Shulou(Shulou.com)06/01 Report--

Detours Hook Detours is a function library developed by Microsoft, which is mainly used for running programs in dynamic Hook. For a specific introduction, see http://research.microsoft.com/en-us/projects/detours/. In the game or plug-in analysis, you can use the interface provided by the Detours library to dynamically Hook any address, intercept function calls and output print information. Three key Concepts of Detours Hook in order to understand Detours Hook, we must first understand three key concepts in Detours. Angular Target function: that is, the target function or target address of the Hook. ^ Trampoline function: the springboard function, which is mainly responsible for saving the if instruction of the original Target function header and adding a jump instruction to maintain the semantic integrity of the call to the original Target function. The @ Detour function: the custom function to be executed after intercepting the call to the Target function. In Detours Hook, the relationship between the generated Trampoline function and the Target function is shown in figure 6-10. Figure 6-10 the relationship between the Trampoline function and the Target function you can see from figure 6-10 that the Trampoline function consists of a Target function header plus an jmp instruction. The relationship among the Target function, Detour function, and Trampoline function is shown in figure 6-11. Figure 6-11 the relationship between the Target function, the Detour function and the Trampoline function can be seen from figure 6-11. Once the Target function is executed, the program will be executed in the order of 1 → 2 → 3, that is, Traget → Detour → Trampoline, and then return to the execution process of the Target function. Detours Hook engine Detours Hook engine adopts the Detours Hook mechanism described above. After careful design, this Hook engine supports almost any address of dynamic Hook to facilitate management without adding code and recompiling code for an address of Hook (note: the "arbitrary address" here is in the address area that can be modified). First, let's take a look at the outline design of the engine shown in figure 6-12, and then describe the details of each block in detail. Figure 6-12 Detours Hook engine outline design shows the Detours Hook engine shown in figure 6-12. From the memory structure involved, it is mainly composed of four blocks, namely, JMP block, HOOK_INFO block, Trampoline block and HKC block, while in terms of processing function, it is mainly composed of DispatchHook and ProcessHook. See section 6.4 for details. Published by Electronic Industry Press

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.