kubo / Funchook

Licence: other
Hook function calls by inserting jump instructions at runtime


Funchook - an API hook library

This library depends on one of the following disassemblers.

On x86_64 and x86

  • diStorm3 (default)
  • zydis (when -DFUNCHOOK_DISASM=zydis is passed to the cmake command)
  • capstone (when -DFUNCHOOK_DISASM=capstone is passed to the cmake command)

On arm64

  • capstone

TODO

  • write documents.

News

1.1.0 (2020-03-22)

  • Arm64 Linux support. capstone is used as the disassembler library on arm64.
  • Options to use zydis and capstone as a disassembler library on x86_64 and x86.
  • extern "C" was added in funchook.h for C++. (#15)
  • Libc-compatible functions were removed to simplify code.

1.0.0 (2020-01-19)

  • diStorm3 is used as the disassembler library.
  • Libc-compatible functions were implemented on Linux in order not to hook function calls issued by funchook itself.

Supported Platforms

Tested on Travis CI

  • Linux x86_64
  • Linux x86
  • Linux arm64 (since 1.1.0)
  • macOS x86_64 (Functions in executables cannot be hooked when Xcode version >= 11.0. (*1))
  • macOS x86 (Xcode version <= 10.1(*2))
  • Windows x64 (except C-runtime functions under Wine)
  • Windows 32-bit

*1 mprotect fails with EACCES.
*2 Xcode 10.2 dropped support for building 32-bit apps.

Compilation and installation

Unix

$ git clone --recursive https://github.com/kubo/funchook.git
$ mkdir build
$ cd build
$ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/path/to/install/directory ../funchook
$ make
$ make install
  • Available CMAKE_BUILD_TYPE values are empty(default), Debug, Release, RelWithDebInfo(release build with debug information) and MinSizeRel.

  • When CMAKE_INSTALL_PREFIX isn't set, funchook is installed at /usr/local.

    installed files:

    • ${CMAKE_INSTALL_PREFIX}/include/funchook.h (header file)
    • ${CMAKE_INSTALL_PREFIX}/lib/libfunchook.so (symbolic link to libfunchook.so.1)
    • ${CMAKE_INSTALL_PREFIX}/lib/libfunchook.so.1 (soname; symbolic link to libfunchook.so.1.1.0)
    • ${CMAKE_INSTALL_PREFIX}/lib/libfunchook.so.1.1.0 (shared library)
    • ${CMAKE_INSTALL_PREFIX}/lib/libfunchook.a (static library)

Windows

Here is an example to compile funchook with Visual Studio 2017 Win64. Change the argument of -G to use other compilers.

$ git clone --recursive https://github.com/kubo/funchook.git
$ mkdir build
$ cd build
$ cmake -G "Visual Studio 15 2017 Win64" -DCMAKE_INSTALL_PREFIX=c:\path\to\install\directory ..\funchook
$ cmake --build . --config Release --target INSTALL
  • Available -G arguments (generators) are listed in the output of cmake --help.

  • Available --config arguments are Debug(default), Release, RelWithDebInfo and MinSizeRel.

  • When CMAKE_INSTALL_PREFIX isn't set, funchook is installed at c:\Program Files\funchook.

    installed files:

    • ${CMAKE_INSTALL_PREFIX}\include\funchook.h (header file)
    • ${CMAKE_INSTALL_PREFIX}\bin\funchook.dll (shared library)
    • ${CMAKE_INSTALL_PREFIX}\bin\funchook.pdb (debug file for funchook.dll when --config is Debug or RelWithDebInfo)
    • ${CMAKE_INSTALL_PREFIX}\lib\funchook.lib (static library)
    • ${CMAKE_INSTALL_PREFIX}\lib\funchook_dll.lib (import library for funchook.dll)

Example

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <funchook.h>

static ssize_t (*send_func)(int sockfd, const void *buf, size_t len, int flags);
static ssize_t (*recv_func)(int sockfd, void *buf, size_t len, int flags);

static ssize_t send_hook(int sockfd, const void *buf, size_t len, int flags)
{
    ssize_t rv;

    /* do your task: logging, etc. */
    fprintf(stderr, "send(fd=%d, len=%zu)\n", sockfd, len);
    rv = send_func(sockfd, buf, len, flags); /* call the original send(). */
    /* do your task: logging, checking the return value, etc. */
    fprintf(stderr, "send() returned %zd\n", rv);
    return rv;
}

static ssize_t recv_hook(int sockfd, void *buf, size_t len, int flags)
{
    ssize_t rv;

    /* do your task: logging, etc. */
    fprintf(stderr, "recv(fd=%d, len=%zu)\n", sockfd, len);
    rv = recv_func(sockfd, buf, len, flags); /* call the original recv(). */
    /* do your task: logging, checking received data, etc. */
    fprintf(stderr, "recv() returned %zd\n", rv);
    return rv;
}

int install_hooks(void)
{
    funchook_t *funchook = funchook_create();
    int rv;

    if (funchook == NULL) {
        return -1;
    }

    /* Prepare hooking.
     * On return, send_func points to a trampoline that is used to call
     * the original send function from send_hook.
     */
    send_func = send;
    rv = funchook_prepare(funchook, (void**)&send_func, send_hook);
    if (rv != 0) {
        fprintf(stderr, "funchook_prepare(send): %s\n", funchook_error_message(funchook));
        funchook_destroy(funchook);
        return rv;
    }

    /* ditto */
    recv_func = recv;
    rv = funchook_prepare(funchook, (void**)&recv_func, recv_hook);
    if (rv != 0) {
        fprintf(stderr, "funchook_prepare(recv): %s\n", funchook_error_message(funchook));
        funchook_destroy(funchook);
        return rv;
    }

    /* Install hooks.
     * The first bytes of send() and recv() (a 5-byte jump on x86 and x86_64)
     * are overwritten with jumps to send_hook and recv_hook respectively.
     */
    rv = funchook_install(funchook, 0);
    if (rv != 0) {
        fprintf(stderr, "funchook_install: %s\n", funchook_error_message(funchook));
        funchook_destroy(funchook);
        return rv;
    }
    return 0;
}
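The comment above says funchook_install() rewrites the first 5 bytes of each target. The following is an added example, not code from funchook itself, showing what those 5 bytes are on x86/x86_64 (an E9 jmp rel32, an assumption about the encoding funchook chooses; the page only states the length) and how a practitioner can check from inside a process whether a function's prologue has been redirected. It also shows the edge case the relative encoding imposes: a hook further than 2 GiB from the target cannot be reached by this instruction. The addresses 0x401000, 0x401100 and 0x7f0000000000 are constructed sample values; prologue_is_jmp() reads the live code of a function in this binary.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* opcode E9 followed by a 4-byte displacement */

/* Encode "jmp rel32" placed at address `from` so that it lands on `to`.
 * The displacement is relative to the end of the 5-byte instruction and
 * must fit in a signed 32-bit value, i.e. the target has to lie within
 * +/-2 GiB. Returns 1 on success, 0 when the target is out of reach. */
int encode_jmp_rel32(uint64_t from, uint64_t to, unsigned char out[JMP_REL32_LEN])
{
    int64_t disp = (int64_t)to - (int64_t)(from + JMP_REL32_LEN);
    uint32_t u;
    if (disp < INT32_MIN || disp > INT32_MAX) {
        return 0;
    }
    u = (uint32_t)(int32_t)disp;
    out[0] = 0xE9;
    out[1] = (unsigned char)(u & 0xff);          /* little-endian displacement */
    out[2] = (unsigned char)((u >> 8) & 0xff);
    out[3] = (unsigned char)((u >> 16) & 0xff);
    out[4] = (unsigned char)((u >> 24) & 0xff);
    return 1;
}

/* Decode 5 bytes of code located at `addr`. If they form a jmp rel32, store
 * the absolute jump target in *target and return 1; any other prologue
 * (an ordinary "push rbp", "endbr64", ...) returns 0. */
int decode_jmp_rel32(uint64_t addr, const unsigned char code[JMP_REL32_LEN], uint64_t *target)
{
    uint32_t u;
    if (code[0] != 0xE9) {
        return 0;
    }
    u = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
        ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    *target = (uint64_t)((int64_t)(addr + JMP_REL32_LEN) + (int32_t)u);
    return 1;
}

/* Inspect the live prologue of a function in this process: the text
 * segment is readable, so the first bytes can simply be copied out. */
int prologue_is_jmp(const void *fn, uint64_t *target)
{
    unsigned char code[JMP_REL32_LEN];
    memcpy(code, fn, JMP_REL32_LEN);
    return decode_jmp_rel32((uint64_t)(uintptr_t)fn, code, target);
}

/* A function whose body cannot compile to a bare jump (no tail call). */
static int plain_function(int x)
{
    return x * 3 + 1;
}

int main(void)
{
    unsigned char patch[JMP_REL32_LEN];
    uint64_t target = 0;

    /* Constructed addresses: a target at 0x401000, a hook 256 bytes after it. */
    if (encode_jmp_rel32(0x401000, 0x401100, patch)) {
        decode_jmp_rel32(0x401000, patch, &target);
        printf("jmp at 0x401000 -> 0x%llx\n", (unsigned long long)target);
    }
    /* A hook mapped more than 2 GiB away is not reachable by jmp rel32. */
    if (!encode_jmp_rel32(0x401000, 0x7f0000000000ULL, patch)) {
        printf("hook out of rel32 range\n");
    }
    /* An untouched function in this binary does not start with E9. */
    printf("plain_function redirected: %d\n",
           prologue_is_jmp((const void *)plain_function, &target));
    return 0;
}
```

The range check is the reason a 5-byte inline hook is not always a single jump: when the hook function lives in a library mapped far from the target, the first jump has to land on code placed near the target, which in turn reaches the real hook. decode_jmp_rel32() only reports the first hop, so when auditing a process for redirected prologues, resolve that hop and inspect where it leads as well.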

Example - Using Python ctypes

# should work on python 2.7/3 windows/linux

# load funchook
import ctypes
fh_lib = ctypes.cdll.LoadLibrary('/path/to/funchook/dll/or/so')

# define signatures (funchook_prepare and funchook_install return int, see funchook.h)
funchook_create = fh_lib.funchook_create
funchook_create.restype = ctypes.c_void_p
funchook_create.argtypes = []

funchook_prepare = fh_lib.funchook_prepare
funchook_prepare.restype = ctypes.c_int
funchook_prepare.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p]

funchook_install = fh_lib.funchook_install
funchook_install.restype = ctypes.c_int
funchook_install.argtypes = [ctypes.c_void_p, ctypes.c_int]

PySys_WriteStdout = ctypes.pythonapi.PySys_WriteStdout
PySys_WriteStdout.restype = None
PySys_WriteStdout.argtypes = [ctypes.c_char_p]

# These must stay referenced at module level for as long as the hook is installed.
# If the callback or the pointer object is garbage-collected, the jump written
# into PySys_WriteStdout lands in freed memory and the interpreter crashes.
orig_write = None
hook = None
orig_write_ptr = None

# create hook (this function will replace the original function)
# PySys_WriteStdout is printf-style variadic; this hook only forwards the format
# string, so only pass messages without '%' conversions through it.
hook_type = ctypes.PYFUNCTYPE(None, ctypes.c_char_p)
def hook_impl(msg):
    print('about to write: ' + str(msg)) # do what we want
    orig_write(msg)                      # call the original function

hook = hook_type(hook_impl)

fh = funchook_create()
assert fh, 'funchook_create() failed'
# create a pointer object holding the address of the original function
orig_write_ptr = ctypes.c_void_p(ctypes.c_void_p.from_address(ctypes.addressof(PySys_WriteStdout)).value)
# after funchook_prepare, orig_write_ptr.value is a trampoline to the original
# PySys_WriteStdout; after funchook_install, calls to PySys_WriteStdout land in the hook
ret = funchook_prepare(fh, ctypes.addressof(orig_write_ptr), hook)
assert not ret, 'funchook_prepare returned ' + str(ret)
# bind the trampoline before installing, so the hook never runs with orig_write unset
orig_write = hook_type.from_address(ctypes.addressof(orig_write_ptr))
ret = funchook_install(fh, 0)
assert not ret, 'funchook_install returned ' + str(ret)
PySys_WriteStdout(b'hi there\n')

License

GPLv2 or later with a GPL linking exception.

You can use funchook in any software. Though funchook is licensed under the GPL, the licence does not affect anything outside of funchook because of the linking exception. You do not need to release your own source code under the GPL; only funchook itself is covered.

If you modify funchook itself and release it, the modified part must be released under the GPL, with or without the linking exception, because funchook itself is under the GPL.

diStorm3 and capstone are released under the 3-clause BSD license. zydis is released under the MIT license. They are compatible with the GPL.