wacked
/
blog
Volgen 1
Ster 0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12 Commits
1 Branch
Tree: 9fd9e66340
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '9fd9e66340'
${ noResults }
blog/content/projects/hookengs.md

hookengs.md 2.8KB
Ruw Normal View Geschiedenis

hooking engines
4 jaren geleden
 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. ---

  2. title: "Hooking Engine Deatmatch"

  3. description: "Evaluating various hooking engines, putting them against pathologically hard to hook functions"

  4. date: 2020-02-26T22:00:00+01:00

  5. draft: false

  6. ---

  7. 

  8. For the full code see the [git repo](https://vcs.wacked.codes/wacked/hook_tests).

  9. 

  10. Introduction

  11. ============

  12. This project aims to give a simple overview on how good various x64 hooking

  13. engines (on windows) are. I'll try to write various functions, that are hard to

  14. patch and then see how each hooking engine does.

  15. 

  16. I'll test:

  17. 

  18. * [EasyHook](https://easyhook.github.io/)

  19. * [PolyHook](https://github.com/stevemk14ebr/PolyHook)

  20. * [MinHook](https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra)

  21. * [Mhook](http://codefromthe70s.org/mhook24.aspx)

  22. 

  23. (I'd like to test detours, but I'm not willing to pay for it. So that isn't

  24. tested :( )

  25. 

  26. There are multiple things that make hooking difficult. Maybe you want to patch

  27. while the application is running -- in that case you might get race conditions,

  28. as the application is executing your half finished hook. Maybe the software has

  29. some self protection features (or other software on the system provides that,

  30. e.g. Trustee Rapport)

  31. 

  32. Evaluating how the hooking engines stack up against that is not the goal here.

  33. Neither are non-functional criteria, like how fast it is or how much memory it

  34. needs for each hook. This is just about the challenges the function to be

  35. hooked itself poses.

  36. 

  37. Namely:

  38. 

  39. * Are jumps relocated?

  40. * What about RIP adressing?

  41. * If there's a loop at the beginning / if it's a tail recurisve function, does

  42.   the hooking engine handle it?

  43. * How good is the dissassembler, how many instructions does it know?

  44. * Can it hook already hooked functions?

  45. 

  46. At first I will give a short walk through of the architecture, then quickly go

  47. over the test cases. After that come the results and an evaluation for each

  48. engine.

  49. 

  50. I think I found a flaw in all of them; I'll publish a small POC which should at

  51. least detect the existence of problematic code.

  52. 

  53. **A word of caution**: my results are worse than expected, so do assume I have

  54. made a mistake in using the libraries. I went into this expecting that some

  55. engines at least would try to detect e.g. the loops back into the first few

  56. bytes. But none did? That's gotta be wrong.

  57. 

  58. **Another word of caution**: parts of this are rushed and/or ugly. Please

  59. double check parts that seem suspicious. And I'd love to get patches, even for

  60. the most trivial things -- spelling mistakes? Yes please.

  61. 

  62. 

  63. Result

  64. ========

  65. 

  66. |      Name|Small|Branch|RIP Relative|AVX|RDRAND|Loop|TailRec|

  67. |----------|-----|------|------------|---|------|----|-------|

  68. |  PolyHook|  X  |   X  |      X     | X |      |    |       |

  69. |   MinHook|  X  |   X  |      X     |   |      |    |   X   |

  70. |     MHook|     |      |      X     |   |      |    |       |

  71.