Simple Loader (Hooking)
This is a Simple Loader (with free COFF) that also implements simple DLL masking whenever a hooked function is called.
Project Files
NOTES
This loader doesn't create new executable memory for our persistent PICOs. Rather, it places the executable .text section of these programs inline with the loaded DLL. A good reminder that our loader has control over where these things go in memory.
The hook.c file implements our hooking. The go function is the entry point. It's helpful to think of go as an initializer. This function accepts the base address and size of our DLL in memory as arguments. The hook holds on to these so that it can obfuscate the DLL's contents, later, when a blocking function we've hooked is called.
How does the hooking happen?
The go function in hook.c simply overrides the pointer in our IMPORTFUNCS struct with its own GetProcAddress. This is the struct used by our loader, later on, to resolve the APIs of our loaded DLL (or PICOs, for that matter). From this perch, we can examine any function requested by name and decide whether we want to hand back a hook in place of the real export. To make sure the gift keeps on giving, we also look for requests for GetProcAddress itself and return the pointer to our special GetProcAddress. This allows anything that our DLL might load (e.g., a BOF, PICO, or another DLL via a custom loader) to benefit from this hooking too.
When declaring a function hook, make sure you declare the right decorator (e.g., WINAPI, NTAPI, etc.) with it. Many of these alias to __stdcall, which is the expected Win32 API calling convention on x86. x86 C programs tend to default to __cdecl, and this mismatch means the caller and the callee disagree about who cleans the arguments off the stack, which corrupts the stack and creates unexpected behavior. On x64 this isn't an issue, as __fastcall is the single convention used for almost everything and the decorators are accepted and ignored.
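The two sections above describe a mechanism rather than showing it, so here is a portable sketch of it, added as an example; this is not the project's hook.c. The IMPORTFUNCS layout, the go() signature, the fake export table, the fake Sleep and the XOR masking are all assumptions made so the code runs outside Windows, and the HOOKAPI macro stands in for WINAPI/NTAPI (it expands to __stdcall only on 32-bit Windows, which is the decorator point made above).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hooks must carry the same calling convention as the API they replace. On
 * 32-bit Windows that is __stdcall (what WINAPI/NTAPI expand to); on x64 and
 * in this portable demo the decorator is empty. */
#if defined(_WIN32) && !defined(_WIN64)
#  define HOOKAPI __stdcall
#else
#  define HOOKAPI
#endif

typedef void (HOOKAPI *PROC)(void);                               /* like FARPROC */
typedef PROC (HOOKAPI *RESOLVER)(void *module, const char *name);
typedef void (HOOKAPI *SLEEP_FN)(uint32_t ms);

/* Hypothetical stand-in for the loader's IMPORTFUNCS struct. The loader calls
 * funcs->GetProcAddress for every symbol it resolves on behalf of the DLL. */
typedef struct { RESOLVER GetProcAddress; } IMPORTFUNCS;

/* State the hook needs: where the DLL lives, plus the original pointers. */
static unsigned char *g_image;                 /* base address passed to go() */
static size_t         g_image_len;             /* size passed to go()         */
static RESOLVER       g_orig_GetProcAddress;
static SLEEP_FN       g_orig_Sleep;
static int            g_hook_calls;

/* A constructed fake "DLL" and a fake "Sleep" so the demo runs anywhere. */
static unsigned char  g_fake_dll[16] = "text-section!!!";
static int            g_masked_during_sleep = -1;

static void HOOKAPI real_Sleep(uint32_t ms) {
    (void)ms;
    /* Record whether the caller's image was masked while we "blocked". */
    g_masked_during_sleep = (memcmp(g_fake_dll, "text", 4) != 0);
}

/* Fake export table standing in for the real GetProcAddress. */
static PROC HOOKAPI real_GetProcAddress(void *module, const char *name) {
    (void)module;
    if (strcmp(name, "Sleep") == 0)          return (PROC)real_Sleep;
    if (strcmp(name, "GetProcAddress") == 0) return (PROC)real_GetProcAddress;
    return NULL;
}

/* XOR-mask the DLL image in place; a second call restores it. */
static void mask_image(void) {
    for (size_t i = 0; i < g_image_len; i++) g_image[i] ^= 0xAA;
}

/* The hook for a blocking API: hide the DLL while we are parked in the call. */
static void HOOKAPI hook_Sleep(uint32_t ms) {
    g_hook_calls++;
    mask_image();
    g_orig_Sleep(ms);
    mask_image();
}

/* Our GetProcAddress: decide per name whether to hand back a hook. */
static PROC HOOKAPI hook_GetProcAddress(void *module, const char *name) {
    if (strcmp(name, "Sleep") == 0) {
        g_orig_Sleep = (SLEEP_FN)g_orig_GetProcAddress(module, name);
        return (PROC)hook_Sleep;
    }
    /* Whoever resolves GetProcAddress itself gets this function, so code the
     * DLL later loads (BOF, PICO, another DLL) inherits the hooks too. */
    if (strcmp(name, "GetProcAddress") == 0)
        return (PROC)hook_GetProcAddress;
    return g_orig_GetProcAddress(module, name);
}

/* Entry point modelled on go(): remember the DLL's location and swap the
 * resolver pointer in the loader's IMPORTFUNCS. */
void go(IMPORTFUNCS *funcs, unsigned char *base, size_t len) {
    g_image = base;
    g_image_len = len;
    g_orig_GetProcAddress = funcs->GetProcAddress;
    funcs->GetProcAddress = hook_GetProcAddress;
}

int hook_calls(void) { return g_hook_calls; }

/* Exercise the whole flow; returns 0 on success, the failing step otherwise. */
int demo(void) {
    IMPORTFUNCS funcs = { real_GetProcAddress };      /* what the loader starts with */
    go(&funcs, g_fake_dll, sizeof g_fake_dll);

    /* The loader now resolves the DLL's imports through our resolver. */
    PROC p = funcs.GetProcAddress(NULL, "Sleep");
    if (p != (PROC)hook_Sleep) return 1;
    if (funcs.GetProcAddress(NULL, "GetProcAddress") != (PROC)hook_GetProcAddress) return 2;
    if (funcs.GetProcAddress(NULL, "NoSuchExport") != NULL) return 3;

    ((SLEEP_FN)p)(1000);                               /* the DLL "calls Sleep"      */
    if (g_masked_during_sleep != 1) return 4;          /* hidden while blocked       */
    if (memcmp(g_fake_dll, "text-section!!!", 16) != 0) return 5;  /* restored after */
    return 0;
}

int main(void) {
    printf("demo: %d, hook calls: %d\n", demo(), hook_calls());
    return 0;
}
```

Two things the sketch glosses over that matter on a real target: an executable section cannot be XORed in place without first changing its page protection, and the hook's own code and the resolver must sit outside the range being masked, or the process faults the moment the original Sleep returns into masked bytes.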
This is a basic demonstration, but it shows a way to modify a DLL's behavior via hooking while trying to remain agnostic to everything else going on.
License
This project is licensed under the GNU General Public License version 2 (GPLv2) or later.