J.Todd

Reputation: 827

What are the ways hooks can be applied to an x86 process (at the lowest levels)?

Previously, when I thought of hooking, I was thinking at a bit too high of a level, perhaps. I was thinking of an OS's debugging API, which I assumed added a flag to some kernel or OS process responsible for handling that event, so if a certain process we add a hook to triggers that syscall, or that exception, or the higher-level API call we're hooking, our hook would execute.

But now I'm seeing examples of what looks like actual instructions patched into the process as hooks. Clearly I need to study this a bit more but it seems like it could be done a number of ways, whether that be patching/injection, debugging APIs, etc. I want to understand all the ways hooks are applied at the lowest level.

How can this be done (in terms of low-level methods, CPU capabilities, kernel APIs, etc)? If it's highly OS API specific, or highly CPU specific, then I'd just like to know that.

Upvotes: 0

Views: 299

Answers (1)

Alex Guteniev

Reputation: 13689

I think you mean those "hooks" that are able to override some functions. They are implemented with either of the following methods:

  • Rewrite function body with a jump instruction, saving overwritten instructions somewhere to be able to call the original function.
  • Know where the target function is called by pointer and change that pointer, saving the original pointer to be able to call the original function.

Upvotes: 2
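As an added, runnable illustration of the two methods in the answer above (example code written for this page, not the answerer's): the first half hooks a function that callers reach through a pointer table (the same shape as an import table, a C++ vtable or a syscall table) by swapping the pointer and keeping the old one; the second half patches the first five bytes of a function with `jmp rel32`, keeping the overwritten bytes so the original can still be called. It assumes x86-64 Linux with GCC or Clang; every function and struct name (`target_mul`, `inline_hook_install`, `call_through_table`, ...) is made up for the example.

```c
/* Two ways to hook a function on x86-64 Linux (added example, not from the original post).
 * Build: cc -O2 -o hooks hooks.c && ./hooks */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* ---- Method 2 from the answer: the target is called through a pointer, so swap the pointer ---- */
typedef int (*binop_fn)(int, int);
static int real_add(int a, int b) { return a + b; }
static struct { binop_fn add; } table = { real_add };  /* stands in for an IAT / vtable */
static binop_fn saved_add;                              /* original pointer, kept so the hook can forward */

static int add_hook(int a, int b) { return saved_add(a, b) + 1000; }  /* observe, then call original */

int install_pointer_hook(void) { saved_add = table.add; table.add = add_hook; return 0; }
int call_through_table(int a, int b) { return table.add(a, b); }      /* loads the pointer at call time */

/* ---- Method 1 from the answer: overwrite the function body with a jump ---- */
#define PATCH_LEN 5                      /* E9 <rel32> */
struct inline_hook {
    uint8_t *target;
    uint8_t original[PATCH_LEN];         /* bytes we overwrote */
    uint8_t patched[PATCH_LEN];          /* the jmp we wrote */
};

static int make_rwx(void *addr, size_t len) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

int inline_hook_install(struct inline_hook *h, void *target, void *hook) {
    /* rel32 is relative to the end of the 5-byte jmp; it can only reach +-2 GiB */
    intptr_t rel = (intptr_t)(uintptr_t)hook - ((intptr_t)(uintptr_t)target + PATCH_LEN);
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;
    int32_t rel32 = (int32_t)rel;
    h->target = target;
    memcpy(h->original, target, PATCH_LEN);
    h->patched[0] = 0xE9;
    memcpy(&h->patched[1], &rel32, sizeof rel32);
    if (make_rwx(target, PATCH_LEN) != 0) return -1;   /* .text is normally r-x only */
    memcpy(target, h->patched, PATCH_LEN);
    return 0;
}
void inline_hook_remove(struct inline_hook *h) { memcpy(h->target, h->original, PATCH_LEN); }

/* The function we patch. noinline/noclone keep a real call site for the patch to intercept. */
__attribute__((noinline, noclone)) static int target_mul(int a, int b) { return a * b + 7; }
/* Callers reach it through a volatile pointer so the compiler cannot fold the call away. */
static int (*volatile target_ptr)(int, int) = target_mul;
int call_target(int a, int b) { return target_ptr(a, b); }

static struct inline_hook mul_hook;
static int hook_calls;

static int mul_hook_fn(int a, int b) {
    hook_calls++;
    /* Calling the original: restore the saved bytes, call, re-apply the jmp.
     * Simple but not thread-safe; a production hook instead copies the saved bytes
     * into a trampoline followed by a jump back to target+5 (needs a length disassembler). */
    inline_hook_remove(&mul_hook);
    int r = target_mul(a, b);
    memcpy(mul_hook.target, mul_hook.patched, PATCH_LEN);
    return r + 1;
}

int install_inline_hook(void) {
    return inline_hook_install(&mul_hook, (void *)(uintptr_t)target_mul, (void *)(uintptr_t)mul_hook_fn);
}
void remove_inline_hook(void) { inline_hook_remove(&mul_hook); }
int hook_call_count(void) { return hook_calls; }

int main(void) {
    printf("table: before %d\n", call_through_table(2, 3));        /* 5 */
    install_pointer_hook();
    printf("table: after  %d\n", call_through_table(2, 3));        /* 1005 */

    printf("inline: before %d\n", call_target(3, 4));              /* 19 */
    if (install_inline_hook() != 0) { perror("inline hook"); return 1; }
    printf("inline: after  %d (hook ran %d time)\n", call_target(3, 4), hook_call_count()); /* 20, 1 */
    remove_inline_hook();
    printf("inline: removed %d\n", call_target(3, 4));             /* 19 */
    return 0;
}
```

The pointer swap never touches code, which is why it works under W^X and is what most user-mode "hooking" of imports or virtual methods does; the inline patch is what you saw as instructions written into the process, and it needs the text page made writable, a displacement that fits in 32 bits, and care that the five overwritten bytes end on an instruction boundary before anything can jump back into them.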
