This repository has been archived by the owner on Jun 11, 2022. It is now read-only.
stevemk14ebr edited this page Aug 12, 2015 · 9 revisions

Welcome to the PolyHook Wiki. This page contains the How-To portion of the project.

Setup - Using PolyHook in your project

  1. PolyHook relies on a modified branch of Capstone. To use PolyHook you must download this modified branch, which can be found here.

  2. Follow the build instructions for Capstone to generate the .lib files.

  3. Set your project's include directory to the Capstone include folder: Project -> Properties -> VC++ Directories -> Include Directories -> click the drop-down -> Edit -> New Folder -> select the Capstone include folder.

  4. Set your project's library directory to the correct version of the Capstone library: follow step 3, but choose Library Directories instead.

  5. Now that Capstone is included in your project, simply copy PolyHook.h into your project!

Hook Types and Implementation

  • x86 Detour

    • E9 relative jump

    • Performs code relocation

    • Uses Capstone as a length disassembler to avoid corrupting instructions

  • x64 Detour

    • FF 25 indirect jump (jmp [RIP+disp32]); the 64-bit absolute target is read from the address that the RIP-relative displacement points to

    • Performs code relocation, including RIP-relative code

    • Uses Capstone as a length disassembler to avoid corrupting instructions

    • Allocates the trampoline within 2GB of the source so that 32-bit relative instructions remain valid

  • Virtual Function Detour

    • Performs either an x86 or an x64 detour on the function pointed at by the vtable entry

  • Virtual Function Pointer Swap

    • Replaces the vtable entry that points to the function with a pointer to the hook

  • Virtual Table Pointer Swap

    • Allocates a new virtual table, copies all the virtual function pointers into the new vtable, changes the entry for the source function to the hook function, then swaps the object's vtable pointer to the newly allocated table

  • IAT Hook

    • Walks the import address table, finds the entry for the source function, and swaps that pointer with a pointer to the hook
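The two detour stubs listed above (E9 rel32 on x86, FF 25 [RIP+disp32] on x64) and the 2GB trampoline constraint are easiest to understand from the encodings themselves. The following is an added example written for this wiki page, not PolyHook's own code: it decodes both stub forms from a constructed memory image so that a detour placed at a function's first bytes can be recognised and its real target resolved (the check an integrity scanner performs), and it computes the rel32 displacement with the signed 32-bit range check that forces an x64 trampoline to be allocated within 2GB of the source. The `Image`, `Decoded`, `decodeStub`, `rel32For` and `buildSampleImage` names, the base address 0x140001000 and all byte values are assumptions constructed for the example.

```cpp
// Added example for the PolyHook wiki (not PolyHook's code): decode E9 and
// FF 25 detour stubs from a constructed memory image and check rel32 reach.
#include <cstdint>
#include <cstring>
#include <cstdio>
#include <string>
#include <vector>

// A flat memory image standing in for a mapped module (constructed, not real).
struct Image {
    uint64_t base;
    std::vector<uint8_t> bytes;
    bool read(uint64_t addr, void *out, size_t n) const {
        if (addr < base || addr + n > base + bytes.size()) return false;
        std::memcpy(out, bytes.data() + (addr - base), n);
        return true;
    }
};

// Result of inspecting the bytes at one address.
struct Decoded {
    std::string kind;  // "E9", "FF25" or "none"
    uint64_t target;   // resolved jump target, 0 when no stub is present
    size_t length;     // stub length in bytes (5 for E9, 6 for FF 25)
};

// rel32 displacement for an E9 jump placed at `from` that lands at `to`.
// The displacement is measured from the end of the 5-byte instruction.
// Returns false when the target is outside the signed 32-bit range, which
// is why an x64 trampoline must sit within 2GB of the hooked function.
bool rel32For(uint64_t from, uint64_t to, int32_t &disp) {
    int64_t delta = static_cast<int64_t>(to) - static_cast<int64_t>(from + 5);
    if (delta > INT32_MAX || delta < INT32_MIN) return false;
    disp = static_cast<int32_t>(delta);
    return true;
}

// Decode a detour stub at `addr`:
//   E9 rel32          -> target = addr + 5 + rel32
//   FF 25 disp32 (x64)-> slot = addr + 6 + disp32; target = 64-bit value at slot
// (On 32-bit x86, FF 25 takes an absolute 32-bit slot address instead of a
// RIP-relative displacement; this decoder implements the x64 form.)
Decoded decodeStub(const Image &img, uint64_t addr) {
    Decoded none{"none", 0, 0};
    uint8_t op[2];
    if (!img.read(addr, op, sizeof op)) return none;
    if (op[0] == 0xE9) {
        int32_t rel;
        if (!img.read(addr + 1, &rel, sizeof rel)) return none;
        uint64_t target = static_cast<uint64_t>(static_cast<int64_t>(addr + 5) + rel);
        return Decoded{"E9", target, 5};
    }
    if (op[0] == 0xFF && op[1] == 0x25) {
        int32_t disp;
        uint64_t slot, target;
        if (!img.read(addr + 2, &disp, sizeof disp)) return none;
        slot = static_cast<uint64_t>(static_cast<int64_t>(addr + 6) + disp);
        if (!img.read(slot, &target, sizeof target)) return none;
        return Decoded{"FF25", target, 6};
    }
    return none;
}

// Constructed sample image (not taken from any real binary), base 0x140001000:
//   +0x00: E9 FB 0F 00 00           jmp rel32         -> 0x140002000
//   +0x08: 48 89 5C 24 08           mov [rsp+8], rbx  (ordinary prologue, no stub)
//   +0x10: FF 25 0A 00 00 00        jmp [rip+0x0A]    -> slot at +0x20
//   +0x20: 34 12 00 00 F8 7F 00 00  slot holding 0x00007FF800001234
// Everything else is NOP padding.
Image buildSampleImage() {
    Image img{0x140001000ULL, std::vector<uint8_t>(0x28, 0x90)};
    const uint8_t e9[]   = {0xE9, 0xFB, 0x0F, 0x00, 0x00};
    const uint8_t mov[]  = {0x48, 0x89, 0x5C, 0x24, 0x08};
    const uint8_t ff25[] = {0xFF, 0x25, 0x0A, 0x00, 0x00, 0x00};
    const uint8_t slot[] = {0x34, 0x12, 0x00, 0x00, 0xF8, 0x7F, 0x00, 0x00};
    std::memcpy(&img.bytes[0x00], e9, sizeof e9);
    std::memcpy(&img.bytes[0x08], mov, sizeof mov);
    std::memcpy(&img.bytes[0x10], ff25, sizeof ff25);
    std::memcpy(&img.bytes[0x20], slot, sizeof slot);
    return img;
}

int main() {
    Image img = buildSampleImage();
    for (uint64_t off : {0x00ULL, 0x08ULL, 0x10ULL}) {
        Decoded d = decodeStub(img, img.base + off);
        std::printf("%#llx: %s -> %#llx\n", (unsigned long long)(img.base + off),
                    d.kind.c_str(), (unsigned long long)d.target);
    }
    int32_t disp;
    bool ok = rel32For(img.base, img.base + 0x100000000ULL, disp);
    std::printf("4GB away reachable with rel32: %s\n", ok ? "yes" : "no");
    return 0;
}
```

Running the block prints the resolved targets for the three sample offsets (an E9 stub, a clean prologue, and an FF 25 stub) and reports that a target 4GB away is not reachable, which is the situation PolyHook avoids by placing the x64 trampoline within 2GB of the source.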