N-CodeHook - A Detours-like inline patching lib
API Hooking
API hooking is a well-known technique which allows us to modify and extend existing program or operating system logic. By using inline patching mechanisms, APIs can be hooked in order to modify return values, stop certain functions from being executed at all, or replace existing functionality with a custom implementation. Especially in the case of OS APIs, the only way to change program logic is to employ some kind of hooking mechanism that redirects control flow to a custom function.
Other techniques like IAT patching don't work if the library in question is loaded dynamically, or if you want to hook a function which isn't exported from the DLL at all.
A very reliable solution in those cases is to use inline patching in order to redirect the flow of execution to a custom hook function.
N-CodeHook library
The N-CodeHook library offers a (template-based) C++ interface to inline patching functionality similar to the popular Detours library from Microsoft Research. It currently supports the IA32 and X64 architectures (you have to pay a nice bit of money to Microsoft to get the X64-enabled version of Detours) and automatically assembles the correct jump opcodes depending on the jump distance (near jump vs. absolute jump).
Besides, it's straightforward to use:
```cpp
#include <windows.h>
// plus the N-CodeHook header that declares NCodeHookIA32 (see the project site)

// Function pointer type matching IsDebuggerPresent; holds the trampoline
// returned by createHook so the hook can still reach the original function.
typedef BOOL (WINAPI *IsDebuggerPresentFPtr)();
IsDebuggerPresentFPtr origFunc = NULL;

// Our replacement: invoked instead of IsDebuggerPresent on every call.
BOOL WINAPI IsDebuggerPresentHook()
{
    // tell the truth
    return origFunc();
}

int main()
{
    NCodeHookIA32 nch;
    // Patch IsDebuggerPresent and keep the trampoline for calling the original.
    origFunc = nch.createHook(IsDebuggerPresent, IsDebuggerPresentHook);
    return 0;
}
```
Whenever the IsDebuggerPresent function is called, our hook function is invoked first. This allows us to replace existing functionality by changing return values, provide a custom implementation, or even mix the original and our own implementation.
In this case we could simply "hide" our debugger by returning FALSE.
How does it work?
Consider the situation where we want to hook into every invocation of an existing function:

In order to dispatch control flow from the function Callee to our hook we write an unconditional jump instruction to the beginning of the original function. By doing this we overwrite instructions and are thus actually breaking program logic.
To preserve the original functionality we need to copy a certain number of instructions to a safe place and execute them whenever the original function is to be called. These instructions are moved to a trampoline. To deduce the correct number of instructions that need to be copied (the jump overwrites a fixed number of bytes, but instructions are variable-length and must be moved whole), we have to disassemble the opcodes at the beginning of our Callee.

The picture above shows the situation where our hook was installed but the hook function decided to skip the original function.
The next picture shows the situation we had in our previous code example:

The hook function gains control and in turn calls the original function. It can't, however, call it directly because of the overwritten bytes at the beginning. Instead it calls the trampoline, which executes the displaced instructions and then jumps to the first untouched instruction of the original function.
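To make the two steps above concrete (the distance-dependent jump encoding mentioned in the library overview, and the trampoline that runs the displaced bytes and jumps back), here is an added example written for this page; it is not N-CodeHook's own code. It only assembles bytes into buffers and assumes a little-endian host; the address values in the comments are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assemble the unconditional jump an inline patcher writes over the first
 * bytes of the hooked function, choosing the encoding by distance:
 *  - within +/-2 GiB of the patch site: 5-byte near jump  E9 <rel32>
 *  - otherwise (only possible on x64): 14-byte absolute jump
 *    FF 25 00000000 <abs64>  (jmp qword ptr [rip+0]; target stored after it)
 * Assumption: little-endian host, which holds on IA32/x64. */
#define NEAR_JMP_LEN 5
#define ABS_JMP_LEN 14

/* Writes the jump from 'from' to 'to' into out (ABS_JMP_LEN bytes capacity)
 * and returns the number of bytes written. */
size_t assemble_jump(uint8_t *out, uint64_t from, uint64_t to) {
    /* rel32 is measured from the end of the 5-byte instruction */
    int64_t rel = (int64_t)(to - (from + NEAR_JMP_LEN));
    if (rel >= INT32_MIN && rel <= INT32_MAX) {
        int32_t rel32 = (int32_t)rel;
        out[0] = 0xE9;
        memcpy(out + 1, &rel32, sizeof rel32);
        return NEAR_JMP_LEN;
    }
    static const uint8_t rip_relative_jmp[6] = {0xFF, 0x25, 0, 0, 0, 0};
    memcpy(out, rip_relative_jmp, sizeof rip_relative_jmp);
    memcpy(out + 6, &to, sizeof to);
    return ABS_JMP_LEN;
}

/* Trampoline = the displaced original instructions, followed by a jump back
 * to the first untouched instruction at callee + displaced_len. Only valid
 * when the displaced bytes contain no relative branches, which is exactly
 * the case the library does not yet detect. Returns the trampoline length. */
size_t build_trampoline(uint8_t *tramp, uint64_t tramp_addr,
                        const uint8_t *displaced, size_t displaced_len,
                        uint64_t callee) {
    memcpy(tramp, displaced, displaced_len);
    return displaced_len + assemble_jump(tramp + displaced_len,
                                         tramp_addr + displaced_len,
                                         callee + displaced_len);
}

/* Helper for inspecting an encoding: byte 'idx' of the assembled jump,
 * or -1 if idx is past its end. E.g. from 0x401000 to 0x401020 gives
 * E9 1B 00 00 00 (0x401020 - 0x401005 = 0x1B). */
int jump_byte(uint64_t from, uint64_t to, size_t idx) {
    uint8_t buf[ABS_JMP_LEN];
    size_t n = assemble_jump(buf, from, to);
    return idx < n ? buf[idx] : -1;
}
```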
Notes and download
The library currently doesn't check whether it is overwriting branch instructions, so if the function to be hooked starts with e.g. a jump instruction (very rare), the hook will certainly crash the application: a relative branch copied to the trampoline still carries a displacement computed for its original location. This will be fixed in a future release. The library can be downloaded from the project site.