A cpp multi-method API internal/external Hooking library for x86/x86-64 Windows.
Hook implementation supports both internal and external(TODO) hooking.
- VEH hook: Trigger exception with page guard violation, then intercept the exception with our VehHandler and change instruction pointer to detoured function.
- Trampoline hook: Modifies opcode to jmp to hook and allocates a trampoline for jmp back.
- INT3VEH hook: Alike VEH hook, except that exception is triggered by patching the first byte of target function to 0xCC(int 3)
- VMT: Find the right disp to target virtual method through disassembling vcall thunk bytes or traversing vtable, then patch vtable of a class to detoured function. (Warning: My Current implementation of vmt hook will probably not work if the target class has multiple inheritance. eg. class Derived : public Base1, public Base2;)
- IAT: TODO
git clone git@github.com:leo4048111/winhookupp.git --recurse-submodules
- Installed Visual Studio
- Generate solution with tests
cmake . -G "Visual Studio 17 2022" -A [win32/x64]
- Generate solution library only
cmake . -G "Visual Studio 17 2022" -A [win32/x64] -DBUILD_TESTS=OFF
- Example trampoline hooking(Interfaces of hooking methods are the same):
// include header for a hooking method
#include "trampoline.h"
int main(int argc, char** argv) {
using namespace WINHOOKUPP_NM;
// define a hook instance
Trampoline tramp;
// enabling hooking
LPVOID origin; // a pointer to original target function(nullptr if calling original target is not possible after hooking)
tramp.Enable(&TargetFunction, &YourDetouredFunction, &origin);
// calling the target function, your detoured function should be called instead
TargetFunction(...);
// calling the original function
if(origin != nullptr) {
decltype(TargetFunction)* pOrigin = reinterpret_cast<decltype(TargetFunction)*>(origin);
pOrigin(...);
}
// disabling hooking(note that hook will be automatically disabled if the hook instance is deconstructed)
tramp.Disable();
}
- To enable external hooking interfaces, define WINHOOKUPP_EXTERNAL_USAGE before including winhookupp headers(External hooks haven't been thoroughly tested yet, use with caution)
#define WINHOOKUPP_EXTERNAL_USAGE
#include "trampoline.h"
int main(int argc, char** argv) {
using namespace WINHOOKUPP_NM;
// To enable remote hooks, you need to pass in a handle to remote process
HANDLE hProc = ...;
Tramp tramp;
tramp.EnableEx(hProc, &TargetFunction, &YourDetouredFunction, &origin);
...
}
- See example and unit-tests for more detailed usages.