hotlib 0.1
a hooking library
by x8esix
Background:
Microsoft Detours has a shitty EULA and is commercial. That is all.
Notes:
To use, include hotlib_public.h in your project and link to hotlib.lib.
Pointers passed do not have to have read/write access to data at that time, but must be able to gain permission via VirtualProtect(). If a separate page protection modification is to be used, do so before calling a function.
XML documentation can be found above each function in hotlib_public.h.
All structs are aligned on single-byte boundaries.
This header is meant for MSVC 2010, and may not link correctly if used with other compilers/linkers.
Function namespace prefix "hl" is used.
Todo:
(in order of priorities):
[ ] Implement IAT/EAT hooking
[ ] Implement DrX hooking
[ ] Implement disassembly-based hooking
[ ] Implement x64 support
Changelist:
0.1: Initial release, only hotpatching is supported
__________________________________________________________________________
Glossary:
Bypass - Pointer to a location that bypasses the hook
Detour - Location that the hook will redirect function calls to
Hotpatch - Microsoft-coined term to refer to a 7-nop sled at the beginning of each "hotpatchable" function to allow for quick fixes that developers may have. Since Windows NT, all exported functions are hotpatchable.
Trampoline - Hook that uses control redirection
Structs:
Trampoline:
Holds information about a hotpatched function.
struct _TRAMPOLINE_T32 {
void *pFunction,
*pBypass,
*pDetour;
BYTE OriginalPre[7];
BYTE bEnabled;
};
__________________________________________________________________________
Checking if a feature is available:
hlIsFeatureAvailable:
int STDCALL hlIsFeatureCompatible(IN HOTLIB_FEATURE hlFeature);
Checks if a feature is available. Returns 1 if available and 0 if unavailable.
v0.1:
HOTPATCH
Setting a hook:
hlSetHotPatch32:
void* STDCALL hlSetHotPatch32(
IN const PTR32 Function,
IN const PTR32 Detour,
OUT TRAMPOLINE_T* Trampoline);
Sets a hotpatch at Function that will bounce to Detour before executing, and returns the relevant information in the Trampoline structure. Memory does not need to already have read/write access, and any original hotpatches will be saved in the Trampoline structure.
On success, a pointer to the bypass is returned. If NULL is returned, there was a problem either writing to the page or applying the proper protection.
Removing a hook:
hlRemoveHotPatch32:
void* STDCALL hlRemoveHotPatch32(
INOUT TRAMPOLINE_T* Trampoline);
Removes a hotpatch at Trampoline->pFunction and restores the original hotpatch [if any] that were there before the hotpatch was applied. Memory does not need to have read/write access.
On success, the Trampoline struct will be zeroed and a pointer to the original function is returned. If NULL is returned, there was a problem either writing to the page or applying the proper protection.