PECompact 2 API Hook Plug-ins

An API hook plug-in allows custom API hooks to be injected into a compressed application. This is useful for a variety of purposes, including helping to protect against reverse engineering and extending functionality.

API hooks are exposed via a container DLL. This DLL has its own exports that merely describe the API hook plug-in and are not injected into compressed modules. These exports are called Container Functions. Functions that are injected into compressed modules are called Injected Functions.

All injected code and data of an API hook plug-in are encapsulated in a HOOK_DATA object. This is simply a contiguous block of memory prefixed with a HOOK_DATA_INFO structure that describes the location of key functions inside the data block. A pointer to this object is retrieved with GetPointerToHookData, and its size with GetHookDataSize.
Because the code is injected into compressed executables, it cannot reference anything outside the bounds of the HOOK_DATA object, nor can it reference anything by static address, since those addresses will change. It therefore cannot contain any reference that requires a base relocation.

How a hook is applied:

The PECompact loader invokes the LoadLibaryAHook and GetProcAddressWithHintHook functions that an API hook plug-in provides each time it needs to load a module or resolve an API address. If a hook needs to be applied, GetProcAddressWithHintHook can return the address of the hook procedure instead of the original API address. Otherwise, both functions should return the same data that the original LoadLibraryA and GetProcAddress functions return. The addresses of those original APIs are supplied to the API hook plug-in at runtime via the Initialize function.

Functions injected into compressed modules and called by the PECompact loader:

Initialize

Functions NOT injected and existing only in the container DLL to expose information about the plug-in:

GetHookName
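The dispatch described under "How a hook is applied", as an added portable C model that is not PECompact SDK code. The real plug-in signatures and the HOOK_DATA_INFO layout are not given on this page, so the types, the hook_state layout, and the model_*, fake_* and ExampleApi* names are all assumptions.

```c
#include <stddef.h>
/* Portable model, NOT the PECompact SDK: every name and signature is assumed. */
typedef void (*proc_t)(void);                              /* an API address */
typedef void *(*load_fn)(const char *module);              /* LoadLibraryA stand-in */
typedef proc_t (*resolve_fn)(void *mod, const char *name); /* GetProcAddress stand-in */

/* All hook state sits in one block, mirroring the rule that injected code
   may only touch data inside its own HOOK_DATA object. */
typedef struct {
    load_fn    orig_load;     /* originals handed over by Initialize */
    resolve_fn orig_resolve;
    char       target[32];    /* API name to intercept */
    proc_t     replacement;   /* hook procedure returned in its place */
} hook_state;
/* Local compare: injected code cannot import strcmp from a C runtime. */
static int same_name(const char *a, const char *b) {
    while (*a && *a == *b) { a++; b++; }
    return *a == *b;
}
void model_initialize(hook_state *s, load_fn l, resolve_fn r) {
    s->orig_load = l; s->orig_resolve = r;
}
/* Module loads pass straight through to the original. */
void *model_load_hook(hook_state *s, const char *module) {
    return s->orig_load(module);
}
/* Substitute only when the name matches and the real API exists; every
   other lookup returns exactly what the original resolver returns. */
proc_t model_resolve_hook(hook_state *s, void *mod, const char *name) {
    proc_t real = s->orig_resolve(mod, name);
    if (real && name && same_name(name, s->target)) return s->replacement;
    return real;
}

/* Constructed stand-ins so the model runs without Windows. */
static int fake_module;
void real_a(void) {} void real_b(void) {} void hook_a(void) {}
void *fake_load(const char *m) { return m ? &fake_module : NULL; }
proc_t fake_resolve(void *mod, const char *name) {
    if (mod != &fake_module || !name) return NULL;
    if (same_name(name, "ExampleApiA")) return real_a;
    return same_name(name, "ExampleApiB") ? real_b : NULL;
}
int main(void) {
    hook_state s = { .target = "ExampleApiA", .replacement = hook_a };
    model_initialize(&s, fake_load, fake_resolve);
    void *m = model_load_hook(&s, "example.dll");
    return model_resolve_hook(&s, m, "ExampleApiA") == hook_a ? 0 : 1;
}
```

In the model, a lookup that the original resolver fails still fails through the hook, so the loader's error handling is unchanged for APIs that do not exist.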