-
-
Notifications
You must be signed in to change notification settings - Fork 172
Home
Welcome to the PolyHook Wiki This page contains the How-To portion of the project
-
PolyHook is a header and cpp only library, it does not create a .dll or .lib
-
PolyHook relies on a modified branch of Capstone. To use PolyHook you must download this modified branch, which can be found Here
-
Follow the build instruction for capstone to generate the .lib files
-
Place the entire capstone folder after building into the PolyHook folder, example structure:
- PolyHook (folder)
- Capstone (folder)
- PolyHook (folder)
- PolyHook.sln
- README.md
- The example PolyHook project should now compile, if you want to use PolyHook in your own project copy PolyHook.h and PolyHook.cpp into your project and then include Capstone.h and link against capstone.lib
-
x86 Detour
-
E9 Relative Jump
-
Performs code relocation
-
Uses a Capstone as length disassembler to avoid corrupting instructions
-
-
x64 Detour
-
FF,25 Relative Absolute Jump, reads 64bit address from address pointed to jmp [RIP+Disp]
-
Performs code relocation, including RIP relative code
-
Uses Capstone as length disassembler to avoid corrupting instructions
-
Allocates trampoline within 2GB of source to support 32bit relative instructions
-
-
Virtual Function Detour
- Performs either x86 or x64 detour on the function pointed at by the vtable
-
Virtual Function Pointer Swap
- Replaces the function pointed to by the vtable with a pointer to the hook
-
Virtual Table Pointer Swap
- Allocates a new virtual table, copies all the virtual function pointers into the new vtable, changes the virtual function pointer for the source to the hook function, then swaps the old vtable pointer to the newly allocated one
-
IAT Hook
- Walks the import address table, finds the source function, swaps the pointer to the source with a pointer to the hook
-
VEH INT3 Hook
- Uses an INT3 breakpoint to generate an exception, catches the exception, changes the instruction pointer to the target where the user can do whatever, and restores the protection using a C++ RAII object.