Introduction
============

This project aims to give a simple overview of how good various x64 hooking engines (on Windows) are. I'll write various functions that are hard to patch and then see how each hooking engine does.

I'll test:

* [EasyHook](https://easyhook.github.io/)
* [PolyHook](https://github.com/stevemk14ebr/PolyHook)
* [MinHook](https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra)
* [Mhook](http://codefromthe70s.org/mhook24.aspx)

(I'd like to test Detours, but I'm not willing to pay for it. So that isn't tested :( )

There are multiple things that make hooking difficult. Maybe you want to patch while the application is running -- in that case you might get race conditions, as the application is executing your half-finished hook. Maybe the software has some self-protection features (or other software on the system provides that, e.g. Trusteer Rapport).

Evaluating how the hooking engines stack up against that is not the goal here. Neither are non-functional criteria, like how fast it is or how much memory it needs for each hook. This is just about the challenges the function to be hooked itself poses.

Namely:

* Are jumps relocated?
* What about RIP-relative addressing?
* If there's a loop at the beginning, or if it's a tail-recursive function, does the hooking engine handle it?
* How good is the disassembler, how many instructions does it know?
* Can it hook already hooked functions?
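
The first two points are about the same mechanism: when a hooking engine copies the prologue into a trampoline, every displacement that is relative to RIP must be recomputed against the trampoline's own next-instruction address. The following is an added illustration, not code from this project or from any of the engines listed; it recognises only three constructed encodings (`lea r64,[rip+disp32]`, `jmp rel32`, `jmp rel8`) and uses made-up addresses, and it assumes a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Identify the instruction at code[0..len). Returns its length and where its
 * relative operand lives; 0 if it is not one of the three constructed cases. */
static size_t classify(const uint8_t *code, size_t len, size_t *off, size_t *size) {
    if (len >= 7 && code[0] == 0x48 && code[1] == 0x8D && (code[2] & 0xC7) == 0x05) {
        *off = 3; *size = 4; return 7;                 /* lea r64, [rip+disp32] */
    }
    if (len >= 5 && code[0] == 0xE9) { *off = 1; *size = 4; return 5; } /* jmp rel32 */
    if (len >= 2 && code[0] == 0xEB) { *off = 1; *size = 1; return 2; } /* jmp rel8  */
    return 0;
}

/* Absolute address the instruction refers to when it executes at `ip`
 * (-1 if unrecognised). The operand is relative to the *next* instruction. */
int64_t rip_target(const uint8_t *code, size_t len, uint64_t ip) {
    size_t off, size, n = classify(code, len, &off, &size);
    if (n == 0) return -1;
    int64_t disp = (size == 1) ? (int8_t)code[off] : 0;
    if (size == 4) { int32_t d; memcpy(&d, code + off, 4); disp = d; }
    return (int64_t)(ip + n) + disp;
}

/* Patch the displacement so the copied instruction still reaches its original
 * target after moving from old_ip to new_ip. Returns the instruction length,
 * 0 if unsupported, -1 if the new disp32 does not fit (trampoline too far
 * away), -2 if the operand is rel8 and must be widened instead of patched. */
int relocate_rip_relative(uint8_t *code, size_t len, uint64_t old_ip, uint64_t new_ip) {
    size_t off, size, n = classify(code, len, &off, &size);
    if (n == 0) return 0;
    if (size == 1) return -2;
    int64_t new_disp = rip_target(code, len, old_ip) - (int64_t)(new_ip + n);
    if (new_disp < INT32_MIN || new_disp > INT32_MAX) return -1;
    int32_t d = (int32_t)new_disp;
    memcpy(code + off, &d, 4);
    return (int)n;
}

int main(void) {
    /* Constructed sample: lea rax,[rip+0x10] as if it sat at 0x140001000. */
    uint8_t lea[7] = {0x48, 0x8D, 0x05, 0x10, 0x00, 0x00, 0x00};
    long long before = rip_target(lea, sizeof lea, 0x140001000ULL);
    int rc = relocate_rip_relative(lea, sizeof lea, 0x140001000ULL, 0x140100000ULL);
    long long after = rip_target(lea, sizeof lea, 0x140100000ULL);
    printf("rc=%d target before=%#llx after=%#llx\n", rc, before, after);
    return 0;
}
```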
Test cases
==========