Join VipMods site Today!

"Its' free and it takes less than 1 minute!"


No announcement yet.

WarFace Hooking?

  • Filter
  • Time
  • Show
Clear All
new posts

  • WarFace Hooking?

    So, I was looking at the game WarFace for the fun of it.
    I don't own my own pc so what I do is over at an Internet Cafe.
    Anyone has attempted to this except Luda??
    I was quite curious to see the game.
    Luda gave it an interest why not me?
    So, hard patching the Direct 3D API using a detour or just VMT hook ??
    Just asking btw

  • #2

    In computer programming, the term hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components[disambiguation needed]. Code that handles such intercepted function calls, events or messages is called a "hook".

    Hooking is used for many purposes, including debugging and extending functionality. Examples might include intercepting keyboard or mouse event messages before they reach an application, or intercepting operating system calls in order to monitor behavior or modify the function of an application or other component. It is also widely used in benchmarking programs, for example frame rate measuring in 3D games, where the output and input is done through hooking.

    Hooking can also be used by malicious code. For example, rootkits, pieces of software that try to make themselves invisible by faking the output of API calls that would otherwise reveal their existence, often use hooking techniques. A wallhack is another example of malicious behavior that can stem from hooking techniques. It is done by intercepting function calls in a computer game and altering what is shown to the player to allow them to gain an unfair advantage over other players.

    Contents [hide]
    1 Methods
    1.1 Physical modification
    1.2 Runtime modification
    2 Sample code
    2.1 Virtual Method Table hooking
    2.2 C# keyboard event hook
    2.3 API/Function Hooking/Interception Using JMP Instruction
    2.4 Netfilter hook
    2.5 Internal IAT Hooking
    3 See also
    4 References
    5 External links
    5.1 General
    5.2 Windows
    5.3 Linux
    5.4 Emacs
    5.5 OS X and iOS
    5.6 In Depth API Hooking
    6 References
    Typically hooks are inserted while software is already running, but hooking is a tactic that can also be employed prior to the application being started. Both these techniques are described in greater detail below.

    Physical modification[edit]
    By physically modifying an executable or library before an application is running through techniques of reverse engineering you can also achieve hooking. This is typically used to intercept function calls to either monitor or replace them entirely.

    For example, by using a disassembler, the entry point of a function within a module[disambiguation needed] can be found. It can then be altered to instead dynamically load some other library module and then have it execute desired methods within that loaded library. If applicable, another related approach by which hooking can be achieved is by altering the import table of an executable. This table can be modified to load any additional library modules as well as changing what external code is invoked when a function is called by the application.

    An alternate method for achieving function hooking is by intercepting function calls through a wrapper library. When creating a wrapper, you make your own version of a library that an application loads, with all the same functionality of the original library that it will replace. That is, all the functions that are accessible are essentially the same between the original and the replacement. This wrapper library can be designed to call any of the functionality from the original library, or replace it with an entirely new set of logic.

    Runtime modification[edit]
    Operating systems and software may provide the means to easily insert event hooks at runtime. It is available provided that the process inserting the hook is granted enough permission to do so. Microsoft Windows for example, allows you to insert hooks that can be used to process or modify system events and application events for dialogs, scrollbars, and menus as well as other items. It also allows a hook to insert, remove, process or modify keyboard and mouse events. Linux provides another example where hooks can be used in a similar manner to process network events within the kernel through NetFilter.

    When such functionality is not provided, a special form of hooking employs intercepting the library function calls made by a process. Function hooking is implemented by changing the very first few code instructions of the target function to jump to an injected code. Alternatively on systems using the shared library concept, the interrupt vector table or the import descriptor table can be modified in memory. Essentially these tactics employ the same ideas as those of physical modification, but instead altering instructions and structures located in the memory of a process once it is already running.

    Sample code[edit]
    Virtual Method Table hooking[edit]
    Whenever a class defines a virtual function (or method), most compilers add a hidden member variable to the class which points to a virtual method table (VMT or Vtable). This VMT is basically an array of pointers to (virtual) functions. At runtime these pointers will be set to point to the right function, because at compile time, it is not yet known if the base function is to be called or a derived one implemented by a class that inherits from the base class. The code below shows an example of a typical VMT hook in Microsoft Windows.

    class VirtualTable { // example class
    virtual void VirtualFunction01( void );

    void VirtualTable::VirtualFunction01( void ) {
    printf("VirtualFunction01 called");

    typedef void ( __thiscall* VirtualFunction01_t )( void* thisptr );
    VirtualFunction01_t g_org_VirtualFunction01;

    //our detour function
    void __fastcall hk_VirtualFunction01( void* thisptr, int edx ) {
    printf("Custom function called");
    //call the original function
    int _tmain(int argc, _TCHAR* argv[]) {

    DWORD oldProtection;

    VirtualTable* myTable = new VirtualTable();
    void** base = *(void***)myTable;

    VirtualProtect( &base[0], 4, PAGE_EXECUTE_READWRITE, &oldProtection );
    //save the original function
    g_org_VirtualFunction01 = (VirtualFunction01_t)base[0];
    base[0] = &hk_VirtualFunction01;
    VirtualProtect( &base[0], 4, oldProtection, 0 );

    //call the virtual function (now hooked) from our class instance

    return 0;
    C# keyboard event hook[edit]
    The following example will hook into keyboard events in Microsoft Windows using the Microsoft .NET Framework.

    using System.Runtime.InteropServices;

    namespace Hooks
    public class KeyHook
    /* Member variables */
    protected static int Hook;
    protected static LowLevelKeyboardDelegate Delegate;
    protected static readonly object Lock = new object();
    protected static bool IsRegistered = false;

    /* DLL imports */
    private static extern int SetWindowsHookEx(int idHook, LowLevelKeyboardDelegate lpfn,
    int hmod, int dwThreadId);

    private static extern int CallNextHookEx(int hHook, int nCode, int wParam, KBDLLHOOKSTRUCT lParam);

    private static extern int UnhookWindowsHookEx(int hHook);

    /* Types & constants */
    protected delegate int LowLevelKeyboardDelegate(int nCode, int wParam, ref KBDLLHOOKSTRUCT lParam);
    private const int HC_ACTION = 0;
    private const int WM_KEYDOWN = 0x0100;
    private const int WM_KEYUP = 0x0101;
    private const int WH_KEYBOARD_LL = 13;

    public struct KBDLLHOOKSTRUCT
    public int vkCode;
    public int scanCode;
    public int flags;
    public int time;
    public int dwExtraInfo;

    /* Methods */
    static private int LowLevelKeyboardHandler(int nCode, int wParam, ref KBDLLHOOKSTRUCT lParam)
    if (nCode == HC_ACTION)
    if (wParam == WM_KEYDOWN)
    System.Console.Out.WriteLine("Key Down: " + lParam.vkCode);
    else if (wParam == WM_KEYUP)
    System.Console.Out.WriteLine("Key Up: " + lParam.vkCode);
    return CallNextHookEx(Hook, nCode, wParam, lParam);

    public static bool RegisterHook()
    lock (Lock)
    if (IsRegistered)
    return true;
    Delegate = LowLevelKeyboardHandler;
    Hook = SetWindowsHookEx(
    WH_KEYBOARD_LL, Delegate,
    System.Reflection.Assembly.GetExecutingAssembly(). GetModules()[0]
    ).ToInt32(), 0

    if (Hook != 0)
    return IsRegistered = true;
    Delegate = null;
    return false;

    public static bool UnregisterHook()
    lock (Lock)
    return IsRegistered = (UnhookWindowsHookEx(Hook) != 0);
    API/Function Hooking/Interception Using JMP Instruction[edit]
    The following source code is an example of an API/function hooking method which hooks by overwriting the first six bytes of a destination function with a JMP instruction to a new function. The code is compiled into a DLL file then loaded into the target process using any method of DLL injection. Using a backup of the original function one might then restore the first six bytes again so the call will not be interrupted. In this example the win32 API function MessageBoxW is hooked.[1]

    #include <windows.h>
    #define SIZE 6

    typedef int (WINAPI *pMessageBoxW)(HWND, LPCWSTR, LPCWSTR, UINT); // Messagebox prototype
    int WINAPI MyMessageBoxW(HWND, LPCWSTR, LPCWSTR, UINT); // Our detour

    void BeginRedirect(LPVOID);
    pMessageBoxW pOrigMBAddress = NULL; // address of original
    BYTE oldBytes[SIZE] = {0}; // backup
    BYTE JMP[SIZE] = {0}; // 6 byte JMP instruction
    DWORD oldProtect, myProtect = PAGE_EXECUTE_READWRITE;

    case DLL_PROCESS_ATTACH: // if attached
    pOrigMBAddress = (pMessageBoxW)
    GetProcAddress(GetModuleHandle("user32.dll"), // get address of original
    if(pOrigMBAddress != NULL)
    BeginRedirect(MyMessageBoxW); // start detouring

    memcpy(pOrigMBAddress, oldBytes, SIZE); // restore backup

    return TRUE;

    void BeginRedirect(LPVOID newFunction)
    BYTE tempJMP[SIZE] = {0xE9, 0x90, 0x90, 0x90, 0x90, 0xC3}; // 0xE9 = JMP 0x90 = NOP oxC3 = RET
    memcpy(JMP, tempJMP, SIZE); // store jmp instruction to JMP
    DWORD JMPSize = ((DWORD)newFunction - (DWORD)pOrigMBAddress - 5); // calculate jump distance
    VirtualProtect((LPVOID)pOrigMBAddress, SIZE, // assign read write protection
    memcpy(oldBytes, pOrigMBAddress, SIZE); // make backup
    memcpy(&JMP[1], &JMPSize, 4); // fill the nop's with the jump distance (JMP,distance(4bytes),RET)
    memcpy(pOrigMBAddress, JMP, SIZE); // set jump instruction at the beginning of the original function
    VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, NULL); // reset protection

    int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uiType)
    VirtualProtect((LPVOID)pOrigMBAddress, SIZE, myProtect, NULL); // assign read write protection
    memcpy(pOrigMBAddress, oldBytes, SIZE); // restore backup
    int retValue = MessageBoxW(hWnd, lpText, lpCaption, uiType); // get return value of original function
    memcpy(pOrigMBAddress, JMP, SIZE); // set the jump instruction again
    VirtualProtect((LPVOID)pOrigMBAddress, SIZE, oldProtect, NULL); // reset protection
    return retValue; // return original return value

    Netfilter hook[edit]
    This example shows how to use hook to alter network traffic in the Linux kernel using Netfilter.

    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/skbuff.h>

    #include <linux/ip.h>
    #include <linux/tcp.h>
    #include <linux/in.h>
    #include <linux/netfilter.h>
    #include <linux/netfilter_ipv4.h>

    /* Port we want to drop packets on */
    static const uint16_t port = 25;

    /* This is the hook function itself */
    static unsigned int hook_func(unsigned int hooknum,
    struct sk_buff **pskb,
    const struct net_device *in,
    const struct net_device *out,
    int (*okfn)(struct sk_buff *))
    struct iphdr *iph = ip_hdr(*pskb);
    struct tcphdr *tcph, tcpbuf;

    if (iph->protocol != IPPROTO_TCP)
    return NF_ACCEPT;

    tcph = skb_header_pointer(*pskb, ip_hdrlen(*pskb), sizeof(*tcph), &tcpbuf);
    if (tcph == NULL)
    return NF_ACCEPT;

    return (tcph->dest == port) ? NF_DROP : NF_ACCEPT;

    /* Used to register our hook function */
    static struct nf_hook_ops nfho = {
    .hook = hook_func,
    .hooknum = NF_IP_PRE_ROUTING,
    .pf = NFPROTO_IPV4,
    .priority = NF_IP_PRI_FIRST,

    static __init int my_init(void)
    return nf_register_hook(&nfho);

    static __exit void my_exit(void)

    Internal IAT Hooking[edit]
    The following code demonstrates how to hook functions that are imported from another module. This can be used to hook functions in a different process from the calling process. For this the code must be compiled into a DLL file then loaded into the target process using any method of DLL injection. The advantage of this method is that it is less detectable by antivirus software and/or anti-cheat software, one might make this into a external hook that doesn't make use of any malicious calls. The Portable Executable header contains the Import Address Table (IAT), which can be manipulated as shown in the source below. The source below runs under Microsoft Windows.

    void __stdcall NewMessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
    printf("The String Sent to Message Box was :%s",lpText);
    int _tmain(int argc, _TCHAR* argv[])
    DetourIATptr("MessageBoxA",(void*)NewMessageBoxA,0 );
    MessageBoxA(NULL, "aa", "aa", 0);
    return 0;
    void** IATfind(const char* function, HMODULE module){
    int ip = 0;
    if (module == 0)
    module = GetModuleHandle(0);
    PIMAGE_NT_HEADERS pImgNTHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)pImgDosHeaders + pImgDosHeaders->e_lfanew);
    PIMAGE_IMPORT_DESCRIPTOR pImgImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)pImgDosHeaders + pImgNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

    if (pImgDosHeaders->e_magic != IMAGE_DOS_SIGNATURE)
    printf("libPE Error : e_magic is no valid DOS signature\n");

    for (IMAGE_IMPORT_DESCRIPTOR* iid = pImgImportDesc; iid->Name != NULL; iid++){
    for (int funcIdx = 0; *(funcIdx + (LPVOID*)(iid->FirstThunk + (SIZE_T)module)) != NULL; funcIdx++){
    char* modFuncName = (char*)(*(funcIdx + (SIZE_T*)(iid->OriginalFirstThunk + (SIZE_T)module)) + (SIZE_T)module + 2);
    const uintptr_t nModFuncName = (uintptr_t)modFuncName;
    bool isString = !(nModFuncName & (sizeof(nModFuncName) == 4 ? 0x80000000 : 0x8000000000000000));
    if (isString){
    if (!_stricmp(function, modFuncName))
    return funcIdx + (LPVOID*)(iid->FirstThunk + (SIZE_T)module);
    return 0;

    void DetourIATptr(const char* function, void* newfunction, HMODULE module){
    void** funcptr = IATfind(function, module);
    if (*funcptr == newfunction)

    DWORD oldrights, newrights = PAGE_READWRITE;
    VirtualProtect(funcptr, sizeof(LPVOID), newrights, &oldrights);
    oldfunctionptr = *funcptr;
    *funcptr = newfunction;
    VirtualProtect(funcptr, sizeof(LPVOID), oldrights, &newrights);
    See also[edit]
    Delegation (programming)
    Callback (computer science)
    Terminate and Stay Resident
    Jonathan Daniel (2013-11-27). "Hooking explained: detouring library calls and vtable patching in Windows/Linux/MAC-OSX". Retrieved 2014-01-01.
    Binh Nguyen (2004-08-16). "Hacking-Lexicon / Linux Dictionary V 0.16". Retrieved 2008-02-23. "Hook"
    [2012-06-29: Link appears to be dead] Author: Holy Father (2002-06-10). "Hooking Windows API - Technics of hooking API functions on Windows 1.1 english". Retrieved 2008-02-21.
    External links[edit]
    Various hooking methods explained for Linux/Windows/Macintosh.
    Information on Import Address Table function hooking.
    Information from Microsoft on hooking
    Information and various techniques regarding x86 hooking.
    APISpy32 is an application used to hook win32 API.
    Detours is a general purpose function hooking library created by Microsoft Research which works in C / C++.
    winspy Three ways to inject code into another process.
    HookTool SDK (ACF SDK) Provides a comprehensive overview on API hooking and code injection. A commercial product available too.
    madCodeHook is a commercial x86 and x64 API hooking and DLL injection library for C++ and Delphi.
    EasyHook is an open source hooking engine supporting x86 and x64 in Windows in both user and kernel land.
    SpyStudio Application Trace SpyStudio is an Application tracer which hook calls, displaying the results in a structured way. API Monitor is a freeware application that can hook and display 10,000+ Windows APIs and COM Interfaces in 32-bit and 64-bit applications and services.
    Deviare API Hook Deviare is a freeware inter-process hook framework that can be used to intercept other processes' API calls and show full-parameter information or create API monitors.
    [1] A student research project that utilizes hooking.
    [2] Functionality that allows a piece of software to observe and control the execution of another process.
    [3] Use of LD_PRELOAD to hook shared library calls.
    Emacs Hooks Hooks are an important mechanism for customization of Emacs. A hook is a Lisp variable which holds a list of functions, to be called on some well-defined occasion. (This is called running the hook.)
    OS X and iOS[edit]
    Cydia Substrate is a framework for jailbroken iOS devices allowing developers to hook into any other framework or application.
    In Depth API Hooking[edit]
    x86 API Hooking Demystified Article on various API Hooking methods, for the x86 architecture.


    • #3

      Google copy/paste?
      Also you just did not answer my question.


      Back to Top