chen-charles / PEDetour

License: GPL-3.0
modify binary Portable Executable to hook its export functions

PEDetour

Dependencies

This project uses the Capstone disassembly framework and the Keystone assembly framework.
Their licenses and compiled binaries are included in the capstone-win32 and keystone-win32 folders.
Further information is available from the Capstone and Keystone projects.
LLVM's license is also included, as it forms part of Capstone and Keystone.

Compile

This project uses relative library paths, so no path adjustments are needed.
The SDK version is set to 10.0.14393.0 with the Visual Studio 2017 (v141) toolset.
No modifications are needed if you use exactly that SDK version and toolset.
Otherwise, you may need to recompile Capstone and Keystone for your specific toolset.

Platform

There are two platforms available in the Visual Studio solution: x86 and x64 (x86_64).
x86: the compiled binary only supports 32-bit PE files; it throws an exception for 64-bit files.
x64 (x86_64): the compiled binary only supports 64-bit PE files; it throws an exception for 32-bit files.

Usage

PEDetour currently supports two modes of operation: viewExports and injectFunction.

viewExports (print all export functions listed in the Export Directory)

PEDetour PEFileName
PEFileName          the PE file you want to inspect
PEDetour C:\Windows\System32\kernel32.dll   // this is a 64-bit file, in case you were wondering :)

injectFunction (inject a piece of code that replaces the original export function)

PEDetour inputFileName outputFileName functionToInject InjectFileName ...
inputFileName       the PE file you want to inject into (this file itself is not modified)
outputFileName      where the modified PE will be written
functionToInject    the function you want to replace (its name as it appears in viewExports)
InjectFileName      the assembly file, in Intel syntax, whose code replaces the original function
...                 OPTIONAL additional imports to add to the output PE

Additional imports must be given in the format "filename.whatever::functionName" (the import file name must be lowercase; functionName is case-sensitive).
If no additional imports are specified, the following are imported by default:

  • kernel32.dll::GetProcessHeap
  • kernel32.dll::HeapAlloc
  • kernel32.dll::LoadLibraryA
  • kernel32.dll::GetProcAddress
  • kernel32.dll::Beep
  • user32.dll::MessageBoxA
  • inputFileName::functionToInject

PEDetour TestDLL.bak TestDLL.dll ?fnTestDLL@@YAHXZ inject.x86.asm   // you can find these files in the Release binaries

Demo

For notes on writing injection assembly files, see inject.x86.asm and inject.x86_64.asm.
Demos are included in the Release binaries.

License

Version 3 of the GNU General Public Licence (GPLv3)

Known Limitations

As of v1.0:

  • IMAGE_DIRECTORY_ENTRY_SECURITY, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG and IMAGE_DIRECTORY_ENTRY_EXCEPTION are dropped from the data directories (so the output PE loses its Authenticode signature, debug data, load-config data and x64 unwind information)
  • IMAGE_DIRECTORY_ENTRY_GLOBALPTR, IMAGE_DIRECTORY_ENTRY_TLS, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT and IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR are not fixed up
  • there is an issue with Capstone (3.0.4) and Keystone (0.9.1) in handling the x86_64 REX prefix; see line 200 in PE.h (code generated by Visual Studio). It is currently bypassed by hard-coding (ikr)
  • for x86_64, you must use full 64-bit addressing for library function calls (as described in inject.x86_64.asm)
  • .xdata sections are not available for the injected function, so it must use either stack space, or kernel32::GetProcessHeap together with kernel32::HeapAlloc