
Menooker / PFishHook

Licence: Apache-2.0 license
An x64 inline hook library



PFishHook

PFishHook is an x64 inline hook library. It is developed and tested on Linux, but "should" work on other POSIX-compatible systems such as UNIX and macOS. Windows support is planned.

PFishHook lets you intercept calls to a function and replace the target function with your own. This is useful for hooking APIs in order to monitor and change their behavior.

Build instructions

PFishHook depends on Zydis, a fast and lightweight x86/x86-64 disassembler library, which is pulled in as a git submodule. First, you need to build Zydis:

git submodule init
git submodule update
mkdir build
cd build
cmake ..
make

Now you can find libPFishHook.a in the "build" directory. To compile with PFishHook, add build/libPFishHook.a and build/3rdparty/zydis/libZydis.a to your link arguments.

How to use

The most important API is

HookStatus HookIt(void* oldfunc, void** poutold, void* newfunc);

The parameter "oldfunc" is the target function to hook. "poutold" is a pointer to the pointer that will receive the "shadow function", and "newfunc" is your function that replaces "oldfunc". Inside "newfunc", you can call the "shadow" function to invoke the unmodified version of the original function.

#include <cstdio>
#include <dlfcn.h>      // dlsym, RTLD_NEXT
#include <fcntl.h>      // open, O_*
#include <unistd.h>     // read, write, close
#include "PFishHook.h"  // HookStatus, HookIt (header name assumed)

typedef ssize_t (*ptrread)(int fd, void *buf, size_t nbytes);
ptrread oldread;  // the "shadow" read, filled in by HookIt

// Replacement for read(): logs the call, then forwards to the shadow function
extern "C" ssize_t myread(int fd, void *buf, size_t nbytes)
{
	fprintf(stderr, "read\n");
	ssize_t ret = oldread(fd, buf, nbytes);
	fprintf(stderr, "read ret %zd\n", ret);  // %zd for ssize_t, not %d
	return ret;
}

void readwrite()
{
	int fd, size;
	char s[] = "Linux Programmer!\n", buffer[80];
	fd = open("/tmp/temp", O_WRONLY | O_CREAT, 0644);  // O_CREAT requires a mode argument
	write(fd, s, sizeof(s));
	close(fd);
	fd = open("/tmp/temp", O_RDONLY);
	size = read(fd, buffer, sizeof(buffer));  // goes through myread once hooked
	close(fd);
	printf("%s", buffer);
}

int main()
{
	void *readaddr = dlsym(RTLD_NEXT, "read");  // resolve libc's read
	printf("Hook %d\n", (int)HookIt(readaddr, (void **)&oldread, (void *)myread));
	readwrite();
	return 0;
}

How it works

PFishHook copies a few bytes from the head of the target function into a new "shadow function". It then replaces the head of the target function with a jump to the function specified by the user, and returns the address of the "shadow function" to the user.

The "shadow function" has the same functionality as the original function.
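The following C program is an added illustration of the mechanism just described and is not code from PFishHook. It simulates HookIt on plain byte buffers (no executable memory is written): the head of a constructed 19-byte target is copied into a "shadow" buffer, a jump back to the rest of the target is appended, and the target's head is overwritten with a 14-byte absolute jump to the replacement. The 14-byte encoding used here (jmp qword ptr [rip+0] followed by the 8-byte target address) matches the jump size the README states, but is an assumption about the library's exact encoding. The addresses 0x401000 and 0x7f0000001000, the function names and the sample instruction bytes are all constructed for the example. The same decoder doubles as a defender-side integrity check that tells whether a live prologue has been detoured.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ABS_JMP_LEN 14   /* FF 25 00 00 00 00 + 8-byte absolute target */

/* Write `jmp qword ptr [rip+0]` followed by the 64-bit target. With a displacement of 0
 * the CPU reads the target pointer from the 8 bytes right after the instruction. */
static size_t encode_abs_jmp(uint8_t *out, uint64_t target) {
    static const uint8_t opcode[6] = {0xFF, 0x25, 0, 0, 0, 0};
    memcpy(out, opcode, 6);
    for (int i = 0; i < 8; i++) out[6 + i] = (uint8_t)(target >> (8 * i));
    return ABS_JMP_LEN;
}

/* Recognise that jump at `code`; on success store its target and return 1. */
static int decode_abs_jmp(const uint8_t *code, size_t len, uint64_t *target) {
    static const uint8_t opcode[6] = {0xFF, 0x25, 0, 0, 0, 0};
    if (len < ABS_JMP_LEN || memcmp(code, opcode, 6) != 0) return 0;
    uint64_t t = 0;
    for (int i = 7; i >= 0; i--) t = (t << 8) | code[6 + i];
    if (target) *target = t;
    return 1;
}

typedef enum { SIM_OK = 0, SIM_FUNC_TOO_SHORT, SIM_SHADOW_TOO_SMALL } sim_status;

/* Simulated HookIt on byte buffers:
 *  1. copy `head_len` bytes of the target into the shadow function,
 *  2. append a jump from the shadow back to target+head_len,
 *  3. overwrite the target's head with a jump to newfunc.
 * head_len must end on an instruction boundary and contain no RIP-relative instructions;
 * the real library decides that with a disassembler, here the caller supplies it (assumption). */
static sim_status sim_hook(uint8_t *func, size_t func_len, uint64_t func_addr, size_t head_len,
                           uint8_t *shadow, size_t shadow_cap, size_t *shadow_len,
                           uint64_t newfunc_addr) {
    if (func_len < ABS_JMP_LEN || head_len < ABS_JMP_LEN || head_len > func_len) return SIM_FUNC_TOO_SHORT;
    if (shadow_cap < head_len + ABS_JMP_LEN) return SIM_SHADOW_TOO_SMALL;
    memcpy(shadow, func, head_len);
    encode_abs_jmp(shadow + head_len, func_addr + head_len);
    *shadow_len = head_len + ABS_JMP_LEN;
    encode_abs_jmp(func, newfunc_addr);
    /* Old head bytes beyond the jump are dead; filling them with int3 (0xCC) is this example's
     * choice so that a stray jump into the middle traps instead of executing leftover bytes. */
    memset(func + ABS_JMP_LEN, 0xCC, head_len - ABS_JMP_LEN);
    return SIM_OK;
}

/* Defender-side check: does a live prologue start with a detour, or differ from a golden copy? */
static int prologue_hooked(const uint8_t *live, const uint8_t *golden, size_t len, uint64_t *target) {
    if (decode_abs_jmp(live, len, target)) return 1;
    return memcmp(live, golden, len) != 0;
}

/* Constructed 19-byte stand-in for a target function (push rbp; mov rbp,rsp; sub rsp,0x10;
 * mov [rbp-4],edi; mov eax,[rbp-4]; add eax,1; leave; ret). The first five instructions are
 * exactly 14 bytes, so head_len = 14 lands on an instruction boundary. */
static const uint8_t kFunc[19] = {0x55, 0x48,0x89,0xE5, 0x48,0x83,0xEC,0x10, 0x89,0x7D,0xFC,
                                  0x8B,0x45,0xFC, 0x83,0xC0,0x01, 0xC9, 0xC3};
static const uint64_t kFuncAddr = 0x401000, kNewFunc = 0x7f0000001000;  /* constructed addresses */

/* Runs the scenario; returns 0 on success or the number of the first failed check. */
static int run_demo(void) {
    uint8_t func[19], shadow[64]; size_t shadow_len = 0; uint64_t t = 0;
    memcpy(func, kFunc, sizeof func);
    if (prologue_hooked(func, kFunc, 14, NULL)) return 1;                      /* clean before hooking */
    if (sim_hook(func, sizeof func, kFuncAddr, 14, shadow, sizeof shadow, &shadow_len, kNewFunc) != SIM_OK) return 2;
    if (shadow_len != 28) return 3;                                            /* 14 copied + 14 jump */
    if (memcmp(shadow, kFunc, 14) != 0) return 4;                              /* shadow keeps the original head */
    if (!decode_abs_jmp(shadow + 14, 14, &t) || t != kFuncAddr + 14) return 5; /* ... then jumps past it */
    if (!prologue_hooked(func, kFunc, 14, &t) || t != kNewFunc) return 6;      /* target now detours to newfunc */
    if (sim_hook(func, 10, kFuncAddr, 10, shadow, sizeof shadow, &shadow_len, kNewFunc) != SIM_FUNC_TOO_SHORT) return 7;
    return 0;
}

int main(void) {
    int r = run_demo();
    printf("%s (check %d)\n", r == 0 ? "all checks passed" : "FAILED", r);
    return r;
}
```

Check 7 shows the first limitation below in action: a function shorter than the 14-byte jump is rejected before anything is written. In a real process the shadow buffer must also be executable memory, which this simulation deliberately avoids.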

Limitations and known issues

  • PFishHook can only hook functions that are at least 14 bytes long (the size of the "jump" instruction it writes).
  • Some Linux syscall wrapper functions, like "read", have RIP-relative instructions in the function's head. Since the head is moved to the shadow function, the RIP changes, so the displacement of those RIP-relative instructions has to be patched.
  • PFishHook does not allow any jumps into the middle of the replaced (hooked) function head.

Users should check the functions they intend to hook carefully to see whether they violate the above limitations.
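The second limitation above, the need to patch RIP-relative displacements when the head moves, comes down to one formula: a RIP-relative operand is resolved against the address of the next instruction, so target = old_end + old_disp and the relocated instruction needs new_disp = target - new_end. The C code below is an added example, not PFishHook's code, that applies this to a constructed `mov eax, dword ptr [rip+0x10]` (8B 05 10 00 00 00) moved from 0x401000 to 0x7f0000, checks that the effective target is unchanged, and shows the failure mode the library would also have to handle: a shadow placed so far away that no 32-bit displacement reaches the original target. The ModRM offset is passed in by the caller here; in the real library that is what the Zydis disassembler is for (assumption about the library's internals).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit displacement read/write inside an instruction buffer. */
static int32_t rd32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    p[0] = u & 0xFF; p[1] = (u >> 8) & 0xFF; p[2] = (u >> 16) & 0xFF; p[3] = (u >> 24) & 0xFF;
}

/* target = old_end + old_disp; new_disp = target - new_end.
 * Returns 1 on success, 0 if the new displacement does not fit in 32 bits. */
static int relocate_rip_disp(int32_t old_disp, uint64_t old_end, uint64_t new_end, int32_t *new_disp) {
    uint64_t target = old_end + (uint64_t)(int64_t)old_disp;
    int64_t delta = (int64_t)(target - new_end);
    if (delta < INT32_MIN || delta > INT32_MAX) return 0;
    *new_disp = (int32_t)delta;
    return 1;
}

/* In 64-bit mode a ModRM byte with mod == 00 and r/m == 101 means [rip + disp32]. */
static int modrm_is_rip_relative(uint8_t modrm) {
    return ((modrm >> 6) & 3) == 0 && (modrm & 7) == 5;
}

/* Effective address an instruction at `addr` refers to (valid only for RIP-relative operands). */
static uint64_t rip_target(const uint8_t *ins, size_t ins_len, size_t modrm_off, uint64_t addr) {
    return addr + ins_len + (uint64_t)(int64_t)rd32(ins + modrm_off + 1);
}

/* Patch one instruction copied from old_addr to new_addr. modrm_off locates the ModRM byte,
 * ins_len is the full length including any trailing immediate.
 * Returns 1 if patched, 0 if the operand is not RIP-relative, -1 if the displacement overflowed. */
static int patch_rip_relative(uint8_t *ins, size_t ins_len, size_t modrm_off,
                              uint64_t old_addr, uint64_t new_addr) {
    if (modrm_off >= ins_len || !modrm_is_rip_relative(ins[modrm_off])) return 0;
    if (modrm_off + 5 > ins_len) return 0;  /* truncated: no room for disp32 */
    int32_t nd;
    if (!relocate_rip_disp(rd32(ins + modrm_off + 1), old_addr + ins_len, new_addr + ins_len, &nd)) return -1;
    wr32(ins + modrm_off + 1, nd);
    return 1;
}

/* Constructed sample: mov eax, dword ptr [rip+0x10], 6 bytes, ModRM at offset 1,
 * originally at 0x401000 and moved to a shadow function at 0x7f0000. */
static const uint8_t kMovRip[6] = {0x8B, 0x05, 0x10, 0x00, 0x00, 0x00};
static const uint64_t kOldAddr = 0x401000, kNewAddr = 0x7f0000;

/* Displacement after relocation: 0x401016 - 0x7f0006 = -4124656. */
static int32_t demo_patched_disp(void) {
    uint8_t ins[6]; memcpy(ins, kMovRip, 6);
    if (patch_rip_relative(ins, 6, 1, kOldAddr, kNewAddr) != 1) return 0;
    return rd32(ins + 2);
}

/* The invariant that matters: old and relocated instruction resolve to the same address. */
static int demo_target_preserved(void) {
    uint8_t ins[6]; memcpy(ins, kMovRip, 6);
    uint64_t before = rip_target(kMovRip, 6, 1, kOldAddr);
    if (patch_rip_relative(ins, 6, 1, kOldAddr, kNewAddr) != 1) return 0;
    return rip_target(ins, 6, 1, kNewAddr) == before && before == 0x401016;
}

/* Shadow placed ~127 TiB away: the original target is out of disp32 range, so -1. */
static int demo_overflow(void) {
    uint8_t ins[6]; memcpy(ins, kMovRip, 6);
    return patch_rip_relative(ins, 6, 1, kOldAddr, 0x7f0000000000ULL);
}

/* mov eax, [rbp-4] (8B 45 FC) uses a base register, not RIP, so nothing is patched. */
static int demo_not_rip_relative(void) {
    uint8_t ins[3] = {0x8B, 0x45, 0xFC};
    return patch_rip_relative(ins, 3, 1, kOldAddr, kNewAddr);
}

int main(void) {
    printf("patched disp: %d\n", (int)demo_patched_disp());
    printf("target preserved: %d, overflow: %d, non-rip: %d\n",
           demo_target_preserved(), demo_overflow(), demo_not_rip_relative());
    return 0;
}
```

When relocation fails with -1, the instruction cannot simply be copied; a hook library then has to either place the shadow within 2 GiB of the target or rewrite the instruction into an equivalent that does not use RIP, which is exactly the kind of case the README asks users to check for before hooking.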
