86.vcxproj:
--------------------------------------------------------------------------------
[MSBuild project file; the XML element tags were lost in extraction and only element values survive. Recoverable values: configurations Debug|Win32, Release|Win32; ProjectGuid {0E90B585-C3DB-4443-A80E-2DB3DAEB39CF}; Keyword Win32Proj; RootNamespace DetoursHookx86; ConfigurationType DynamicLibrary; PlatformToolset v120; CharacterSet Unicode; WarningLevel Level3; Optimization Disabled (Debug) / MaxSpeed (Release); RuntimeLibrary MultiThreaded in Release|Win32; SubSystem Windows; PreprocessorDefinitions WIN32;_DEBUG;_WINDOWS;_USRDLL;DETOURSHOOKX86_EXPORTS;%(PreprocessorDefinitions) (Debug) and WIN32;NDEBUG;_WINDOWS;_USRDLL;DETOURSHOOKX86_EXPORTS;%(PreprocessorDefinitions) (Release).]
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x86/Detours Hook x86/Detours Hook x86.vcxproj.filters:
--------------------------------------------------------------------------------
[Visual Studio filters file; the XML element tags were lost in extraction. Recoverable values: filter {4FC737F1-C7A5-4376-A066-2A32D752A2FF} for extensions cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx; filter {93995380-89BD-4b04-88EB-625FBE52EBFB} for extensions h;hh;hpp;hxx;hm;inl;inc;xsd; filter {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} for extensions rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms; the project's three source items are assigned to the "Source Files" filter.]
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x86/Detours Hook x86/Detours Hook x86.vcxproj.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x86/Detours Hook x86/Detours_x86.cpp:
--------------------------------------------------------------------------------
#include "Detours_x86.h"

// Patch written over the first 5 bytes of the target function:
//   E9 <rel32>   jmp rel32 (displacement measured from the end of this instruction)
BYTE JMP[5] = { 0xE9, 0x0, 0x0, 0x0, 0x0 }; // __asm { JMP Address_4Bytes }

#define JMP_BUFF_SIZE sizeof(JMP)


// Overwrites the prologue of libName!API_Name with a relative jump to newFun and
// saves the original JMP_BUFF_SIZE bytes in *orgBytes (heap-allocated, size in *len).
BOOL hookDetoursX86(char libName[], char API_Name[], LPVOID newFun, BYTE **orgBytes, DWORD *len) {
    DWORD orgAddress;
    DWORD oldProtect;
    DWORD JMP_Dist;


    orgAddress = (DWORD)GetProcAddress(LoadLibraryA(libName), API_Name);
    if (orgAddress == 0)
        return 0;

    // rel32 is relative to the address following the 5-byte jmp, hence the extra JMP_BUFF_SIZE
    JMP_Dist = (DWORD)newFun - orgAddress - JMP_BUFF_SIZE;

    memcpy(&JMP[1], &JMP_Dist, 4);

    // Code pages are mapped RX; make the patch window writable first
    if (!VirtualProtect((LPVOID)orgAddress, JMP_BUFF_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect))
        return 0;

    *orgBytes = new BYTE[JMP_BUFF_SIZE];
    *len = JMP_BUFF_SIZE;
    memcpy((LPVOID)*orgBytes, (LPVOID)orgAddress, JMP_BUFF_SIZE);

    memcpy((LPVOID)orgAddress, JMP, JMP_BUFF_SIZE);

    VirtualProtect((LPVOID)orgAddress, JMP_BUFF_SIZE, oldProtect, &oldProtect);


    return 1;
}


// Restores the bytes saved by hookDetoursX86, removing the detour.
BOOL unhookDetoursX86(char libName[], char API_Name[], BYTE *orgBytes, DWORD len) {
    DWORD orgAddress;
    DWORD oldProtect;

    orgAddress = (DWORD)GetProcAddress(LoadLibraryA(libName), API_Name);
    if (orgAddress == 0)
        return 0;

    if (!VirtualProtect((LPVOID)orgAddress, len, PAGE_EXECUTE_READWRITE, &oldProtect))
        return 0;

    memcpy((LPVOID)orgAddress, orgBytes, len);

    VirtualProtect((LPVOID)orgAddress, len, oldProtect, &oldProtect);

    return 1;
}
--------------------------------------------------------------------------------
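Detours_x64.cpp writes `48 B8 <imm64> FF E0` (mov rax, imm64; jmp rax) over the first 12 bytes of the target and Detours_x86.cpp writes `E9 <rel32>` with rel32 = newFun - orgAddress - 5; the x64 EAT stub described in the README uses the same mov/jmp pair. The following is an added example, not code from this repository, of the check a defender would run over a function's entry bytes to spot those patches: it decodes the jump target and flags it when it lies outside the owning module. All sample bytes, module bases and sizes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What the first bytes of a function entry look like. */
typedef enum {
    PROLOGUE_CLEAN = 0,        /* no known inline-hook pattern */
    PROLOGUE_X64_MOV_RAX_JMP,  /* 48 B8 <imm64> FF E0 : mov rax, imm64 ; jmp rax */
    PROLOGUE_JMP_REL32         /* E9 <rel32>          : jmp rel32               */
} prologue_kind;

typedef struct {
    prologue_kind kind;
    uint64_t target;    /* resolved jump destination, 0 when clean */
    int leaves_module;  /* 1 when target lies outside [module_base, module_base + module_size) */
} hook_report;

/* Little-endian read of n <= 8 bytes. */
static uint64_t read_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/*
 * Inspect the first `len` bytes found at `func_addr` (the value GetProcAddress would
 * return) and report whether they begin with one of the two detour patches.
 * ptr_bits (32 or 64) selects the address width for the rel32 arithmetic.
 */
hook_report inspect_prologue(const uint8_t *code, size_t len, uint64_t func_addr,
                             uint64_t module_base, uint64_t module_size, int ptr_bits) {
    hook_report r = { PROLOGUE_CLEAN, 0, 0 };

    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) {
        /* the 8-byte immediate is the absolute hook address, as stored at MOV[2..9] */
        r.kind = PROLOGUE_X64_MOV_RAX_JMP;
        r.target = read_le(code + 2, 8);
    } else if (len >= 5 && code[0] == 0xE9) {
        /* rel32 is relative to the end of the 5-byte jmp, so target = addr + 5 + rel32;
           this inverts JMP_Dist = newFun - orgAddress - JMP_BUFF_SIZE from the x86 hook */
        uint32_t raw = (uint32_t)read_le(code + 1, 4);
        int64_t rel = (raw & 0x80000000u) ? (int64_t)raw - 0x100000000LL : (int64_t)raw;
        uint64_t t = func_addr + 5 + (uint64_t)rel;
        r.kind = PROLOGUE_JMP_REL32;
        r.target = (ptr_bits == 32) ? (t & 0xFFFFFFFFu) : t;
    }

    if (r.kind != PROLOGUE_CLEAN)
        r.leaves_module = !(r.target >= module_base && r.target < module_base + module_size);
    return r;
}

/* ---- constructed samples; none of these addresses or bytes come from a real process ---- */

/* 64-bit user32 at a made-up base; MessageBoxA entry patched to jump to 0x00007FF6D1231000 */
const uint64_t USER32_X64_BASE = 0x00007FFB12340000ULL, USER32_X64_SIZE = 0x1A0000;
const uint8_t X64_HOOKED[12] = { 0x48, 0xB8, 0x00, 0x10, 0x23, 0xD1, 0xF6, 0x7F, 0x00, 0x00, 0xFF, 0xE0 };
/* an unpatched 64-bit entry: sub rsp, 38h ; mov rax, [rip+0] ; nop */
const uint8_t X64_CLEAN[12]  = { 0x48, 0x83, 0xEC, 0x38, 0x48, 0x8B, 0x05, 0x00, 0x00, 0x00, 0x00, 0x90 };

/* 32-bit user32 at base 0x75A00000, MessageBoxA at +0x1230, detoured to 0x10001000:
   rel32 = 0x10001000 - 0x75A01230 - 5 = 0x9A5FFDCB (two's complement) */
const uint64_t USER32_X86_BASE = 0x75A00000, USER32_X86_SIZE = 0x90000, MSGBOX_X86 = 0x75A01230;
const uint8_t X86_HOOKED[5] = { 0xE9, 0xCB, 0xFD, 0x5F, 0x9A };
/* an unpatched hot-patchable 32-bit entry: mov edi, edi ; push ebp ; mov ebp, esp */
const uint8_t X86_CLEAN[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

int main(void) {
    hook_report a = inspect_prologue(X64_HOOKED, sizeof X64_HOOKED, USER32_X64_BASE + 0x1230,
                                     USER32_X64_BASE, USER32_X64_SIZE, 64);
    hook_report b = inspect_prologue(X86_HOOKED, sizeof X86_HOOKED, MSGBOX_X86,
                                     USER32_X86_BASE, USER32_X86_SIZE, 32);
    printf("x64 entry: kind=%d target=0x%016llx leaves_module=%d\n",
           (int)a.kind, (unsigned long long)a.target, a.leaves_module);
    printf("x86 entry: kind=%d target=0x%08llx leaves_module=%d\n",
           (int)b.kind, (unsigned long long)b.target, b.leaves_module);
    return 0;
}
```

A mov rax/jmp rax stub whose target stays inside the module (the x64 EAT case) is still reported through `kind`; only `leaves_module` is 0 for it.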
/Ring 3/Detours Hook x86/Detours Hook x86/Detours_x86.h:
--------------------------------------------------------------------------------
#pragma once
#include <Windows.h>

// Installs a relative-jump detour on libName!API_Name; the overwritten bytes are saved in *orgBytes
BOOL hookDetoursX86(char libName[], char API_Name[], LPVOID newFun, BYTE **orgBytes, DWORD *len);

// Restores the bytes saved by hookDetoursX86
BOOL unhookDetoursX86(char libName[], char API_Name[], BYTE *orgBytes, DWORD len);
--------------------------------------------------------------------------------
/Ring 3/Detours Hook x86/Detours Hook x86/main.cpp:
--------------------------------------------------------------------------------
#include "Detours_x86.h"
#include <Windows.h>


BYTE *orgBytes;
DWORD len;

// Replacement for user32!MessageBoxA. The first bytes of MessageBoxA were overwritten
// with the jump, so the hook is removed before calling the real function and
// re-installed afterwards; calling it while hooked would loop straight back here.
int WINAPI MessageBoxHooked(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType
) {

    unhookDetoursX86("user32", "MessageBoxA", orgBytes, len);

    int retValue = MessageBoxA(0, "Hooked Successfully ...", "By Mahmoud M. Almazari", 0);

    delete[] orgBytes;   // hookDetoursX86 allocates a fresh copy of the saved bytes
    hookDetoursX86("user32", "MessageBoxA", MessageBoxHooked, &orgBytes, &len);

    return retValue;
}


BOOL WINAPI DllMain(HMODULE hModule, DWORD Call_Reason, LPVOID lpReserved) {

    switch (Call_Reason) {
    case DLL_PROCESS_ATTACH:
        // Install the hook as soon as the DLL is loaded into the target process
        hookDetoursX86("user32", "MessageBoxA", MessageBoxHooked, &orgBytes, &len);
        break;
    }

    return TRUE;
}
--------------------------------------------------------------------------------
/Ring 3/EAT Hook/EAT Hook.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EAT Hook", "EAT Hook\EAT Hook.vcxproj", "{D865D198-0871-4AFD-99D8-8609F647EB86}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {D865D198-0871-4AFD-99D8-8609F647EB86}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {D865D198-0871-4AFD-99D8-8609F647EB86}.Debug|Win32.Build.0 = Debug|Win32
18 | {D865D198-0871-4AFD-99D8-8609F647EB86}.Debug|x64.ActiveCfg = Debug|x64
19 | {D865D198-0871-4AFD-99D8-8609F647EB86}.Debug|x64.Build.0 = Debug|x64
20 | {D865D198-0871-4AFD-99D8-8609F647EB86}.Release|Win32.ActiveCfg = Release|Win32
21 | {D865D198-0871-4AFD-99D8-8609F647EB86}.Release|Win32.Build.0 = Release|Win32
22 | {D865D198-0871-4AFD-99D8-8609F647EB86}.Release|x64.ActiveCfg = Release|x64
23 | {D865D198-0871-4AFD-99D8-8609F647EB86}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Ring 3/EAT Hook/EAT Hook.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/EAT Hook/EAT Hook.v12.suo
--------------------------------------------------------------------------------
/Ring 3/EAT Hook/EAT Hook/EAT Hook.vcxproj:
--------------------------------------------------------------------------------
[MSBuild project file; the XML element tags were lost in extraction and only element values survive. Recoverable values: configurations Debug|Win32, Debug|x64, Release|Win32, Release|x64; ProjectGuid {D865D198-0871-4AFD-99D8-8609F647EB86}; Keyword Win32Proj; RootNamespace EATHook; ConfigurationType DynamicLibrary; PlatformToolset v120; CharacterSet Unicode; WarningLevel Level3; Optimization Disabled (Debug) / MaxSpeed (Release); RuntimeLibrary MultiThreaded in Release|Win32 and Release|x64; SubSystem Windows; PreprocessorDefinitions WIN32;_DEBUG;_WINDOWS;_USRDLL;EATHOOK_EXPORTS;%(PreprocessorDefinitions) (Debug) and WIN32;NDEBUG;_WINDOWS;_USRDLL;EATHOOK_EXPORTS;%(PreprocessorDefinitions) (Release).]
--------------------------------------------------------------------------------
/Ring 3/EAT Hook/EAT Hook/EAT Hook.vcxproj.filters:
--------------------------------------------------------------------------------
(Project filters file; XML markup lost in extraction. Recoverable content:)
Filters: Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx); Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hh;hpp;hxx;hm;inl;inc;xsd); Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} (rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms)
Items: two ClCompile entries and one ClInclude entry, all placed under Source Files (file names not recoverable from the extracted text)
--------------------------------------------------------------------------------
/Ring 3/EAT Hook/EAT Hook/EAT.cpp:
--------------------------------------------------------------------------------
#include "EAT.h"


// x64 absolute jump stub written into a code cave: mov rax, imm64 ; jmp rax
BYTE MOV[10] = { 0x48, 0xB8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; // __asm { MOV rax, Address_8Bytes }
BYTE JMP_RAX[2] = { 0xFF, 0xE0 }; // __asm { JMP rax }

/*
 * Search the module's executable sections for a run of padding bytes (0x00 or 0xCC) long enough to
 * hold the jump stub plus a 15-byte guard (the longest x86 instruction) on each side, so the stub can
 * never overlap the tail of a real instruction. Scanning only executable sections keeps the stub out
 * of the PE headers and never reads past the mapped image (the previous bound was computed with
 * "2 ^ 32", which in C is XOR, not two to the 32nd). Returns 0 if no suitable cave exists.
 */
DWORD_PTR findEmptyLocation(LPVOID memoryAddress) {
	DWORD_PTR imageBase = (DWORD_PTR)memoryAddress;
	PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(imageBase + ((PIMAGE_DOS_HEADER)imageBase)->e_lfanew);
	PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(ntHeaders);

	const int jmpInstructions = sizeof(MOV) + sizeof(JMP_RAX);
	const int maxInstructionSize = 15;
	const int needed = 2 * maxInstructionSize + jmpInstructions;

	for (WORD s = 0; s < ntHeaders->FileHeader.NumberOfSections; s++, section++) {
		if (!(section->Characteristics & IMAGE_SCN_MEM_EXECUTE))
			continue;

		// BYTE, not char: (char)0xCC is negative on MSVC and never compares equal to the int 0xCC
		BYTE *memAddr = (BYTE*)(imageBase + section->VirtualAddress);
		DWORD sectionSize = section->Misc.VirtualSize;
		BYTE lastValue = 0x00;
		int sum = 0;

		for (DWORD i = 0; i < sectionSize; i++) {
			if (memAddr[i] != 0xCC && memAddr[i] != 0x00) {
				sum = 0;
				continue;
			}

			if (lastValue != memAddr[i]) { // a run must consist of a single padding value
				lastValue = memAddr[i];
				sum = 0;
			}

			sum++;

			if (sum >= needed) // run starts at i + 1 - sum; leave the guard in front of the stub
				return (DWORD_PTR)memAddr + i + 1 - sum + maxInstructionSize;
		}
	}

	return 0;
}


/*
 * Redirect the named export of libName to newFun. Returns the address the export pointed to before
 * the hook (0 if the module or export was not found, or the export is a forwarder), so the caller can
 * chain to the real function and later unhook.
 *
 * Only lookups made after this call see the hook: GetProcAddress and the loader read the export
 * table, but imports already bound into other modules' IATs, and addresses the target cached
 * earlier, still point at the original code.
 */
DWORD_PTR hookEAT(char libName[], char API_Name[], LPVOID newFun) {
	// The module is normally already mapped (the hook runs inside the target), so prefer GetModuleHandle;
	// LoadLibrary is only a fallback and is best avoided while DllMain holds the loader lock
	HMODULE hLib = GetModuleHandleA(libName);
	if (hLib == NULL)
		hLib = LoadLibraryA(libName);
	if (hLib == NULL)
		return 0;

	DWORD_PTR imageBase = (DWORD_PTR)hLib;
	PIMAGE_DOS_HEADER dosHeaders = (PIMAGE_DOS_HEADER)imageBase;
	PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(imageBase + dosHeaders->e_lfanew);
	IMAGE_DATA_DIRECTORY exportDataDir = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
	if (exportDataDir.VirtualAddress == 0)
		return 0; // the module exports nothing
	PIMAGE_EXPORT_DIRECTORY exportDir = (PIMAGE_EXPORT_DIRECTORY)(imageBase + exportDataDir.VirtualAddress);
	// Recall: a PE has one export directory, but an array of import descriptors (one per imported DLL)


	DWORD *funNamesRVAs = (DWORD*)(imageBase + exportDir->AddressOfNames);             // 32bit
	DWORD *funAddressesRVAs = (DWORD*)(imageBase + exportDir->AddressOfFunctions);     // 32bit
	WORD *funNamesOrdinalRVAs = (WORD*)(imageBase + exportDir->AddressOfNameOrdinals); // 16bit
	/*
	 * AddressOfNames is the RVA of a list of RVAs of the function names (the names have variable
	 * length, so the table cannot be a char**). AddressOfNameOrdinals[i] is the index into
	 * AddressOfFunctions for the i-th name; it is an index, not the exported ordinal (ordinal = index + Base).
	 */


	DWORD oldProtection;

	for (DWORD i = 0; i < exportDir->NumberOfNames; i++) {
		char *funcName = (char*)(imageBase + funNamesRVAs[i]);
		if (strcmp(funcName, API_Name) != 0) // export names are case-sensitive, exactly as GetProcAddress treats them
			continue;

		DWORD *pointerToFuncAddressRVA = &funAddressesRVAs[funNamesOrdinalRVAs[i]];
		DWORD oldRVA = *pointerToFuncAddressRVA;

		// An RVA that lands inside the export directory is a forwarder string ("NTDLL.RtlFoo"), not code:
		// the function lives in another module and has to be hooked there instead
		if (oldRVA >= exportDataDir.VirtualAddress && oldRVA < exportDataDir.VirtualAddress + exportDataDir.Size)
			return 0;

		DWORD_PTR realFunctionAddress = imageBase + oldRVA;
		DWORD_PTR target = (DWORD_PTR)newFun;
		// On x86 this subtraction wraps modulo 2^32 and the loader's (PBYTE)base + rva wraps back, so any address fits
		DWORD newRVAFunValue = (DWORD)(target - imageBase);

#if defined(_WIN64)
		if (target < imageBase || target - imageBase > 0xFFFFFFFFull) {
			/*
			 * funAddressesRVAs is a list of DWORDs on x64 as well as x86, and on x64 the hook DLL is usually
			 * mapped more than 4 GB away from the target module, so its address does not fit in an RVA.
			 * Instead, write "mov rax, newFun ; jmp rax" into a code cave of the module and point the RVA
			 * at the cave. Restoring the original address on unhook never needs this: it is inside the module.
			 */
			DWORD_PTR jmpLocation = findEmptyLocation((LPVOID)imageBase);
			if (jmpLocation == 0)
				return 0;
			if (!VirtualProtect((LPVOID)jmpLocation, sizeof(MOV) + sizeof(JMP_RAX), PAGE_EXECUTE_READWRITE, &oldProtection))
				return 0;

			memcpy(&MOV[2], &target, sizeof(target));
			memcpy((LPVOID)jmpLocation, MOV, sizeof(MOV));
			memcpy((LPVOID)(jmpLocation + sizeof(MOV)), JMP_RAX, sizeof(JMP_RAX));

			// The cave is in a code section, so the old protection is already executable
			VirtualProtect((LPVOID)jmpLocation, sizeof(MOV) + sizeof(JMP_RAX), oldProtection, &oldProtection);
			FlushInstructionCache(GetCurrentProcess(), (LPCVOID)jmpLocation, sizeof(MOV) + sizeof(JMP_RAX));
			newRVAFunValue = (DWORD)(jmpLocation - imageBase);
		}
#endif

		// The export table lives in a read-only section: open it for the single DWORD write, then restore
		if (!VirtualProtect((LPVOID)pointerToFuncAddressRVA, sizeof(DWORD), PAGE_READWRITE, &oldProtection))
			return 0;
		*pointerToFuncAddressRVA = newRVAFunValue;
		VirtualProtect((LPVOID)pointerToFuncAddressRVA, sizeof(DWORD), oldProtection, &oldProtection);

		return realFunctionAddress;
	}


	return 0;
}



// Writes the original address back into the export table; on x64 it fits the RVA directly, so no second cave is used
BOOL unhookEAT(char libName[], char API_Name[], LPVOID originalFuncAddress) {
	return hookEAT(libName, API_Name, originalFuncAddress) != 0;
}
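The export-table indirection the comment in hookEAT describes (AddressOfNames, then AddressOfNameOrdinals, then AddressOfFunctions), the 32-bit RVA limit that forces the x64 code-cave stub, and the check a defender runs against such a hook, shown as an added example in portable C. This is not the repository's code and does not load a real DLL: it builds a synthetic export directory in a byte buffer using winnt.h-compatible struct layouts, so the same logic runs on any platform. The module layout, image base, export names and every RVA below are constructed for the demonstration; the detection half diffs the live table against a pristine copy, which is what a scanner does by re-mapping the DLL from disk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed module layout (RVAs): export directory and its three tables at 0x100..0x2FF,
   name strings at 0x300, a fake code section at 0x800 padded with 0xCC like a linker emits. */
#define IMAGE_SIZE      0x1000
#define EXPORT_DIR_RVA  0x100
#define EXPORT_DIR_SIZE 0x200   /* directory plus tables: an RVA pointing in here is a forwarder string */
#define CODE_RVA        0x800
#define NUM_EXPORTS     3

typedef struct {                /* IMAGE_EXPORT_DIRECTORY, field order and sizes as in winnt.h */
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;

static uint64_t live_storage[IMAGE_SIZE / 8], pristine_storage[IMAGE_SIZE / 8]; /* 8-byte aligned images */

/* Names are sorted (GetProcAddress binary-searches them). The ordinal table maps name i to
   AddressOfFunctions[ordinals[i]] and is deliberately not the identity, so the indirection shows. */
void build_image(uint8_t *img) {
    static const char *names[NUM_EXPORTS] = { "GetDC", "MessageBoxA", "MessageBoxW" };
    static const uint16_t ordinals[NUM_EXPORTS] = { 2, 0, 1 };
    static const uint32_t func_rvas[NUM_EXPORTS] = { 0x800, 0x810, 0x820 }; /* MessageBoxA, MessageBoxW, GetDC */
    uint32_t name_rva = 0x300;
    memset(img, 0, IMAGE_SIZE);
    memset(img + CODE_RVA, 0xCC, IMAGE_SIZE - CODE_RVA);   /* int3 padding after the functions */
    memset(img + CODE_RVA, 0xC3, 0x30);                      /* the three "functions": ret */
    export_dir_t *ed = (export_dir_t *)(img + EXPORT_DIR_RVA);
    ed->Base = 1; ed->NumberOfFunctions = NUM_EXPORTS; ed->NumberOfNames = NUM_EXPORTS;
    ed->AddressOfFunctions = 0x200; ed->AddressOfNames = 0x220; ed->AddressOfNameOrdinals = 0x240;
    uint32_t *funcs = (uint32_t *)(img + 0x200), *name_tbl = (uint32_t *)(img + 0x220);
    uint16_t *ord_tbl = (uint16_t *)(img + 0x240);
    for (int i = 0; i < NUM_EXPORTS; i++) {
        funcs[i] = func_rvas[i]; ord_tbl[i] = ordinals[i]; name_tbl[i] = name_rva;
        strcpy((char *)img + name_rva, names[i]);
        name_rva += (uint32_t)strlen(names[i]) + 1;
    }
}

/* Pointer to the AddressOfFunctions slot for `name`: name index -> ordinal table -> slot.
   Case-sensitive, as GetProcAddress is. NULL if the name is not exported. */
uint32_t *export_slot(uint8_t *img, const char *name) {
    export_dir_t *ed = (export_dir_t *)(img + EXPORT_DIR_RVA);
    uint32_t *funcs = (uint32_t *)(img + ed->AddressOfFunctions), *names = (uint32_t *)(img + ed->AddressOfNames);
    uint16_t *ords = (uint16_t *)(img + ed->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++)
        if (strcmp((const char *)img + names[i], name) == 0) return &funcs[ords[i]];
    return NULL;
}

/* The 12-byte absolute jump the repo writes on x64: mov rax, imm64 ; jmp rax */
void encode_abs_jmp(uint8_t *dst, uint64_t target) {
    dst[0] = 0x48; dst[1] = 0xB8;
    for (int i = 0; i < 8; i++) dst[2 + i] = (uint8_t)(target >> (8 * i)); /* little-endian imm64 */
    dst[10] = 0xFF; dst[11] = 0xE0;
}

/* First run of `need` padding bytes (0x00 or 0xCC) in [lo, hi), or -1. The explicit bound is what the
   repo's scan lacks: in C, 2 ^ 32 is XOR (= 34), not two to the 32nd. */
int32_t find_cave(const uint8_t *img, uint32_t lo, uint32_t hi, uint32_t need) {
    uint32_t run = 0;
    for (uint32_t i = lo; i < hi; i++) {
        run = (img[i] == 0x00 || img[i] == 0xCC) ? run + 1 : 0;
        if (run == need) return (int32_t)(i + 1 - need);
    }
    return -1;
}

/* EAT hook: point the named export at `target`. Returns the previous RVA, or UINT32_MAX if the export is
   missing, is a forwarder, or no cave is free. A target within 4 GiB above the image base fits the 32-bit
   RVA directly; anything else (the usual x64 case) goes through a stub placed in a cave. */
uint32_t hook_export(uint8_t *img, uint64_t image_base, const char *name, uint64_t target) {
    uint32_t *slot = export_slot(img, name);
    if (!slot) return UINT32_MAX;
    uint32_t old = *slot;
    if (old >= EXPORT_DIR_RVA && old < EXPORT_DIR_RVA + EXPORT_DIR_SIZE) return UINT32_MAX;
    if (target >= image_base && target - image_base < UINT32_MAX) {
        *slot = (uint32_t)(target - image_base);
    } else {
        int32_t cave = find_cave(img, CODE_RVA, IMAGE_SIZE, 12);
        if (cave < 0) return UINT32_MAX;
        encode_abs_jmp(img + cave, target);
        *slot = (uint32_t)cave;
    }
    return old;
}

/* Detection: compare each named export's RVA in the live mapping with the pristine (on-disk) copy.
   Returns the number of tampered exports; the first tampered name is copied to `hit`. */
int diff_exports(uint8_t *live, uint8_t *pristine, char *hit, size_t cap) {
    export_dir_t *ed = (export_dir_t *)(pristine + EXPORT_DIR_RVA);
    uint32_t *names = (uint32_t *)(pristine + ed->AddressOfNames);
    int count = 0;
    if (cap) hit[0] = '\0';
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        const char *name = (const char *)pristine + names[i];
        uint32_t *l = export_slot(live, name), *p = export_slot(pristine, name);
        if (l == NULL || *l == *p) continue;
        if (count++ == 0 && cap) { strncpy(hit, name, cap - 1); hit[cap - 1] = '\0'; }
    }
    return count;
}

int main(void) {
    uint8_t *live = (uint8_t *)live_storage, *pristine = (uint8_t *)pristine_storage;
    char hit[32];
    build_image(live);
    memcpy(pristine, live, IMAGE_SIZE);
    uint64_t base = 0x00007FF8A0000000ull;  /* constructed user32 base; the hook DLL below is > 4 GiB away */
    uint32_t old = hook_export(live, base, "MessageBoxA", 0x00007FF6C0001000ull);
    printf("MessageBoxA: RVA 0x%X -> 0x%X (stub in cave)\n", old, *export_slot(live, "MessageBoxA"));
    printf("tampered exports: %d (%s)\n", diff_exports(live, pristine, hit, sizeof hit), hit);
    return 0;
}
```

The far target lands in the padding right after the last function, and the stub bytes are exactly the repo's MOV and JMP_RAX arrays with the address filled in. A near target is written as a plain RVA, which is also how an unhook restores the original entry without consuming a second cave.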
--------------------------------------------------------------------------------
/Ring 3/EAT Hook/EAT Hook/EAT.h:
--------------------------------------------------------------------------------
#pragma once
#include <Windows.h>

// Redirects libName!API_Name in the module's export table to newFun; returns the original address (0 on failure)
DWORD_PTR hookEAT(char libName[], char API_Name[], LPVOID newFun);

// Restores the export to originalFuncAddress, the value hookEAT returned
BOOL unhookEAT(char libName[], char API_Name[], LPVOID originalFuncAddress);
--------------------------------------------------------------------------------
/Ring 3/EAT Hook/EAT Hook/main.cpp:
--------------------------------------------------------------------------------
#include "EAT.h"
#include <Windows.h>


typedef int (WINAPI* NewMessageBoxA)(
	_In_opt_ HWND hWnd,
	_In_opt_ LPCSTR lpText,
	_In_opt_ LPCSTR lpCaption,
	_In_ UINT uType);
NewMessageBoxA ReCall; // the real MessageBoxA, as returned by hookEAT


int WINAPI MessageBoxHooked(
	HWND hWnd,
	LPCSTR lpText,
	LPCSTR lpCaption,
	UINT uType) {

	return ReCall(hWnd, lpText, "Hooked By Almazari ...", uType);
}


BOOL WINAPI DllMain(HMODULE hModule, DWORD Call_Reason, LPVOID lpReserved) {

	switch (Call_Reason) {
	case DLL_PROCESS_ATTACH:
		// Runs on the injector's LoadLibraryA thread, under the loader lock; hookEAT only touches memory
		// and calls VirtualProtect, and user32 is already mapped in any process showing a message box
		ReCall = (NewMessageBoxA)hookEAT("User32", "MessageBoxA", MessageBoxHooked);
		return ReCall != NULL; // FALSE makes the loader unmap this DLL instead of leaving a half-installed hook

	case DLL_PROCESS_DETACH:
		// Put the original RVA back before this DLL's code goes away (lpReserved != NULL means process exit: nothing to undo)
		if (ReCall != NULL && lpReserved == NULL)
			unhookEAT("User32", "MessageBoxA", (LPVOID)ReCall);
		break;
	}

	return TRUE;
}
--------------------------------------------------------------------------------
/Ring 3/IAT Hook/IAT Hook.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "IAT Hook", "IAT Hook\IAT Hook.vcxproj", "{2A927A79-A3A8-4434-8E7B-16A389597745}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {2A927A79-A3A8-4434-8E7B-16A389597745}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {2A927A79-A3A8-4434-8E7B-16A389597745}.Debug|Win32.Build.0 = Debug|Win32
18 | {2A927A79-A3A8-4434-8E7B-16A389597745}.Debug|x64.ActiveCfg = Debug|x64
19 | {2A927A79-A3A8-4434-8E7B-16A389597745}.Debug|x64.Build.0 = Debug|x64
20 | {2A927A79-A3A8-4434-8E7B-16A389597745}.Release|Win32.ActiveCfg = Release|Win32
21 | {2A927A79-A3A8-4434-8E7B-16A389597745}.Release|Win32.Build.0 = Release|Win32
22 | {2A927A79-A3A8-4434-8E7B-16A389597745}.Release|x64.ActiveCfg = Release|x64
23 | {2A927A79-A3A8-4434-8E7B-16A389597745}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Ring 3/IAT Hook/IAT Hook.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/IAT Hook/IAT Hook.v12.suo
--------------------------------------------------------------------------------
/Ring 3/IAT Hook/IAT Hook/IAT Hook.vcxproj:
--------------------------------------------------------------------------------
(MSBuild project file; the XML markup was lost in extraction, leaving only element text. Recoverable settings, with element names restored from the standard VS2013 DLL template:)
ProjectConfigurations: Debug|Win32, Debug|x64, Release|Win32, Release|x64
ProjectGuid {2A927A79-A3A8-4434-8E7B-16A389597745}; Keyword Win32Proj; RootNamespace IATHook
All configurations: ConfigurationType DynamicLibrary; PlatformToolset v120; CharacterSet Unicode
Debug: UseDebugLibraries true; LinkIncremental true; ClCompile: WarningLevel Level3, Optimization Disabled, PreprocessorDefinitions WIN32;_DEBUG;_WINDOWS;_USRDLL;IATHOOK_EXPORTS;%(PreprocessorDefinitions); Link: SubSystem Windows, GenerateDebugInformation true
Release: WholeProgramOptimization true; LinkIncremental false; ClCompile: WarningLevel Level3, Optimization MaxSpeed, FunctionLevelLinking true, IntrinsicFunctions true, PreprocessorDefinitions WIN32;NDEBUG;_WINDOWS;_USRDLL;IATHOOK_EXPORTS;%(PreprocessorDefinitions), RuntimeLibrary MultiThreaded; Link: SubSystem Windows, GenerateDebugInformation true, EnableCOMDATFolding true, OptimizeReferences true
--------------------------------------------------------------------------------
/Ring 3/IAT Hook/IAT Hook/IAT Hook.vcxproj.filters:
--------------------------------------------------------------------------------
(Project filters file; XML markup lost in extraction. Recoverable content:)
Filters: Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx); Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hh;hpp;hxx;hm;inl;inc;xsd); Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} (rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms)
Items: two ClCompile entries and one ClInclude entry, all placed under Source Files (file names not recoverable from the extracted text)
--------------------------------------------------------------------------------
/Ring 3/IAT Hook/IAT Hook/IAT Hook.vcxproj.user:
--------------------------------------------------------------------------------
(Per-user settings file with no content beyond the XML root element, which was lost in extraction.)
--------------------------------------------------------------------------------
/Ring 3/IAT Hook/IAT Hook/IAT.cpp:
--------------------------------------------------------------------------------
#include "IAT.h"


/*
 * Redirect the main executable's import of libName!API_Name to newFun. Returns the address the IAT
 * slot held before the hook (0 if the import was not found).
 *
 * Only the main module's IAT is walked: calls made from other DLLs, and calls resolved at run time
 * with GetProcAddress (see TestApp EAT), never go through this table and are not affected. That gap
 * is what the EAT hook in this repository closes.
 */
DWORD_PTR hookIAT(char libName[], char API_Name[], LPVOID newFun) {
	DWORD_PTR imageBase = (DWORD_PTR)GetModuleHandleA(0);
	PIMAGE_DOS_HEADER dosHeaders = (PIMAGE_DOS_HEADER)imageBase;
	PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(imageBase + dosHeaders->e_lfanew);
	IMAGE_DATA_DIRECTORY importDataDir = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if (importDataDir.VirtualAddress == 0)
		return 0; // no import table at all
	PIMAGE_IMPORT_DESCRIPTOR importDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(imageBase + importDataDir.VirtualAddress);


	DWORD oldProtect;
	PIMAGE_IMPORT_BY_NAME functionName;
	PIMAGE_THUNK_DATA originalFirstThunk = NULL, firstThunk = NULL;
	/*
	 * On disk, FirstThunk and OriginalFirstThunk hold the same data.
	 * OriginalFirstThunk is the array of names (the Import Name Table): each IMAGE_THUNK_DATA's AddressOfData
	 * is the RVA of an IMAGE_IMPORT_BY_NAME holding the function name, or, with the high bit set, an ordinal.
	 * FirstThunk is the array of addresses (the Import Address Table): each IMAGE_THUNK_DATA's Function is
	 * the address of the imported function.
	 *
	 * When the executable is loaded, the loader walks OriginalFirstThunk, resolves every imported function,
	 * and writes the addresses into FirstThunk, which is what the program's call stubs read.
	 * So the hook replaces the resolved address in FirstThunk, not anything in OriginalFirstThunk.
	 */


	for (; importDescriptor->Name; importDescriptor++) {
		// Descriptor names carry the extension ("USER32.dll"); accept libName given with or without it
		const char *dllName = (const char*)(imageBase + importDescriptor->Name);
		size_t nameLen = strlen(libName);
		if (_strnicmp(libName, dllName, nameLen) != 0 || (dllName[nameLen] != '\0' && _stricmp(dllName + nameLen, ".dll") != 0))
			continue;
		if (importDescriptor->OriginalFirstThunk == 0)
			continue; // old linkers omit the name table; without it the names cannot be matched

		originalFirstThunk = (PIMAGE_THUNK_DATA)(imageBase + importDescriptor->OriginalFirstThunk);
		firstThunk = (PIMAGE_THUNK_DATA)(imageBase + importDescriptor->FirstThunk);

		for (; originalFirstThunk->u1.AddressOfData; originalFirstThunk++, firstThunk++) {
			// Imports by ordinal have the high bit set and no name record: AddressOfData is not an RVA there
			if (IMAGE_SNAP_BY_ORDINAL(originalFirstThunk->u1.Ordinal))
				continue;

			functionName = (PIMAGE_IMPORT_BY_NAME)(imageBase + originalFirstThunk->u1.AddressOfData);
			if (strcmp(functionName->Name, API_Name) != 0)
				continue;

			// Return what the slot actually held (loader-resolved, or an earlier hook) rather than a fresh GetProcAddress
			DWORD_PTR previous = firstThunk->u1.Function;
			if (!VirtualProtect((LPVOID)(&firstThunk->u1.Function), sizeof(DWORD_PTR), PAGE_READWRITE, &oldProtect))
				return 0;
			firstThunk->u1.Function = (DWORD_PTR)newFun;
			VirtualProtect((LPVOID)(&firstThunk->u1.Function), sizeof(DWORD_PTR), oldProtect, &oldProtect);

			return previous;
		}
	}


	return 0;
}


// Re-resolve the export through the loader and write that address back into the IAT slot
BOOL unhookIAT(char libName[], char API_Name[]) {
	return hookIAT(libName, API_Name, GetProcAddress(LoadLibraryA(libName), API_Name)) != 0;
}
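The import walk hookIAT performs (descriptor per DLL, OriginalFirstThunk for names, FirstThunk for resolved addresses), the by-ordinal entries it must skip, and the integrity check that catches an IAT hook, as an added example in portable C. This is not the repository's code: it lays out a synthetic 64-bit import table in a byte buffer with winnt.h-compatible layouts and a constructed module map (USER32_BASE, KERNEL32_BASE, MODULE_SIZE, all made up), so it runs anywhere without a real process. The check is the one a scanner applies: every IAT slot must point inside the module its descriptor names.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64-bit image: import descriptors at 0x100, DLL names at 0x300, OriginalFirstThunk
   arrays (names/ordinals) at 0x400 and 0x440, FirstThunk arrays (loader-resolved addresses) at
   0x500 and 0x540, IMAGE_IMPORT_BY_NAME records from 0x600. Bases and offsets are made up. */
#define IMG_SIZE        0x1000
#define IMPORT_DIR_RVA  0x100
#define ORDINAL_FLAG64  0x8000000000000000ull   /* IMAGE_ORDINAL_FLAG64: entry is an ordinal, not an RVA */
#define USER32_BASE     0x00007FF8A0000000ull
#define KERNEL32_BASE   0x00007FF8B0000000ull
#define MODULE_SIZE     0x100000ull

typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } import_desc_t;
typedef struct { const char *name; uint64_t base; } module_t;
static const module_t loaded_modules[] = { { "USER32.dll", USER32_BASE }, { "KERNEL32.dll", KERNEL32_BASE } };

static uint64_t storage[IMG_SIZE / 8];          /* 8-byte aligned backing store for the image */
uint8_t *image = (uint8_t *)storage;

/* "User32" or "user32.dll" matches the descriptor's "USER32.dll": case-insensitive, extension optional. */
static int dll_name_matches(const char *want, const char *have) {
    size_t n = strlen(want);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)want[i]) != tolower((unsigned char)have[i])) return 0;
    if (have[n] == '\0') return 1;
    return strlen(have + n) == 4 && have[n] == '.' && tolower((unsigned char)have[n + 1]) == 'd' &&
           tolower((unsigned char)have[n + 2]) == 'l' && tolower((unsigned char)have[n + 3]) == 'l';
}

static void put_name(uint8_t *img, uint32_t rva, const char *name) {
    strcpy((char *)img + rva + 2, name);         /* IMAGE_IMPORT_BY_NAME: uint16 Hint, then the name */
}

void build_image(uint8_t *img) {
    import_desc_t *d = (import_desc_t *)(img + IMPORT_DIR_RVA);
    uint64_t *oft, *ft;
    memset(img, 0, IMG_SIZE);                    /* the all-zero terminating descriptor comes for free */

    d[0].Name = 0x300; d[0].OriginalFirstThunk = 0x400; d[0].FirstThunk = 0x500;
    strcpy((char *)img + 0x300, "USER32.dll");
    oft = (uint64_t *)(img + 0x400); ft = (uint64_t *)(img + 0x500);
    oft[0] = 0x600; put_name(img, 0x600, "MessageBoxA"); ft[0] = USER32_BASE + 0x7AB0;
    oft[1] = ORDINAL_FLAG64 | 2000;              ft[1] = USER32_BASE + 0x1C40;   /* imported by ordinal */
    oft[2] = 0x620; put_name(img, 0x620, "GetDC");       ft[2] = USER32_BASE + 0x9F00;

    d[1].Name = 0x310; d[1].OriginalFirstThunk = 0x440; d[1].FirstThunk = 0x540;
    strcpy((char *)img + 0x310, "KERNEL32.dll");
    oft = (uint64_t *)(img + 0x440); ft = (uint64_t *)(img + 0x540);
    oft[0] = 0x640; put_name(img, 0x640, "LoadLibraryA"); ft[0] = KERNEL32_BASE + 0x2310;
}

/* FirstThunk slot for dll!name. By-ordinal entries are skipped: their AddressOfData is not an RVA,
   and dereferencing it the way an unguarded loop does reads garbage. NULL if not imported by name. */
uint64_t *iat_slot(uint8_t *img, const char *dll, const char *name) {
    for (import_desc_t *d = (import_desc_t *)(img + IMPORT_DIR_RVA); d->Name; d++) {
        if (!dll_name_matches(dll, (const char *)img + d->Name) || d->OriginalFirstThunk == 0) continue;
        uint64_t *oft = (uint64_t *)(img + d->OriginalFirstThunk), *ft = (uint64_t *)(img + d->FirstThunk);
        for (; *oft; oft++, ft++) {
            if (*oft & ORDINAL_FLAG64) continue;
            if (strcmp((const char *)img + (uint32_t)*oft + 2, name) == 0) return ft;
        }
    }
    return NULL;
}

/* IAT hook: overwrite the resolved address. Returns the previous value, 0 if not imported by name. */
uint64_t hook_import(uint8_t *img, const char *dll, const char *name, uint64_t new_addr) {
    uint64_t *slot = iat_slot(img, dll, name);
    if (!slot) return 0;
    uint64_t old = *slot;
    *slot = new_addr;
    return old;
}

/* Detection: each FirstThunk entry must lie inside the module its descriptor names.
   Returns the count of entries that do not; the first offender is written to `hit`. */
int check_iat(uint8_t *img, char *hit, size_t cap) {
    int bad = 0;
    if (cap) hit[0] = '\0';
    for (import_desc_t *d = (import_desc_t *)(img + IMPORT_DIR_RVA); d->Name; d++) {
        const char *dll = (const char *)img + d->Name;
        uint64_t lo = 0;
        for (size_t m = 0; m < sizeof loaded_modules / sizeof loaded_modules[0]; m++)
            if (dll_name_matches(loaded_modules[m].name, dll)) lo = loaded_modules[m].base;
        uint64_t *oft = (uint64_t *)(img + d->OriginalFirstThunk), *ft = (uint64_t *)(img + d->FirstThunk);
        for (; *oft; oft++, ft++) {
            if (*ft >= lo && *ft < lo + MODULE_SIZE) continue;
            if (bad++ == 0 && cap) {
                if (*oft & ORDINAL_FLAG64) snprintf(hit, cap, "%s!#%u", dll, (unsigned)(*oft & 0xFFFF));
                else snprintf(hit, cap, "%s!%s", dll, (const char *)img + (uint32_t)*oft + 2);
            }
        }
    }
    return bad;
}

int main(void) {
    char hit[64];
    build_image(image);
    hook_import(image, "User32", "MessageBoxA", 0x00007FF6C0001000ull);   /* address of a hook DLL's replacement */
    printf("IAT entries pointing outside their module: %d (%s)\n", check_iat(image, hit, sizeof hit), hit);
    return 0;
}
```

The check is deliberately coarse: a hook DLL mapped inside the named module's range, or a legitimate forwarder resolved into another system DLL (the loader writes the forwarded-to address, not one inside the named module), needs a real module list and export-forwarding awareness before this heuristic is fit for production use.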
--------------------------------------------------------------------------------
/Ring 3/IAT Hook/IAT Hook/IAT.h:
--------------------------------------------------------------------------------
#pragma once
#include <Windows.h>

// Redirects the main module's import libName!API_Name to newFun; returns the previous slot value (0 on failure)
DWORD_PTR hookIAT(char libName[], char API_Name[], LPVOID newFun);

// Re-resolves the export and writes it back into the IAT slot
BOOL unhookIAT(char libName[], char API_Name[]);
--------------------------------------------------------------------------------
/Ring 3/IAT Hook/IAT Hook/main.cpp:
--------------------------------------------------------------------------------
#include "IAT.h"
#include <Windows.h>


typedef int (WINAPI* NewMessageBoxA)(
	_In_opt_ HWND hWnd,
	_In_opt_ LPCSTR lpText,
	_In_opt_ LPCSTR lpCaption,
	_In_ UINT uType);
NewMessageBoxA ReCall; // the address the IAT slot held before the hook, i.e. the real MessageBoxA


int WINAPI MessageBoxHooked(
	HWND hWnd,
	LPCSTR lpText,
	LPCSTR lpCaption,
	UINT uType) {

	return ReCall(hWnd, lpText, "Hooked By Almazari ...", uType);
}


BOOL WINAPI DllMain(HMODULE hModule, DWORD Call_Reason, LPVOID lpReserved) {

	switch (Call_Reason) {
	case DLL_PROCESS_ATTACH:
		ReCall = (NewMessageBoxA)hookIAT("User32", "MessageBoxA", MessageBoxHooked);
		return ReCall != NULL; // the target does not import MessageBoxA by name: unload instead of staying resident for nothing

	case DLL_PROCESS_DETACH:
		// Restore the IAT slot before this DLL's code is unmapped (lpReserved != NULL means process exit: nothing to undo)
		if (ReCall != NULL && lpReserved == NULL)
			unhookIAT("User32", "MessageBoxA");
		break;
	}

	return TRUE;
}
--------------------------------------------------------------------------------
/Ring 3/Injector/Injector.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Injector", "Injector\Injector.vcxproj", "{AEE9A1C5-7022-4ED5-BA58-B0154922968E}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {AEE9A1C5-7022-4ED5-BA58-B0154922968E}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {AEE9A1C5-7022-4ED5-BA58-B0154922968E}.Debug|Win32.Build.0 = Debug|Win32
18 | {AEE9A1C5-7022-4ED5-BA58-B0154922968E}.Debug|x64.ActiveCfg = Debug|x64
19 | {AEE9A1C5-7022-4ED5-BA58-B0154922968E}.Debug|x64.Build.0 = Debug|x64
20 | {AEE9A1C5-7022-4ED5-BA58-B0154922968E}.Release|Win32.ActiveCfg = Release|Win32
21 | {AEE9A1C5-7022-4ED5-BA58-B0154922968E}.Release|Win32.Build.0 = Release|Win32
22 | {AEE9A1C5-7022-4ED5-BA58-B0154922968E}.Release|x64.ActiveCfg = Release|x64
23 | {AEE9A1C5-7022-4ED5-BA58-B0154922968E}.Release|x64.Build.0 = Release|x64
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | EndGlobal
29 |
--------------------------------------------------------------------------------
/Ring 3/Injector/Injector.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/Injector/Injector.v12.suo
--------------------------------------------------------------------------------
/Ring 3/Injector/Injector/Injector.vcxproj:
--------------------------------------------------------------------------------
(MSBuild project file; the XML markup was lost in extraction, leaving only element text. Recoverable settings, with element names restored from the standard VS2013 console template:)
ProjectConfigurations: Debug|Win32, Debug|x64, Release|Win32, Release|x64
ProjectGuid {AEE9A1C5-7022-4ED5-BA58-B0154922968E}; Keyword Win32Proj; RootNamespace Injector
All configurations: ConfigurationType Application; PlatformToolset v120; CharacterSet Unicode
Debug: UseDebugLibraries true; LinkIncremental true; ClCompile: WarningLevel Level3, Optimization Disabled, PreprocessorDefinitions WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions), RuntimeLibrary MultiThreaded; Link: SubSystem Console, GenerateDebugInformation true
Release: WholeProgramOptimization true; LinkIncremental false; ClCompile: WarningLevel Level3, Optimization MaxSpeed, FunctionLevelLinking true, IntrinsicFunctions true, PreprocessorDefinitions WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions), RuntimeLibrary MultiThreaded; Link: SubSystem Console, GenerateDebugInformation true, EnableCOMDATFolding true, OptimizeReferences true
--------------------------------------------------------------------------------
/Ring 3/Injector/Injector/Injector.vcxproj.filters:
--------------------------------------------------------------------------------
(Project filters file; XML markup lost in extraction. Recoverable content:)
Filters: Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx); Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hh;hpp;hxx;hm;inl;inc;xsd); Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} (rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms)
Items: one ClCompile entry under Source Files (file name not recoverable from the extracted text)
--------------------------------------------------------------------------------
/Ring 3/Injector/Injector/main.cpp:
--------------------------------------------------------------------------------
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <string>
#include <cstring>
using namespace std;


// PID of the first process whose image name matches procName (case-insensitive), or 0 if there is none
DWORD getProcessIdByName(LPCSTR procName) {
	WCHAR wanted[MAX_PATH];
	if (MultiByteToWideChar(CP_ACP, 0, procName, -1, wanted, MAX_PATH) == 0) // the project builds with UNICODE, so szExeFile is wide
		return 0;

	DWORD procID = 0;
	PROCESSENTRY32W entry = { 0 };
	entry.dwSize = sizeof(entry);
	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (snapshot == INVALID_HANDLE_VALUE)
		return 0;

	if (Process32FirstW(snapshot, &entry)) { // Process32First must precede Process32Next
		do {
			if (_wcsicmp(entry.szExeFile, wanted) == 0) {
				procID = entry.th32ProcessID;
				break;
			}
		} while (Process32NextW(snapshot, &entry));
	}

	CloseHandle(snapshot); // always, found or not
	return procID;
}


int main() {
	char libPath[MAX_PATH];
	string processName;
	string libName;

	while (1) {
		cout << "Enter Process Name : ";
		getline(cin, processName);

		cout << "Enter Dll File Name : ";
		getline(cin, libName);

		// The target's LoadLibraryA receives this string, so it must be an absolute path: the target's working directory is not ours
		DWORD pathLen = GetFullPathNameA(libName.c_str(), MAX_PATH, libPath, nullptr);
		DWORD pid = getProcessIdByName(processName.c_str());
		if (pathLen == 0 || pathLen >= MAX_PATH || pid == 0) {
			cout << "Process or DLL path not found.\n";
			system("pause");
			continue;
		}

		// Only the rights VirtualAllocEx, WriteProcessMemory and CreateRemoteThread need, rather than PROCESS_ALL_ACCESS
		HANDLE hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, pid);
		HANDLE threadHandle = NULL;
		LPVOID hookLib = NULL;
		if (hProc != NULL) {
			// The buffer only holds a path string: PAGE_READWRITE, not PAGE_EXECUTE_READWRITE
			hookLib = VirtualAllocEx(hProc, NULL, pathLen + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
			if (hookLib != NULL && WriteProcessMemory(hProc, hookLib, libPath, pathLen + 1, NULL)) {
				// kernel32 is mapped at the same base in every process of the same bitness, so our LoadLibraryA
				// address is valid in the target. Injector and target must therefore both be x86 or both be x64.
				threadHandle = CreateRemoteThread(
					hProc,
					NULL,
					0,
					(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryA"),
					hookLib,
					0,
					NULL
				);
			}
		}

		if (threadHandle == NULL) {
			cout << "Injection Failed. Error " << GetLastError() << "\n";
		} else {
			// Wait for LoadLibraryA to return (DllMain, and so the hook, has run by then) before freeing the path buffer
			WaitForSingleObject(threadHandle, INFINITE);
			DWORD loadResult = 0;
			GetExitCodeThread(threadHandle, &loadResult); // LoadLibraryA's HMODULE truncated to 32 bits; 0 means the load failed
			CloseHandle(threadHandle);
			cout << (loadResult != 0 ? "Injected Successfully.\n" : "DLL failed to load in the target.\n");
		}

		if (hookLib != NULL)
			VirtualFreeEx(hProc, hookLib, 0, MEM_RELEASE);
		if (hProc != NULL)
			CloseHandle(hProc);

		system("pause");
	}
}
--------------------------------------------------------------------------------
/Ring 3/TestApp EAT/TestApp.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestApp", "TestApp\TestApp.vcxproj", "{6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release x64|Win32 = Release x64|Win32
13 | Release x64|x64 = Release x64|x64
14 | Release x86|Win32 = Release x86|Win32
15 | Release x86|x64 = Release x86|x64
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Debug|Win32.ActiveCfg = Debug|Win32
19 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Debug|Win32.Build.0 = Debug|Win32
20 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Debug|x64.ActiveCfg = Debug|x64
21 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Debug|x64.Build.0 = Debug|x64
22 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x64|Win32.ActiveCfg = TestApp x64|Win32
23 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x64|Win32.Build.0 = TestApp x64|Win32
24 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x64|x64.ActiveCfg = TestApp x64|x64
25 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x64|x64.Build.0 = TestApp x64|x64
26 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86|Win32.ActiveCfg = Release|Win32
27 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86|Win32.Build.0 = Release|Win32
28 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86|x64.ActiveCfg = Release|x64
29 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86|x64.Build.0 = Release|x64
30 | EndGlobalSection
31 | GlobalSection(SolutionProperties) = preSolution
32 | HideSolutionNode = FALSE
33 | EndGlobalSection
34 | EndGlobal
35 |
--------------------------------------------------------------------------------
/Ring 3/TestApp EAT/TestApp.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/TestApp EAT/TestApp.v12.suo
--------------------------------------------------------------------------------
/Ring 3/TestApp EAT/TestApp/TestApp.vcxproj:
--------------------------------------------------------------------------------
(MSBuild project file; the XML markup was lost in extraction, leaving only element text. Recoverable settings, with element names restored from the standard VS2013 console template where the mapping is unambiguous:)
ProjectConfigurations: Debug, Release x86 OptOff, Release, TestApp x64, each for Win32 and x64
ProjectGuid {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}; Keyword Win32Proj; RootNamespace TestApp
Standard configurations: ConfigurationType Application; PlatformToolset v120; CharacterSet Unicode; Debug UseDebugLibraries true, Release WholeProgramOptimization true; four further property groups carry only PlatformToolset v120; LinkIncremental true (Debug) / false (Release)
Debug ClCompile: WarningLevel Level3, Optimization Disabled, PreprocessorDefinitions WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions), SDLCheck true; Link: SubSystem Console, GenerateDebugInformation true
Release|Win32 ClCompile: WarningLevel Level3, Optimization MaxSpeed, FunctionLevelLinking true, IntrinsicFunctions true, PreprocessorDefinitions WIN32;_CRT_SECURE_NO_WARNINGS ;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) (the _CRT_SECURE_NO_WARNINGS define silences the strcpy warnings in main.cpp), SDLCheck true, RuntimeLibrary MultiThreaded; Link: SubSystem Console, GenerateDebugInformation true, EnableCOMDATFolding true, OptimizeReferences true
Release|x64 ClCompile: as Release|Win32 but PreprocessorDefinitions WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) and no RuntimeLibrary override
Further per-configuration overrides (which of the extra configurations each belongs to is not recoverable): RuntimeLibrary MultiThreadedDLL; Optimization Disabled together with RuntimeLibrary MultiThreaded (the "OptOff" build)
--------------------------------------------------------------------------------
/Ring 3/TestApp EAT/TestApp/TestApp.vcxproj.filters:
--------------------------------------------------------------------------------
(Project filters file; XML markup lost in extraction. Recoverable content:)
Filters: Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx); Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hh;hpp;hxx;hm;inl;inc;xsd); Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} (rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms)
Items: one ClCompile entry under Source Files (file name not recoverable from the extracted text)
--------------------------------------------------------------------------------
/Ring 3/TestApp EAT/TestApp/TestApp.vcxproj.user:
--------------------------------------------------------------------------------
(Per-user settings file with no content beyond the XML root element, which was lost in extraction.)
--------------------------------------------------------------------------------
/Ring 3/TestApp EAT/TestApp/main.cpp:
--------------------------------------------------------------------------------
#include <Windows.h>
#include <cstdio>

typedef int (WINAPI* NewMessageBoxA)(
	_In_opt_ HWND hWnd,
	_In_opt_ LPCSTR lpText,
	_In_opt_ LPCSTR lpCaption,
	_In_ UINT uType);
NewMessageBoxA ReCall;

/*
 * IMPORTANT: Switch bit version before compiling and testing ...
 * (the injected hook DLL must be built for the same bitness as this process)
 */

int main() {

	char title[100] = {0};
	sprintf_s(title, "Hook Challenge ... %lu", GetCurrentProcessId()); // PID in the title so the process can be found for injection

	while (1) {
		// Resolve MessageBoxA through user32's export table on every iteration, so an EAT hook installed
		// after start-up takes effect on the next call. An IAT hook cannot catch this path: the address
		// never goes through this executable's import table.
		ReCall = (NewMessageBoxA)GetProcAddress(LoadLibraryA("User32"), "MessageBoxA");
		ReCall(0, "Can you change this message?!", title, 0);
	}

	return 0;
}
--------------------------------------------------------------------------------
/Ring 3/TestApp/TestApp.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestApp", "TestApp\TestApp.vcxproj", "{6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release x64|Win32 = Release x64|Win32
13 | Release x64|x64 = Release x64|x64
14 | Release x86 OptOff|Win32 = Release x86 OptOff|Win32
15 | Release x86 OptOff|x64 = Release x86 OptOff|x64
16 | Release x86|Win32 = Release x86|Win32
17 | Release x86|x64 = Release x86|x64
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Debug|Win32.ActiveCfg = Debug|Win32
21 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Debug|Win32.Build.0 = Debug|Win32
22 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Debug|x64.ActiveCfg = Debug|x64
23 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Debug|x64.Build.0 = Debug|x64
24 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x64|Win32.ActiveCfg = TestApp x64|Win32
25 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x64|Win32.Build.0 = TestApp x64|Win32
26 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x64|x64.ActiveCfg = TestApp x64|x64
27 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x64|x64.Build.0 = TestApp x64|x64
28 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86 OptOff|Win32.ActiveCfg = Release x86 OptOff|Win32
29 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86 OptOff|Win32.Build.0 = Release x86 OptOff|Win32
30 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86 OptOff|x64.ActiveCfg = Release x86 OptOff|x64
31 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86 OptOff|x64.Build.0 = Release x86 OptOff|x64
32 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86|Win32.ActiveCfg = Release|Win32
33 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86|Win32.Build.0 = Release|Win32
34 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86|x64.ActiveCfg = Release|x64
35 | {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}.Release x86|x64.Build.0 = Release|x64
36 | EndGlobalSection
37 | GlobalSection(SolutionProperties) = preSolution
38 | HideSolutionNode = FALSE
39 | EndGlobalSection
40 | EndGlobal
41 |
--------------------------------------------------------------------------------
/Ring 3/TestApp/TestApp.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/TestApp/TestApp.v12.suo
--------------------------------------------------------------------------------
/Ring 3/TestApp/TestApp/TestApp.vcxproj:
--------------------------------------------------------------------------------
(MSBuild project file; the XML markup was lost in extraction, leaving only element text. Recoverable settings, with element names restored from the standard VS2013 console template where the mapping is unambiguous:)
ProjectConfigurations: Debug, Release x86 OptOff, Release, TestApp x64, each for Win32 and x64
ProjectGuid {6F8C8F2C-57CD-4AC1-A25B-3F57D8B27859}; Keyword Win32Proj; RootNamespace TestApp
Standard configurations: ConfigurationType Application; PlatformToolset v120; CharacterSet Unicode; Debug UseDebugLibraries true, Release WholeProgramOptimization true; four further property groups carry only PlatformToolset v120; LinkIncremental true (Debug) / false (Release)
Debug ClCompile: WarningLevel Level3, Optimization Disabled, PreprocessorDefinitions WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions), SDLCheck true; Link: SubSystem Console, GenerateDebugInformation true
Release|Win32 ClCompile: WarningLevel Level3, Optimization MaxSpeed, FunctionLevelLinking true, IntrinsicFunctions true, PreprocessorDefinitions WIN32;_CRT_SECURE_NO_WARNINGS ;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) (the _CRT_SECURE_NO_WARNINGS define silences the strcpy warnings in main.cpp), SDLCheck true, RuntimeLibrary MultiThreaded; Link: SubSystem Console, GenerateDebugInformation true, EnableCOMDATFolding true, OptimizeReferences true
Release|x64 ClCompile: as Release|Win32 but PreprocessorDefinitions WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) and no RuntimeLibrary override
Further per-configuration overrides (which of the extra configurations each belongs to is not recoverable): RuntimeLibrary MultiThreadedDLL; Optimization Disabled together with RuntimeLibrary MultiThreaded (the "OptOff" build)
--------------------------------------------------------------------------------
/Ring 3/TestApp/TestApp/TestApp.vcxproj.filters:
--------------------------------------------------------------------------------
(Visual Studio filter file; the XML tags were lost in extraction. It declares the standard Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx), Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hh;hpp;hxx;hm;inl;inc;xsd) and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} (rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms) filters, with one project item placed under Source Files.)
--------------------------------------------------------------------------------
/Ring 3/TestApp/TestApp/TestApp.vcxproj.user:
--------------------------------------------------------------------------------
(Empty per-user settings file: only the XML wrapper, whose tags were lost in extraction; no element values survived.)
--------------------------------------------------------------------------------
/Ring 3/TestApp/TestApp/main.cpp:
--------------------------------------------------------------------------------
#include <Windows.h>   // MessageBoxA, GetCurrentProcessId (header names restored; the angle-bracket includes were lost in extraction)
#include <string>      // std::to_string
#include <cstring>     // strcpy, strlen
using namespace std;

/*
 * IMPORTANT: Switch bit version before compiling and testing ...
 */

int main() {

    // The window title carries the PID so the process is easy to pick as an injection target
    char title[100] = {0};
    strcpy(title, "Hook Challenge ... ");
    strcpy(title + strlen(title), to_string(GetCurrentProcessId()).c_str());

    // Loop forever: a hook installed later (by DLL injection) shows up on the next MessageBoxA call
    while (1) {
        MessageBoxA(0, "Can you change this message?!", title, 0);
    }

    return 0;
}
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Trampoline Hook x64", "Trampoline Hook x64\Trampoline Hook x64.vcxproj", "{1E82292C-B3E8-462B-AAB6-1ACC028778BE}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {1E82292C-B3E8-462B-AAB6-1ACC028778BE}.Debug|x64.ActiveCfg = Debug|x64
15 | {1E82292C-B3E8-462B-AAB6-1ACC028778BE}.Debug|x64.Build.0 = Debug|x64
16 | {1E82292C-B3E8-462B-AAB6-1ACC028778BE}.Release|x64.ActiveCfg = Release|x64
17 | {1E82292C-B3E8-462B-AAB6-1ACC028778BE}.Release|x64.Build.0 = Release|x64
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/Trampoline Hook x64/Trampoline Hook x64.v12.suo
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64/LDE64x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/Trampoline Hook x64/Trampoline Hook x64/LDE64x64.lib
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64/Trampoline Hook x64.vcxproj:
--------------------------------------------------------------------------------
(MSBuild project file. The XML element tags were lost in extraction and only element values survived; the settings recoverable from those values are:)
  ProjectConfiguration items: Debug and Release, each for the Win32 and x64 platforms
  ProjectGuid {1E82292C-B3E8-462B-AAB6-1ACC028778BE}, Keyword Win32Proj, RootNamespace TrampolineHookx64
  All configurations: ConfigurationType DynamicLibrary, PlatformToolset v120 (Visual Studio 2013), CharacterSet Unicode; Release adds WholeProgramOptimization true
  Debug|Win32 and Debug|x64: WarningLevel Level3, Optimization Disabled, PreprocessorDefinitions WIN32;_DEBUG;_WINDOWS;_USRDLL;TRAMPOLINEHOOKX64_EXPORTS;%(PreprocessorDefinitions), RuntimeLibrary MultiThreaded, SubSystem Windows, GenerateDebugInformation true
  Release|Win32 and Release|x64: WarningLevel Level3, Optimization MaxSpeed, FunctionLevelLinking true, IntrinsicFunctions true, PreprocessorDefinitions WIN32;NDEBUG;_WINDOWS;_USRDLL;TRAMPOLINEHOOKX64_EXPORTS;%(PreprocessorDefinitions), SubSystem Windows, GenerateDebugInformation, EnableCOMDATFolding and OptimizeReferences true; Release|x64 also sets RuntimeLibrary MultiThreaded
  RuntimeLibrary MultiThreaded is the static CRT, so the injected DLL does not depend on the VC120 runtime DLLs being loadable in the target process.
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64/Trampoline Hook x64.vcxproj.filters:
--------------------------------------------------------------------------------
(Visual Studio filter file; the XML tags were lost in extraction. It declares the standard Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx), Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hh;hpp;hxx;hm;inl;inc;xsd) and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} (rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms) filters, with three project items placed under Source Files.)
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64/Trampoline Hook x64.vcxproj.user:
--------------------------------------------------------------------------------
(Empty per-user settings file: only the XML wrapper, whose tags were lost in extraction; no element values survived.)
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64/Trampoline_X64.cpp:
--------------------------------------------------------------------------------
#include "Trampoline_X64.h"


// Shared scratch buffers for the instruction bytes written below (MOV is patched in place, so the
// hook routine is not reentrant).
BYTE PUSH_RAX[1] = { 0x50 };                                               // __asm { PUSH rax }
BYTE POP_RAX[1] = { 0x58 };                                                // __asm { POP rax }
BYTE MOV[10] = { 0x48, 0xB8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 };     // __asm { MOV rax, Address_8Bytes }
BYTE JMP_RAX[2] = { 0xFF, 0xE0 };                                          // __asm { JMP rax }


/*
 * Layout after hooking:
 *   orgFun:              MOV rax, newFun ; JMP rax ; <leftover bytes> ; POP rax
 *   newBuff (returned):  <original instructions> ; PUSH rax ; MOV rax, orgFun+bytesLen-1 ; JMP rax
 * The hook reaches the original by calling newBuff: the displaced instructions run, rax is saved,
 * control lands on the POP rax at the end of the patched region, and execution continues with the
 * first untouched instruction. Limitation (unchanged from the original design): the displaced
 * instructions are copied, not relocated, so a prologue with RIP-relative or branch instructions breaks.
 */
DWORD64 hookTrampolineX64(char libName[], char API_Name[], LPVOID newFun) {
    DWORD64 orgFun;
    DWORD oldProtect;
    DWORD bytesLen;
    BYTE* overWritten;
    DWORD64 newBuff;

    orgFun = (DWORD64)GetProcAddress(GetModuleHandleA(libName), API_Name);
    if (orgFun == NULL)
        return 0;

    // Prepare JMP instruction (MOV rax, newFun)
    memcpy(&MOV[2], &newFun, 8);

    // Store the original instructions: whole instructions covering at least MOV + JMP + POP (13 bytes)
    bytesLen = instructionsLength(orgFun, sizeof(MOV) + sizeof(JMP_RAX) + sizeof(POP_RAX));
    overWritten = new BYTE[bytesLen];
    memcpy(overWritten, (LPVOID)orgFun, bytesLen);

    // Allocate the trampoline buffer before touching the target, so a failure leaves the function intact
    newBuff = (DWORD64)VirtualAlloc(NULL, bytesLen + sizeof(PUSH_RAX) + sizeof(MOV) + sizeof(JMP_RAX), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (newBuff == NULL) {
        delete[] overWritten;
        return 0;
    }

    // Hook the original function (MOV RAX, JMP RAX, POP RAX) after changing memory protection
    if (!VirtualProtect((LPVOID)orgFun, bytesLen, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        VirtualFree((LPVOID)newBuff, 0, MEM_RELEASE);
        delete[] overWritten;
        return 0;
    }
    memcpy((LPVOID)orgFun, MOV, sizeof(MOV));
    memcpy((LPVOID)(orgFun + sizeof(MOV)), JMP_RAX, sizeof(JMP_RAX));
    memcpy((LPVOID)(orgFun + bytesLen - sizeof(POP_RAX)), POP_RAX, sizeof(POP_RAX));
    VirtualProtect((LPVOID)orgFun, bytesLen, oldProtect, &oldProtect);
    FlushInstructionCache(GetCurrentProcess(), (LPVOID)orgFun, bytesLen);

    // Prepare JMP instruction (MOV rax, address of the POP rax at the end of the patched region)
    orgFun += bytesLen - sizeof(POP_RAX);
    memcpy(&MOV[2], &orgFun, 8);

    // Prepare the new function and write (originalInstructions, PUSH RAX, MOV RAX, JMP RAX)
    memcpy((LPVOID)newBuff, overWritten, bytesLen);
    memcpy((LPVOID)(newBuff + bytesLen), PUSH_RAX, sizeof(PUSH_RAX));
    memcpy((LPVOID)(newBuff + bytesLen + sizeof(PUSH_RAX)), MOV, sizeof(MOV));
    memcpy((LPVOID)(newBuff + bytesLen + sizeof(PUSH_RAX) + sizeof(MOV)), JMP_RAX, sizeof(JMP_RAX));

    delete[] overWritten;   // the saved bytes now live in newBuff
    return newBuff;
}


/*
 * Returns the length in bytes of the whole instructions starting at address that together cover
 * at least minimumLength bytes (never splits an instruction).
 */
DWORD instructionsLength(DWORD64 address, unsigned int minimumLength) {
    DWORD num = 0;

    while (num < minimumLength) {
        // LDE64 takes the decode mode as its second argument (0 = x86, 64 = x64). The original passed 0
        // here, which mis-sizes x64 instructions whose length depends on REX.W, e.g. the 10-byte MOV rax, imm64.
        num += LDE(address + num, 64);
    }

    return num;
}
65 |
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64/Trampoline_X64.h:
--------------------------------------------------------------------------------
#include <Windows.h>   // restored; the angle-bracket include was lost in extraction

#pragma comment(lib, "LDE64x64")
// Length disassembler engine (LDE64, linked from LDE64x64.lib): returns the byte length of the instruction at lpData
extern "C" DWORD __stdcall LDE(const DWORD64 lpData, unsigned int ProcType);

// Length of the whole instructions at address that cover at least minimumLength bytes
DWORD instructionsLength(DWORD64 address, unsigned int minimumLength);

// Redirects libName!API_Name to newFun; returns the trampoline address used to call the original, or 0 on failure
DWORD64 hookTrampolineX64(char libName[], char API_Name[], LPVOID newFun);
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x64/Trampoline Hook x64/main.cpp:
--------------------------------------------------------------------------------
#include "Trampoline_X64.h"
#include <Windows.h>   // restored; the header name of this angle-bracket include was lost in extraction

typedef int (WINAPI* NewMessageBoxA)(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType);

// Trampoline returned by hookTrampolineX64: runs the displaced prologue, then continues in the original MessageBoxA
NewMessageBoxA ReCall;


// Replacement: keeps the caller's text and flags, swaps the caption, and calls through the trampoline
int WINAPI MessageBoxHooked(
    HWND hWnd,
    LPCSTR lpText,
    LPCSTR lpCaption,
    UINT uType) {

    return ReCall(hWnd, lpText, "Hooked By Almazari ...", uType);
}


BOOL WINAPI DllMain(HMODULE hModule, DWORD Call_Reason, LPVOID lpReserved) {

    switch (Call_Reason) {
    case DLL_PROCESS_ATTACH:
        // Install the hook as soon as the injected DLL is loaded; a zero result means the hook was not installed
        ReCall = (NewMessageBoxA)hookTrampolineX64("user32", "MessageBoxA", MessageBoxHooked);
        break;
    }

    return TRUE;
}
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x86/Trampoline Hook x86.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2013
4 | VisualStudioVersion = 12.0.31101.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Trampoline Hook x86", "Trampoline Hook x86\Trampoline Hook x86.vcxproj", "{90D11C93-4928-478E-AA41-A936B3477B9F}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Release|Win32 = Release|Win32
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {90D11C93-4928-478E-AA41-A936B3477B9F}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {90D11C93-4928-478E-AA41-A936B3477B9F}.Debug|Win32.Build.0 = Debug|Win32
16 | {90D11C93-4928-478E-AA41-A936B3477B9F}.Release|Win32.ActiveCfg = Release|Win32
17 | {90D11C93-4928-478E-AA41-A936B3477B9F}.Release|Win32.Build.0 = Release|Win32
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x86/Trampoline Hook x86.v12.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/Trampoline Hook x86/Trampoline Hook x86.v12.suo
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x86/Trampoline Hook x86/LDE64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/Trampoline Hook x86/Trampoline Hook x86/LDE64.lib
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x86/Trampoline Hook x86/Trampoline Hook x86.vcxproj:
--------------------------------------------------------------------------------
(MSBuild project file. The XML element tags were lost in extraction and only element values survived; the settings recoverable from those values are:)
  ProjectConfiguration items: Debug|Win32 and Release|Win32
  ProjectGuid {90D11C93-4928-478E-AA41-A936B3477B9F}, Keyword Win32Proj, RootNamespace TrampolineHookx86
  Both configurations: ConfigurationType DynamicLibrary, PlatformToolset v120 (Visual Studio 2013), CharacterSet Unicode; Release adds WholeProgramOptimization true
  Debug|Win32: WarningLevel Level3, Optimization Disabled, PreprocessorDefinitions WIN32;_DEBUG;_WINDOWS;_USRDLL;TRAMPOLINEHOOKX86_EXPORTS;%(PreprocessorDefinitions), SubSystem Windows, GenerateDebugInformation true
  Release|Win32: WarningLevel Level3, Optimization MaxSpeed, FunctionLevelLinking true, IntrinsicFunctions true, PreprocessorDefinitions WIN32;NDEBUG;_WINDOWS;_USRDLL;TRAMPOLINEHOOKX86_EXPORTS;%(PreprocessorDefinitions), RuntimeLibrary MultiThreaded (static CRT), SubSystem Windows, GenerateDebugInformation, EnableCOMDATFolding and OptimizeReferences true, followed by one further linker setting whose value is false (its element name did not survive)
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x86/Trampoline Hook x86/Trampoline Hook x86.vcxproj.filters:
--------------------------------------------------------------------------------
(Visual Studio filter file; the XML tags were lost in extraction. It declares the standard Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx), Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hh;hpp;hxx;hm;inl;inc;xsd) and Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} (rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms) filters, with three project items placed under Source Files.)
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x86/Trampoline Hook x86/Trampoline_X86.cpp:
--------------------------------------------------------------------------------
#include "Trampoline_X86.h"

BYTE JMP[5] = { 0xE9, 0x0, 0x0, 0x0, 0x0 };   // __asm { JMP Address_4Bytes } (E9 rel32; displacement is relative to the end of the instruction)
#define BuffSize sizeof(JMP)

/*
 * Layout after hooking:
 *   orgFun:              JMP newFun ; <leftover bytes of the displaced instructions>
 *   newBuff (returned):  <original instructions> ; JMP orgFun+instLen
 * Limitation (unchanged from the original design): the displaced instructions are copied, not
 * relocated, so a prologue containing relative branches breaks. The usual hot-patchable prologue
 * (mov edi,edi; push ebp; mov ebp,esp) copies safely.
 */
DWORD hookTrampolineX86(char libName[], char API_Name[], LPVOID newFun) {
    DWORD orgFun;
    DWORD JMP_GAP;
    DWORD oldProtect;
    DWORD instLen;
    BYTE* overWritten;
    DWORD newBuff;

    orgFun = (DWORD)GetProcAddress(GetModuleHandleA(libName), API_Name);
    if (orgFun == NULL)
        return 0;

    // rel32 = target - (address of the JMP + 5)
    JMP_GAP = (DWORD)newFun - orgFun - BuffSize;
    memcpy(&JMP[1], &JMP_GAP, 4);

    // Save whole instructions covering at least the 5 bytes the JMP overwrites
    instLen = instructionsLength(orgFun, BuffSize);
    overWritten = new BYTE[instLen];
    memcpy(overWritten, (LPVOID)orgFun, instLen);

    // Allocate the trampoline first, so a failure leaves the target untouched
    newBuff = (DWORD)VirtualAlloc(NULL, instLen + BuffSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (newBuff == NULL) {
        delete[] overWritten;
        return 0;
    }

    // Overwrite the entry point with JMP newFun after changing memory protection
    if (!VirtualProtect((LPVOID)orgFun, BuffSize, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        VirtualFree((LPVOID)newBuff, 0, MEM_RELEASE);
        delete[] overWritten;
        return 0;
    }
    memcpy((LPVOID)orgFun, JMP, BuffSize);
    VirtualProtect((LPVOID)orgFun, BuffSize, oldProtect, &oldProtect);
    FlushInstructionCache(GetCurrentProcess(), (LPVOID)orgFun, BuffSize);

    // Trampoline: the original instructions, then JMP back to the first untouched instruction
    JMP_GAP = (orgFun + instLen) - (newBuff + instLen) - BuffSize;
    memcpy(&JMP[1], &JMP_GAP, 4);
    memcpy((LPVOID)newBuff, overWritten, instLen);
    memcpy((LPVOID)(newBuff + instLen), JMP, BuffSize);

    delete[] overWritten;   // the saved bytes now live in newBuff
    return newBuff;
}


/*
 * Returns the length in bytes of the whole instructions starting at address that together cover
 * at least minimumLength bytes (never splits an instruction).
 */
DWORD instructionsLength(DWORD address, unsigned int minimumLength) {
    DWORD num = 0;

    while (num < minimumLength) {
        num += LDE(address + num, 0);   // LDE64 ProcType 0 = decode as x86
    }

    return num;
}
50 |
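Both trampoline hooks above rewrite an export's first bytes with a fixed pattern (x86: E9 rel32; x64: 48 B8 imm64 followed by FF E0), which is exactly what a defender looks for when checking a process for inline hooks. The following is an added example, not code from the lcsig/API-Hooking repository: it decodes those two entry-point patterns from a byte buffer, recovers the redirect target with the same rel32 arithmetic as JMP_GAP in hookTrampolineX86, and compares the in-memory bytes against a clean reference copy (for instance the same bytes read from the module on disk). The prologues and addresses are constructed samples, not taken from any real process, and the names HookFinding, inspectPrologue, rel32For and firstDifference are this example's own.

```cpp
// Added example, not part of the lcsig/API-Hooking repository. Pure byte-buffer
// logic with no Windows headers, so it compiles and runs anywhere.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// What was found at a function's entry point.
struct HookFinding {
    enum Kind { None, X86RelJmp, X64MovRaxJmpRax };
    Kind kind = None;
    uint64_t target = 0;       // absolute address control is redirected to
    size_t patchedBytes = 0;   // bytes of the entry point the pattern occupies
};

// rel32 for a 5-byte E9 JMP located at jmpAddr that must reach target.
// Same arithmetic as JMP_GAP in hookTrampolineX86 (wraps modulo 2^32).
uint32_t rel32For(uint32_t jmpAddr, uint32_t target) {
    return target - jmpAddr - 5u;
}

// Decode the first bytes of a function whose entry point is at `base`.
HookFinding inspectPrologue(const uint8_t* code, size_t len, uint64_t base) {
    HookFinding f;
    // x64 pattern: MOV rax, imm64 (48 B8 + 8 bytes) then JMP rax (FF E0).
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) {
        uint64_t imm = 0;
        std::memcpy(&imm, code + 2, sizeof imm);   // little-endian immediate
        f.kind = HookFinding::X64MovRaxJmpRax;
        f.target = imm;
        f.patchedBytes = 12;
    }
    // x86 pattern: JMP rel32 (E9 + 4 bytes); the displacement is relative to
    // the end of the 5-byte instruction, so this undoes exactly what rel32For did.
    else if (len >= 5 && code[0] == 0xE9) {
        int32_t rel = 0;
        std::memcpy(&rel, code + 1, sizeof rel);
        f.kind = HookFinding::X86RelJmp;
        f.target = static_cast<uint32_t>(base) + 5u + static_cast<uint32_t>(rel);
        f.patchedBytes = 5;
    }
    return f;
}

// Offset of the first byte that differs between the in-memory entry point and a
// clean reference copy, or -1 when they match. Catches hooks that use neither
// pattern above, since any inline hook changes the entry bytes.
long firstDifference(const uint8_t* inMemory, const uint8_t* clean, size_t n) {
    for (size_t i = 0; i < n; ++i)
        if (inMemory[i] != clean[i]) return static_cast<long>(i);
    return -1;
}

// Constructed sample: the hot-patchable x86 prologue (mov edi,edi; push ebp;
// mov ebp,esp; sub esp,10h) as it looks when clean ...
const uint8_t kCleanX86[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

// ... and after a JMP hook at 0x00401000 towards 0x00403000 replaced its first
// five bytes (the displacement is built with rel32For so the sample is consistent).
std::vector<uint8_t> hookedX86Sample() {
    std::vector<uint8_t> v(kCleanX86, kCleanX86 + sizeof kCleanX86);
    uint32_t rel = rel32For(0x00401000u, 0x00403000u);
    v[0] = 0xE9;
    std::memcpy(&v[1], &rel, sizeof rel);
    return v;
}

// Constructed sample of the 13-byte x64 patch (MOV rax, 0x00007FF612340000;
// JMP rax; POP rax) in the shape hookTrampolineX64 writes when bytesLen is 13.
const uint8_t kHookedX64[13] = { 0x48, 0xB8, 0x00, 0x00, 0x34, 0x12, 0xF6, 0x7F,
                                 0x00, 0x00, 0xFF, 0xE0, 0x58 };

static const char* kindName(HookFinding::Kind k) {
    switch (k) {
    case HookFinding::X86RelJmp:       return "x86 JMP rel32";
    case HookFinding::X64MovRaxJmpRax: return "x64 MOV rax / JMP rax";
    default:                           return "no known hook pattern";
    }
}

int main() {
    std::vector<uint8_t> hooked = hookedX86Sample();
    HookFinding a = inspectPrologue(hooked.data(), hooked.size(), 0x00401000u);
    std::printf("x86 sample: %s, target 0x%llx, first differing byte at %ld\n",
                kindName(a.kind), (unsigned long long)a.target,
                firstDifference(hooked.data(), kCleanX86, sizeof kCleanX86));

    HookFinding b = inspectPrologue(kHookedX64, sizeof kHookedX64, 0x00007FFA10000000ull);
    std::printf("x64 sample: %s, target 0x%llx\n",
                kindName(b.kind), (unsigned long long)b.target);
    return 0;
}
```

In a real scan the `code` buffer would be read from the target process at each export's address and `clean` from the module's file image after applying relocations; the byte comparison is the robust check, and the pattern decode adds the redirect target that tells you which module the hook lives in.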
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x86/Trampoline Hook x86/Trampoline_X86.h:
--------------------------------------------------------------------------------
#include <Windows.h>   // restored; the angle-bracket include was lost in extraction

#pragma comment(lib, "LDE64")
// Length disassembler engine (LDE64, linked from LDE64.lib): returns the byte length of the instruction at lpData
extern "C" DWORD __stdcall LDE(const DWORD lpData, unsigned int ProcType);

// Length of the whole instructions at address that cover at least minimumLength bytes
DWORD instructionsLength(DWORD address, unsigned int minimumLength);

// Redirects libName!API_Name to newFun; returns the trampoline address used to call the original, or 0 on failure
DWORD hookTrampolineX86(char libName[], char API_Name[], LPVOID newFun);
--------------------------------------------------------------------------------
/Ring 3/Trampoline Hook x86/Trampoline Hook x86/main.cpp:
--------------------------------------------------------------------------------
#include "Trampoline_X86.h"
#include <Windows.h>   // restored; the header name of this angle-bracket include was lost in extraction

typedef int (WINAPI* NewMessageBoxA)(
    _In_opt_ HWND hWnd,
    _In_opt_ LPCSTR lpText,
    _In_opt_ LPCSTR lpCaption,
    _In_ UINT uType);

// Trampoline returned by hookTrampolineX86: runs the displaced prologue, then continues in the original MessageBoxA
NewMessageBoxA ReCall;


// Replacement: keeps the caller's text and flags, swaps the caption, and calls through the trampoline
int WINAPI MessageBoxHooked(
    HWND hWnd,
    LPCSTR lpText,
    LPCSTR lpCaption,
    UINT uType) {

    return ReCall(hWnd, lpText, "Hooked By Almazari ...", uType);
}


BOOL WINAPI DllMain(HMODULE hModule, DWORD Call_Reason, LPVOID lpReserved) {

    switch (Call_Reason) {
    case DLL_PROCESS_ATTACH:
        // Install the hook as soon as the injected DLL is loaded; a zero result means the hook was not installed
        ReCall = (NewMessageBoxA)hookTrampolineX86("user32", "MessageBoxA", MessageBoxHooked);
        break;
    }

    return TRUE;
}
--------------------------------------------------------------------------------
/Ring 3/bin/Detours Explorer CreateProc.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/Detours Explorer CreateProc.dll
--------------------------------------------------------------------------------
/Ring 3/bin/Detours Hook x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/Detours Hook x64.dll
--------------------------------------------------------------------------------
/Ring 3/bin/Detours Hook x86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/Detours Hook x86.dll
--------------------------------------------------------------------------------
/Ring 3/bin/EAT Hook x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/EAT Hook x64.dll
--------------------------------------------------------------------------------
/Ring 3/bin/EAT Hook x86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/EAT Hook x86.dll
--------------------------------------------------------------------------------
/Ring 3/bin/IAT Hook x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/IAT Hook x64.dll
--------------------------------------------------------------------------------
/Ring 3/bin/IAT Hook x86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/IAT Hook x86.dll
--------------------------------------------------------------------------------
/Ring 3/bin/Injector64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/Injector64.exe
--------------------------------------------------------------------------------
/Ring 3/bin/Injector86.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/Injector86.exe
--------------------------------------------------------------------------------
/Ring 3/bin/TestApp64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/TestApp64.exe
--------------------------------------------------------------------------------
/Ring 3/bin/TestApp64EAT.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/TestApp64EAT.exe
--------------------------------------------------------------------------------
/Ring 3/bin/TestApp86.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/TestApp86.exe
--------------------------------------------------------------------------------
/Ring 3/bin/TestApp86EAT.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/TestApp86EAT.exe
--------------------------------------------------------------------------------
/Ring 3/bin/TestApp86OptOff.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/TestApp86OptOff.exe
--------------------------------------------------------------------------------
/Ring 3/bin/Trampoline Hook x64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/Trampoline Hook x64.dll
--------------------------------------------------------------------------------
/Ring 3/bin/Trampoline Hook x86.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/Ring 3/bin/Trampoline Hook x86.dll
--------------------------------------------------------------------------------
/img/1.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/img/1.gif
--------------------------------------------------------------------------------
/img/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/img/2.png
--------------------------------------------------------------------------------
/img/btc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcsig/API-Hooking/9d3ea009407418d638dfcba7a8db3ae391609368/img/btc.png
--------------------------------------------------------------------------------