From 9fd9e66340144fbe6e03e8dccaf79470b4c31361 Mon Sep 17 00:00:00 2001 From: wacked Date: Wed, 26 Feb 2020 22:08:09 +0100 Subject: [PATCH] hooking engines --- content/projects/hookengs.md | 71 ++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 content/projects/hookengs.md diff --git a/content/projects/hookengs.md b/content/projects/hookengs.md new file mode 100644 index 0000000..0d8dd71 --- /dev/null +++ b/content/projects/hookengs.md 
@@ -0,0 +1,71 @@ +--- +title: "Hooking Engine Deatmatch" +description: "Evaluating various hooking engines, putting them against pathologically hard to hook functions" +date: 2020-02-26T22:00:00+01:00 +draft: false +--- + +For the full code see the [git repo](https://vcs.wacked.codes/wacked/hook_tests). + +Introduction +============ +This project aims to give a simple overview on how good various x64 hooking +engines (on windows) are. I'll try to write various functions, that are hard to +patch and then see how each hooking engine does. + +I'll test: + +* [EasyHook](https://easyhook.github.io/) +* [PolyHook](https://github.com/stevemk14ebr/PolyHook) +* [MinHook](https://www.codeproject.com/Articles/44326/MinHook-The-Minimalistic-x-x-API-Hooking-Libra) +* [Mhook](http://codefromthe70s.org/mhook24.aspx) + +(I'd like to test detours, but I'm not willing to pay for it. So that isn't +tested :( ) + +There are multiple things that make hooking difficult. Maybe you want to patch +while the application is running -- in that case you might get race conditions, +as the application is executing your half finished hook. Maybe the software has +some self protection features (or other software on the system provides that, +e.g. Trustee Rapport) + +Evaluating how the hooking engines stack up against that is not the goal here. +Neither are non-functional criteria, like how fast it is or how much memory it +needs for each hook. This is just about the challenges the function to be +hooked itself poses. + +Namely: + +* Are jumps relocated? +* What about RIP adressing? +* If there's a loop at the beginning / if it's a tail recurisve function, does + the hooking engine handle it? +* How good is the dissassembler, how many instructions does it know? +* Can it hook already hooked functions? + +At first I will give a short walk through of the architecture, then quickly go +over the test cases. After that come the results and an evaluation for each +engine. 
+ +I think I found a flaw in all of them; I'll publish a small POC which should at +least detect the existence of problematic code. + +**A word of caution**: my results are worse than expected, so do assume I have +made a mistake in using the libraries. I went into this expecting that some +engines at least would try to detect e.g. the loops back into the first few +bytes. But none did? That's gotta be wrong. + +**Another word of caution**: parts of this are rushed and/or ugly. Please +double check parts that seem suspicious. And I'd love to get patches, even for +the most trivial things -- spelling mistakes? Yes please. + + +Result +======== + +| Name|Small|Branch|RIP Relative|AVX|RDRAND|Loop|TailRec| +|----------|-----|------|------------|---|------|----|-------| +| PolyHook| X | X | X | X | | | | +| MinHook| X | X | X | | | | X | +| MHook| | | X | | | | | +
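Review bot: the Result table at the end of the hunk does not match the introduction: four engines are announced (EasyHook, PolyHook, MinHook, Mhook) but only three rows appear, and EasyHook is missing entirely; either add its row or say why it was dropped. The table also has no legend, so it is unclear whether an X marks a pass or a failure, which matters given the "my results are worse than expected" caveat; a one-line key above the table (e.g. "X = hook installed and test passed") would remove the ambiguity. The intro also promises "a short walk through of the architecture, then quickly go over the test cases" before the results, but the file goes straight from the two cautions to the table, so either those sections still need to be added or the sentence should be trimmed. Finally, the library is spelled "Mhook" in the list and "MHook" in the table, and there are typos in the front matter and prose: "Deatmatch" (title), "adressing", "recurisve", "dissassembler", and "Trustee Rapport", which should read "Trusteer Rapport".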