Hooking - AbsoluteAstronomy.com

Computer programming

Computer programming is the process of designing, writing, testing, debugging, and maintaining the source code of computer programs. This source code is written in one or more programming languages. The purpose of programming is to create a program that performs specific operations or exhibits a...

, the term hooking covers a range of techniques used to alter or augment the behavior of an operating system

Operating system

An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...

, of applications

Application software

Application software, also known as an application or an "app", is computer software designed to help the user to perform specific tasks. Examples include enterprise software, accounting software, office suites, graphics software and media players. Many application programs deal principally with...

, or of other software components by intercepting function calls

Subroutine

In computer science, a subroutine is a portion of code within a larger program that performs a specific task and is relatively independent of the remaining code....

or messages

Message passing

Message passing in computer science is a form of communication used in parallel computing, object-oriented programming, and interprocess communication. In this model, processes or objects can send and receive messages to other processes...

or events

Event (computing)

In computing an event is an action that is usually initiated outside the scope of a program and that is handled by a piece of code inside the program. Typically events are handled synchronous with the program flow, that is, the program has one or more dedicated places where events are handled...

passed between software components

Module

Module or modular may refer to the concept of modularity. It may also refer to:-Computing and engineering:* Modular design, the engineering discipline of designing complex devices using separately designed sub-components...

. Code that handles such intercepted function calls, events or messages is called a "hook".

Hooking is used for many purposes, including debugging

Debugging

Debugging is a methodical process of finding and reducing the number of bugs, or defects, in a computer program or a piece of electronic hardware, thus making it behave as expected. Debugging tends to be harder when various subsystems are tightly coupled, as changes in one may cause bugs to emerge...

and extending functionality.
Examples might include intercepting keyboard or mouse event messages before they reach an application, or intercepting operating system calls in order to monitor behavior or modify the function of an application or other component.

Hooking can also be used by malicious code. For example, rootkit

Rootkit

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...

s, pieces of software that try to make themselves invisible by faking the output of API calls that would otherwise reveal their existence, often use hooking techniques. A wallhack is another example of malicious behavior that can stem from hooking techniques. It is done by intercepting function calls in a computer game and altering what is shown to the player to allow them to gain an unfair advantage over other players.

Methods

Typically hooks are inserted while software is already running, but hooking is a tactic that can also be employed prior to the application being started. Both these techniques are described in greater detail below.

Physical modification

By physically modifying an executable

Executable

In computing, an executable file causes a computer "to perform indicated tasks according to encoded instructions," as opposed to a data file that must be parsed by a program to be meaningful. These instructions are traditionally machine code instructions for a physical CPU...

or library before an application is running through techniques of reverse engineering

Reverse engineering

Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation...

you can also achieve hooking. This is typically used to intercept function calls to either monitor or replace them entirely.

For example, by using a disassembler

Disassembler

A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler. A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language...

, the entry point of a function within a module

Module

can be found. It can then be altered to instead dynamically load some other library module and then have it execute desired methods within that loaded library. If applicable, another related approach by which hooking can be achieved is by altering the import table of an executable. This table can be modified to load any additional library modules as well as changing what external code is invoked when a function is called by the application.

An alternate method for achieving function hooking is by intercepting function calls through a wrapper library

Wrapper library

In computer programming, a library is a collection of subroutines or classes used to develop software. Libraries expose interfaces which clients of the library use to execute library routines. Wrapper libraries consist of a thin layer of code which translates a library's existing interface into a...

. When creating a wrapper, you make your own version of a library that an application loads, with all the same functionally of the original library that it will replace. That is, all the functions that are accessible are essentially the same between the original and the replacement. This wrapper library can be designed to call any of the functionality from the original library, or replace it with an entirely new set of logic.

Runtime modification

Operating systems and software may provide the means to easily insert event hooks at runtime. It is available provided that the process

Process (computing)

In computing, a process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system , a process may be made up of multiple threads of execution that execute instructions concurrently.A computer program is a...

inserting the hook is granted enough permission to do so. Microsoft Windows for example, allows you to insert hooks that can be used to process or modify system events

Event (computing)

and application events for dialogs

Dialog box

In a graphical user interface of computers, a dialog box is a type of window used to enable reciprocal communication or "dialog" between a computer and its user. It may communicate information to the user, prompt the user for a response, or both...

, scrollbar

Scrollbar

A scrollbar is an object in a graphical user interface with which continuous text, pictures or anything else can be scrolled including time in video applications, i.e., viewed even if it does not fit into the space in a computer display, window, or viewport...

s, and menus

Menu (computing)

In computing and telecommunications, a menu is a list of commands presented to an operator by a computer or communications system. A menu is used in contrast to a command-line interface, where instructions to the computer are given in the form of commands .Choices given from a menu may be selected...

as well as other items. It also allows a hook to insert, remove, process or modify keyboard

Keyboard (computing)

In computing, a keyboard is a typewriter-style keyboard, which uses an arrangement of buttons or keys, to act as mechanical levers or electronic switches...

and mouse

Mouse (computing)

In computing, a mouse is a pointing device that functions by detecting two-dimensional motion relative to its supporting surface. Physically, a mouse consists of an object held under one of the user's hands, with one or more buttons...

events. Linux, provides another example where hooks can be used in a similar manner to process network events within the kernel

Kernel (computing)

In computing, the kernel is the main component of most computer operating systems; it is a bridge between applications and the actual data processing done at the hardware level. The kernel's responsibilities include managing the system's resources...

through NetFilter.

When such functionality is not provided, a special form of hooking employs intercepting the library functions calls made by a process. Function hooking is implemented by changing the very first few code instructions of the target function to jump to an injected code. Alternatively on systems using the shared library concept, the interrupt vector

Interrupt vector

An interrupt vector is the memory address of an interrupt handler, or an index into an array called an interrupt vector table that contains the memory addresses of interrupt handlers...

table or the import descriptor table can be modified in memory. Essentially these tactics employ the same ideas as those of physical modification, but instead altering instructions and structures located in the memory of a process once it is already running.

C# keyboard event hook

The following example will hook into keyboard events in Microsoft Windows using the Microsoft .NET Framework

.NET Framework

The .NET Framework is a software framework that runs primarily on Microsoft Windows. It includes a large library and supports several programming languages which allows language interoperability...

.

using System.Runtime.InteropServices;

namespace Hooks
{
public class KeyHook
{
/* Member variables */
protected static int Hook;
protected static LowLevelKeyboardDelegate Delegate;
protected static readonly object Lock = new object;
protected static bool IsRegistered = false;

/* DLL imports */
[DllImport("user32")]
private static extern int SetWindowsHookEx(int idHook, LowLevelKeyboardDelegate lpfn,
int hmod, int dwThreadId);

[DllImport("user32")]
private static extern int CallNextHookEx(int hHook, int nCode, int wParam, KBDLLHOOKSTRUCT lParam);

[DllImport("user32")]
private static extern int UnhookWindowsHookEx(int hHook);

/* Types & constants */
protected delegate int LowLevelKeyboardDelegate(int nCode, int wParam, ref KBDLLHOOKSTRUCT lParam);
private const int HC_ACTION = 0;
private const int WM_KEYDOWN = 0x0100;
private const int WM_KEYUP = 0x0101;
private const int WH_KEYBOARD_LL = 13;

[StructLayout(LayoutKind.Sequential)]
public struct KBDLLHOOKSTRUCT
{
public int vkCode;
public int scanCode;
public int flags;
public int time;
public int dwExtraInfo;
}

/* Methods */
static private int LowLevelKeyboardHandler(int nCode, int wParam, ref KBDLLHOOKSTRUCT lParam)
{
if (nCode

HC_ACTION)
{
if (wParam

WM_KEYDOWN)
System.Console.Out.WriteLine("Key Down: " + lParam.vkCode);
else if (wParam WM_KEYUP)
System.Console.Out.WriteLine("Key Up: " + lParam.vkCode);
}
return CallNextHookEx(Hook, nCode, wParam, lParam);
}

public static bool RegisterHook
{
lock (Lock)
{
if (IsRegistered)
return true;
Delegate = LowLevelKeyboardHandler;
Hook = SetWindowsHookEx(
WH_KEYBOARD_LL, Delegate,
Marshal.GetHINSTANCE(
System.Reflection.Assembly.GetExecutingAssembly.GetModules[0]
).ToInt32, 0
);

if (Hook != 0)
return IsRegistered = true;
Delegate = null;
return false;
}
}

public static bool UnregisterHook
{
lock (Lock)
{
return IsRegistered = (UnhookWindowsHookEx(Hook) != 0);
}
}
}
}

Hooking Direct3D

The following is an example of hooking Direct3D

Direct3D

Direct3D is part of Microsoft's DirectX application programming interface . Direct3D is available for Microsoft Windows operating systems , and for other platforms through the open source software Wine. It is the base for the graphics API on the Xbox and Xbox 360 console systems...

function calls on Windows. This utilizes a free hooking library called APIHijack. The source is compiled into a DLL. An additional application that will invoke InstallHook is also required. For more information see http://www.codeproject.com/KB/DLL/apihijack.aspx

include
include
include
include "testdll.h"
include "..\apihijack.h"

char temp[256];
HINSTANCE hDLL;

// type defs
typedef HRESULT (WINAPI *DirectDrawCreateEx_Type)( GUID FAR *lpGUID, LPVOID *lplpDD, REFIID iid, IUnknown FAR *pUnkOuter );

// function prototypes
HRESULT WINAPI MyDirectDrawCreateEx( GUID FAR * lpGuid, LPVOID *lplpDD, REFIID iid,IUnknown FAR *pUnkOuter );

// hook structure
enum
{
D3DFN_DirectDrawCreateEx = 0
};

SDLLHook D3DHook =
{
"DDRAW.DLL",
false, NULL,
{
{ "DirectDrawCreateEx", MyDirectDrawCreateEx },
{ NULL, NULL }
}
};

// Hook function.
HRESULT WINAPI MyDirectDrawCreateEx(GUID FAR* lpGuid, LPVOID *lplpDD, REFIID iid,IUnknown FAR *pUnkOuter )
{
DirectDrawCreateEx_Type OldFn = (DirectDrawCreateEx_Type)D3DHook.Functions[D3DFN_DirectDrawCreateEx].OrigFn;
return OldFn( lpGuid, lplpDD, iid, pUnkOuter );
}

// CBT Hook-style injection.
BOOL APIENTRY DllMain( HINSTANCE hModule, DWORD fdwReason, LPVOID lpReserved )
{
if ( fdwReason DLL_PROCESS_ATTACH ) // When initializing....
{
hDLL = hModule;

// Only hook the APIs if this is the fsim proess.
GetModuleFileName(GetModuleHandle(NULL), temp, sizeof(temp));
PathStripPath(temp);

if(stricmp(temp, "fsim.exe" ) 0)
HookAPICalls( &D3DHook );
}

return TRUE;
}

// This segment must be defined as SHARED in the .DEF

pragma data_seg (".HookSection")

// Shared instance for all processes.
HHOOK hHook = NULL;

pragma data_seg

TESTDLL_API LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
return CallNextHookEx( hHook, nCode, wParam, lParam);
}

TESTDLL_API void InstallHook
{
hHook = SetWindowsHookEx(WH_CBT, HookProc, hDLL, 0);
}

TESTDLL_API void RemoveHook
{
UnhookWindowsHookEx( hHook );
}

API/Function Hooking/Interception Using JMP Instruction

The following source code is an example of API/function hooking using the open source Chrom Library, which hooks by overwriting the first six bytes of a destination function with a JMP instruction to a new function. The code is compiled into a DLL file then loaded into the target process using any method of code injection. This example code hooks the "PR_Write" function of nspr4.dll (used in Firefox to write to a file description) and logs all HTTP/HTTPS requests to file "c:/log.txt". For more information, see http://code.google.com/p/chrom-lib/.

/*
Firefox_hook (C) Raja Jamwal 2011
Distributed under GNU GPL License

Firefox_hook is a example code for Chrom Library, Firefox_hook log every
HTTP/HTTPS requests that firefox makes

Chrom, is API/Funtion interception/hijacking library for windows systems
Copyright (C) 2011 Raja Jamwal

This file is part of Chrom.

include "stdafx.h"
include "chrom.h"

Hook Firefox; // Hook firefox
DWORD PR_Write_H (DWORD *fd, void *buf,DWORD amount); // this is our overiding-function
typedef DWORD (*prWrite)(DWORD*,void*,DWORD); // defination of our original function

prWrite prw = NULL; // create a original function, we later point this to original function
// address

char log_file[]="c://log.txt"; // logfile

// this will log our data
int write_log(char * log, char * data)
{
ofstream fout(log, ios::app);
fout << data;
fout.close;
return TRUE;
}

// initialize hooking, this adds the jump instruction to original function address
int create_hooks
{
// Override PR_Write function in nspr4.dll with our PR_Write_H,
// Note nspr4.dll must already be
// loaded in process space
Firefox.Initialize("PR_Write", "nspr4.dll", PR_Write_H);
// Write jump instruction on original function address
Firefox.Start;
return TRUE;
}

// our overriding function
DWORD PR_Write_H (DWORD *fd, void *buf,DWORD amount)
{
// reset hooks, this will replace the jump instruction to original data
Firefox.Reset;
// You may skip the code shown below and call the original function directly
// since after calling Firefox.Reset the address of the original function,
// now contains the original function's data
// point prw(function) to original function (optional)
prw = (prWrite)Firefox.original_function;
// log the headers
write_log(log_file, (char*) buf);
// call the real PR_Write function
DWORD ret = prw(fd, buf, amount);
// again place the jump instruction on the original function
Firefox.Place_Hook;
return ret;
}

Netfilter hook

This example shows how to use hook to alter network

Computer network

A computer network, often simply referred to as a network, is a collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information....

traffic in the Linux kernel using Netfilter.

include
include
include

include
include
include
include
include

/* Port we want to drop packets on */
static const uint16_t port = 25;

/* This is the hook function itself */
static unsigned int hook_func(unsigned int hooknum,
struct sk_buff **pskb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
struct iphdr *iph = ip_hdr(*pskb);
struct tcphdr *tcph, tcpbuf;

if (iph->protocol != IPPROTO_TCP)
return NF_ACCEPT;

tcph = skb_header_pointer(*pskb, ip_hdrlen(*pskb), sizeof(*tcph), &tcpbuf);
if (tcph NULL)
return NF_ACCEPT;

return (tcph->dest port) ? NF_DROP : NF_ACCEPT;
}

/* Used to register our hook function */
static struct nf_hook_ops nfho = {
.hook = hook_func,
.hooknum = NF_IP_PRE_ROUTING,
.pf = NFPROTO_IPV4,
.priority = NF_IP_PRI_FIRST,
};

static __init int my_init(void)
{
return nf_register_hook(&nfho);
}

static __exit void my_exit(void)
{
nf_unregister_hook(&nfho);
}

module_init(my_init);
module_exit(my_exit);

Windows

Information on Import Address Table function hooking.
information from Microsoft on hooking
APISpy32 is an application used to hook win32 API.
Detours is a general purpose function hooking library created by Microsoft Research which works in C / C++.
winspy Three ways to inject code into another process.
hooksys Additional API Hooking techniques in Windows.
Mad Hook Commercial hooking for delphi.
EasyHook is an open source hooking engine supporting x86 and x64 in Windows in both user and kernel land.
rohitab.com API Monitor is a freeware application that can hook and display 10,000+ Windows APIs and COM Interfaces in 32-bit and 64-bit applications and services.
Deviare API Hook Deviare is a freeware inter-process hook framework that can be used to intercept other processes' API calls and show full-parameter information or create API monitors.

Linux

http://web.archive.org/web/20070610083142/http://rtg.informatik.tu-chemnitz.de/docs/da-sa-txt/sa-dienelt.pdf A student research project that utilizes hooking.
http://www.linuxmanpages.com/man2/ptrace.2.php Functionality that allows a piece of software to observe and control the execution of another process.
http://securityvulns.ru/articles/reveng/ Use of LD_PRELOAD to hook shared library calls.

Emacs

Emacs Hooks Hooks are an important mechanism for customization of Emacs. A hook is a Lisp variable which holds a list of functions, to be called on some well-defined occasion. (This is called running the hook.)

iOS

MobileSubstrate Framework for jailbroken iOS devices allowing developers to hook into any other framework or application.