-
Notifications
You must be signed in to change notification settings - Fork 0
/
API.txt
299 lines (177 loc) · 7 KB
/
API.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
NAME
__ihook_version__
SYNOPSIS
const char __ihook_version__[]
DESCRIPTION
Check library version
RETURN VALUE
Version of the library
EXAMPLE
extern char __ihook_version__[];
MessageBoxA(NULL, __ihook_version__, "version", MB_OK);
----------------------------------------
NAME
hookitByName
SYNOPSIS
#define IHOOK_CALL_STDCALL
#include "hookit.h"
IHOOKAPI int IHOOKCALL hookitByName(char *fctname, char *dllname, DWORD hookaddr);
DESCRIPTION
hookitByName function perform an inline patching on the function specified by
"fctname" which belong to "dllname". The patch is a short jump to an address
specified by "hookaddr".
RETURN VALUE
hookitByName function return a positive value (> 0) if succeed. Otherwise one of the
following values is returned:
ERR_ALLOCA(-2) // Can't allocate memory
ERR_ADDR(-3) // Can't get address of function to hook
ERR_PROT(-4) // Can't set permission for the page pointed by the function to hook
UNKNOWN_OPCODE(-1) // BeaEngine return value
OUT_OF_BLOCK(0) // BeaEngine return value
If succeed the value returned by hookit is an ID and it can be used later to
cleanup the hook.
EXAMPLE
DWORD ret;
ret = hookitByName("recv", "ws2_32.dll", (DWORD)MyHookFct);
----------------------------------------
NAME
hookitByAddress
SYNOPSIS
#define IHOOK_CALL_STDCALL
#include "hookit.h"
IHOOKAPI int IHOOKCALL hookitByAddress(DWORD addrToHook, DWORD hookaddr);
DESCRIPTION
hookitByAddress function perform an inline patching on the function specified its
address pointed by "addrToHook". The patch is a short jump to an address specified
by "hookaddr".
RETURN VALUE
hookitByAddress function return a positive value (> 0) if succeed. Otherwise one of the
following values is returned:
ERR_ALLOCA(-2) // Can't allocate memory
ERR_ADDR(-3) // Can't get address of function to hook
ERR_PROT(-4) // Can't set permission for the page pointed by the function to hook
UNKNOWN_OPCODE(-1) // BeaEngine return value
OUT_OF_BLOCK(0) // BeaEngine return value
If succeed the value returned by hookit is an ID and it can be used later to
cleanup the hook.
EXAMPLE
DWORD ret;
ret = hookitByAddress(&function_to_hook, &my_hook_function);
----------------------------------------
NAME
getReturnAddressByName
SYNOPSIS
#define IHOOK_CALL_STDCALL
#include "hookit.h"
IHOOKAPI DWORD IHOOKCALL getReturnAddressByName(char *fctname, char *dllname);
DESCRIPTION
getReturnAddressByName function return a pointer in order to execute the original
function. To do this, it takes the function name pointed by "fctname" and the DLL
name which this function belong to.
RETURN VALUE
getReturnAddressByName function return an address in DWORD format if succeed. This
value need to be casted to a function pointer with the same prototype of the function
hooked.
If failed, the following value is returned:
ERR_NOTLIST(-5) // Function not in list
EXAMPLE
typedef int (WINAPI* hook_recv) (SOCKET, const char*, int , int);
DWORD addr;
hook_recv fct;
addr = getReturnAddressByName("recv", "ws2_32.dll");
if ((int) addr < 0)
printf("You did something wrong\n");
fct = (hook_recv) addr;
----------------------------------------
NAME
getReturnAddressById
SYNOPSIS
#define IHOOK_CALL_STDCALL
#include "hookit.h"
IHOOKAPI DWORD IHOOKCALL getReturnAddressById(DWORD id);
DESCRIPTION
getReturnAddressById function return a pointer in order to execute the original
function. To do this, it takes an ID returned by "hookit" function.
RETURN VALUE
getReturnAddressById function return an address in DWORD format if succeed. This
value need to be casted to a function pointer with the same prototype of the
function hooked.
If failed, the following value is returned:
ERR_NOTLIST(-5) // Function not in list
EXAMPLE
typedef int (WINAPI* hook_recv) (SOCKET, const char*, int , int);
DWORD addr;
hook_recv fct;
addr = getReturnAddressById(0x1000);
if ((int) addr < 0)
printf("You did something wrong\n");
fct = (hook_recv) addr;
----------------------------------------
NAME
getReturnAddressByAddr
SYNOPSIS
#define IHOOK_CALL_STDCALL
#include "hookit.h"
IHOOKAPI DWORD IHOOKCALL getReturnAddressByAddr(DWORD hookedAddr);
DESCRIPTION
getReturnAddressByAddr function return a pointer in order to execute the original
function. To do this, it takes the address of the original function used in hookitByAddress
second parameter.
RETURN VALUE
getReturnAddressByAddr function return an address in DWORD format if succeed. This
value need to be casted to a function pointer with the same prototype of the
function hooked.
If failed, the following value is returned:
ERR_NOTLIST(-5) // Function not in list
EXAMPLE
typedef int (WINAPI* hook_recv) (SOCKET, const char*, int , int);
DWORD addr;
hook_recv fct;
addr = getReturnAddressByAddr(&original_function);
if ((int) addr < 0)
printf("You did something wrong\n");
fct = (hook_recv) addr;
----------------------------------------
NAME
unhookByName
SYNOPSIS
#define IHOOK_CALL_STDCALL
#include "hookit.h"
IHOOKAPI int IHOOKCALL unhookByName(char *fctname, char *dllname);
DESCRIPTION
unhookByName function cleanup the inline patching executed by "hookit" function. To
do this, it takes the function name pointed by "fctname" and the DLL name which this
function belong to.
RETURN VALUE
unhookByName return TRUE if succeed, otherwirse one of the following values is returned:
ERR_PROT(-4) // Can't set permission for the page pointed by the function to hook
ERR_NOTLIST(-5) // Function not in list
ERR_PARAM(-6) // Bad parameters
----------------------------------------
NAME
unhookById
SYNOPSIS
#define IHOOK_CALL_STDCALL
#include "hookit.h"
IHOOKAPI int IHOOKCALL unhookById(DWORD id);
DESCRIPTION
unhookById function cleanup the inline patching executed by "hookit" function. To
do this, it takes the ID returned by a previous call to "hookit".
RETURN VALUE
unhookById return TRUE if succeed, otherwirse one of the following values is returned:
ERR_PROT(-4) // Can't set permission for the page pointed by the function to hook
ERR_NOTLIST(-5) // Function not in list
----------------------------------------
NAME
unhookByAddr
SYNOPSIS
#define IHOOK_CALL_STDCALL
#include "hookit.h"
IHOOKAPI int IHOOKCALL unhookByAddr(DWORD hookedAddr);
DESCRIPTION
unhookByAddr function cleanup the inline patching executed by "hookitByAddress" function. To
do this, it takes the original function address used by a previous call to "hookitByAddress".
RETURN VALUE
unhookByAddr return TRUE if succeed, otherwirse one of the following values is returned:
ERR_PROT(-4) // Can't set permission for the page pointed by the function to hook
ERR_NOTLIST(-5) // Function not in list