I need to hook some Windows API functions like MS Detours does without using any external disassembler library.
As most 32 bit WinAPI functions start with the following sequence of bytes: 0x8B 0xFF 0x55 0x8B 0xEC, which translates to
mov edi, edi
push ebp
mov ebp, esp
this task was rather easy. However, when it comes to x64, the situation is different: the instructions at the beginning of the functions vary so much that it wouldn't be possible to relocate these instructions to a trampoline without a disassembler engine.
So, the question is: Do I really need a disassembler engine to do this or is there another way?
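As an added example (not code from the question or any answer), the check below shows what the question's x86 observation buys you and where it stops: if a function begins with the 5-byte hot-patch prologue `8B FF 55 8B EC`, those bytes are three whole instructions and can be copied verbatim; if it begins with `E9 rel32`, the function is already redirected and the target can be decoded; anything else needs instruction-length decoding. The byte patterns and addresses used here are constructed for the demonstration, and the code assumes 32-bit addressing.

```c
/* Added example: classify the first bytes of a function so an inspection or
 * hooking tool knows whether the x86 hot-patch prologue is present.
 * Assumes 32-bit x86 encodings; the sample bytes in main() are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum prologue_kind {
    PROLOGUE_HOTPATCH,   /* 8B FF 55 8B EC: mov edi,edi / push ebp / mov ebp,esp */
    PROLOGUE_REL_JMP,    /* E9 rel32: the function already jumps elsewhere */
    PROLOGUE_UNKNOWN     /* anything else: instruction lengths must be decoded */
};

static const uint8_t HOTPATCH[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

/* Decode a little-endian rel32 operand explicitly (no host-endianness assumption). */
static int32_t read_rel32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Classify at least 5 bytes of `code` that live at virtual address `va`.
 * For a relative jump, *target receives the destination address. */
enum prologue_kind classify_prologue(const uint8_t *code, uint32_t va, uint32_t *target)
{
    if (memcmp(code, HOTPATCH, 5) == 0)
        return PROLOGUE_HOTPATCH;
    if (code[0] == 0xE9) {
        /* rel32 is relative to the end of the 5-byte jmp instruction. */
        if (target)
            *target = va + 5 + (uint32_t)read_rel32(code + 1);
        return PROLOGUE_REL_JMP;
    }
    return PROLOGUE_UNKNOWN;
}

int main(void)
{
    /* Constructed samples: a hot-patch prologue, a jmp, and an x64-style prologue. */
    const uint8_t hot[5]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    const uint8_t jmp[5]  = {0xE9, 0x00, 0x10, 0x00, 0x00};   /* jmp +0x1000 */
    const uint8_t x64[5]  = {0x48, 0x89, 0x5C, 0x24, 0x08};   /* mov [rsp+8], rbx */
    uint32_t target = 0;

    printf("hot: %d\n", classify_prologue(hot, 0x401000, NULL));
    printf("jmp: %d -> 0x%08X\n", classify_prologue(jmp, 0x401000, &target), target);
    printf("x64: %d\n", classify_prologue(x64, 0x401000, NULL));
    return 0;
}
```

The third sample is the point of the question: a 64-bit prologue such as `mov [rsp+8], rbx` is a single 5-byte instruction here, but the next function may start with a 3-byte or 7-byte instruction, so a fixed-size copy cannot be trusted without knowing instruction boundaries.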
We used to hook a lot of windows functions using our own library, but then at some point we found this: https://github.com/TsudaKageyu/minhook/, which I can whole-heartedly recommend. It works for both x86 and x64.
We still hook DirectX and COM objects by changing the virtual function pointers in the virtual table because it is easy, but for all other hooking purposes we use minhook.
It does contain a disassembler library so I don't know if this qualifies as an answer, but it is very compact.
Modifying the function code itself is not the only method of hooking. You can use IAT (Import Address Table) hooking as well. Every PE (portable executable) contains a table of functions it needs to import from DLL files. The loader takes this table, looks for the requested functions, and then writes their addresses into your process memory before giving control to your code. API function calls in your code use those addresses to know where the API function is loaded in memory. You can hook functions by modifying the IAT in memory after the loader has finished, to redirect function calls to your code.
Here are some links with more information and examples:
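The following is an added example, not code from either answer, modelling the mechanism both answers rely on: a table of function pointers (an IAT slot, or equally a virtual-table slot) that compiled code calls through, a monitoring hook that swaps one slot and forwards to the original, and an integrity check that finds slots no longer pointing at what the loader resolved. Everything here is constructed for the demonstration; no real PE image is parsed and the "exported" functions are stand-ins.

```c
/* Added example: a portable model of import-table (IAT) hooking and of
 * checking an IAT for modified entries. The table, the stand-in API
 * functions and the expected-address list are all constructed here. */
#include <stdio.h>
#include <string.h>

typedef int (*api_fn)(int);

/* One IAT slot: imported name plus the pointer the loader resolved. */
struct iat_entry { const char *name; api_fn fn; };

/* Constructed stand-ins for two exported API functions. */
static int api_square(int x) { return x * x; }
static int api_negate(int x) { return -x; }

static struct iat_entry g_iat[] = {
    { "square", api_square },
    { "negate", api_negate },
};
#define IAT_COUNT (sizeof g_iat / sizeof g_iat[0])

/* What the exporting module's export table says each import should resolve to. */
static const api_fn g_expected[IAT_COUNT] = { api_square, api_negate };

/* Monitoring hook: counts calls, then forwards to the saved original. */
static api_fn g_orig_square;
static int g_square_calls;
static int hooked_square(int x) { g_square_calls++; return g_orig_square(x); }

/* Look up an IAT slot by imported name; NULL when the name is not imported. */
struct iat_entry *iat_find(const char *name)
{
    for (size_t i = 0; i < IAT_COUNT; i++)
        if (strcmp(g_iat[i].name, name) == 0)
            return &g_iat[i];
    return NULL;
}

/* Redirect one slot to `fn`; the previous pointer is stored in *saved when
 * given. Returns 0 on success, -1 if the name is not in the table. */
int iat_set(const char *name, api_fn fn, api_fn *saved)
{
    struct iat_entry *e = iat_find(name);
    if (!e)
        return -1;
    if (saved)
        *saved = e->fn;
    e->fn = fn;
    return 0;
}

/* Call through the IAT the way compiled code does: indirect via the slot. */
int call_import(const char *name, int arg)
{
    struct iat_entry *e = iat_find(name);
    return e ? e->fn(arg) : 0;
}

/* Integrity check: how many slots differ from the resolved export address.
 * A real checker compares each slot against the export it was resolved
 * from; the principle is the same. */
int iat_count_modified(void)
{
    int modified = 0;
    for (size_t i = 0; i < IAT_COUNT; i++)
        if (g_iat[i].fn != g_expected[i])
            modified++;
    return modified;
}

int main(void)
{
    printf("square(3) = %d, modified slots = %d\n",
           call_import("square", 3), iat_count_modified());
    iat_set("square", hooked_square, &g_orig_square);
    printf("square(4) = %d, hook calls = %d, modified slots = %d\n",
           call_import("square", 4), g_square_calls, iat_count_modified());
    iat_set("square", g_orig_square, NULL);   /* restore the original pointer */
    printf("modified slots after restore = %d\n", iat_count_modified());
    return 0;
}
```

Two properties of IAT hooking fall out of the model: calls that do not go through the table (a function pointer obtained another way, or a call from inside the exporting DLL) are not redirected, and the hook is visible to anyone who compares the slot with the export address, which is why `iat_count_modified` is the shape of a detection check rather than of the hook.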