XOR Hooks

This is a Simple Loader (Hooking) module that XOR-masks a DLL in memory while a hooked function is executing.

Project Files

NOTES

xorhooks.c is the implementation of our XOR hooks tradecraft. It hooks one function: MessageBoxA. _MessageBoxA defines our MessageBoxA hook. When writing a hook function, it's important to get the details right:

  • The hook must accept the same number of arguments as the original function.
  • The hook must use the same decorators as the original function (e.g., WINAPI here). This ensures the hook and the original function share the same calling convention, which is critical for x86 programs.
  • The hook must not use __declspec(dllimport) or anything that aliases it (e.g., WINBASEAPI, DECLSPEC_IMPORT, etc.), since those mark the function as imported from another module rather than defined here.

The _MessageBoxA hook masks the loaded DLL content, calls USER32$MessageBoxA, and then unmasks the DLL content once the call returns. The masking relies on the xorkey global variable.
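As an added illustration (not the project's own code), here is the mask / call-through / unmask pattern the _MessageBoxA hook implements, written in portable C so it compiles off Windows: WINAPI is defined empty when absent, xMessageBoxA plays the role of the project's hook, configHooksXorDemo stands in for the configHooksXor export described below, and the key bytes, the fake DLL image and the stub MessageBoxA are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>
#ifndef WINAPI
#define WINAPI   /* empty off Windows; on Windows this is the __stdcall decorator and must match the original */
#endif

/* Key the build patches in with `patch "xorkey" $HKEY`; a constructed 16-byte value stands in here. */
unsigned char xorkey[16] = {
    0x5a, 0xc3, 0x11, 0x9e, 0x27, 0xf0, 0x44, 0x8b,
    0x6d, 0x02, 0xb7, 0x39, 0xe5, 0x7c, 0xa8, 0x10 };
/* Region to mask: the pointer and length the setup hook hands over (configHooksXor in the project). */
static unsigned char *dll_base;
static size_t         dll_len;
void configHooksXorDemo(void *base, size_t len) { dll_base = base; dll_len = len; }

/* XOR is its own inverse, so one routine both masks and unmasks the region. */
static void xormask(void) {
    for (size_t i = 0; i < dll_len; i++)
        dll_base[i] ^= xorkey[i % sizeof xorkey];
}

/* Same argument count and decorator as the real USER32$MessageBoxA (HWND, LPCSTR, LPCSTR, UINT). */
typedef int (WINAPI *MessageBoxA_fn)(void *, const char *, const char *, unsigned);
static MessageBoxA_fn originalMessageBoxA;   /* the next entry in the attach chain */

/* The hook itself: mask, call through, unmask, pass the result back untouched. */
int WINAPI xMessageBoxA(void *hWnd, const char *lpText, const char *lpCaption, unsigned uType) {
    xormask();                                            /* DLL content is unreadable while the API runs */
    int rc = originalMessageBoxA(hWnd, lpText, lpCaption, uType);
    xormask();                                            /* restore before returning to our own code */
    return rc;
}

/* Constructed harness: a stand-in for the real API that records whether the image was masked while it ran. */
static unsigned char dllImage[64];
static int sawMaskedImage;

static int WINAPI stubMessageBoxA(void *h, const char *t, const char *c, unsigned u) {
    (void)h; (void)t; (void)c; (void)u;
    sawMaskedImage = (dllImage[0] != 0x4d || dllImage[1] != 0x5a);   /* the 'MZ' header should be gone */
    return 1;                                                          /* IDOK */
}

int runDemo(void) {
    memset(dllImage, 0x90, sizeof dllImage);
    dllImage[0] = 0x4d; dllImage[1] = 0x5a;                 /* 'MZ' is plainly visible before the call */
    configHooksXorDemo(dllImage, sizeof dllImage);
    originalMessageBoxA = stubMessageBoxA;
    int rc = xMessageBoxA(NULL, "hi", "demo", 0);
    /* 1 only if the image was masked during the call, restored after it, and the return value passed through */
    return rc == 1 && sawMaskedImage && dllImage[0] == 0x4d && dllImage[1] == 0x5a;
}
```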

XOR Hooks' Hooks

The hooks label in xorhooks.spec composes our tradecraft onto the base hooking PICO. This is done with the merge command.

attach "USER32$MessageBoxA" "_xMessageBoxA" rewrites calls to USER32$MessageBoxA in our PIC to _xMessageBoxA. attach hooks are chainable, too. addhook "USER32$MessageBoxA" without a second argument registers USER32$MessageBoxA's attach chain with the dynamically generated __resolve_hook intrinsic.

Our XOR hooks (merged into the hooking PICO) know nothing, by default, about the DLL we want to mask. This is where setupHooksXor from xorhooks_setup.c comes in. The setupHooksXor function calls configHooksXor, exported by our hooking PICO, and passes it the pointer and length of the DLL content to mask in memory.

The hooks label in xorhooks.spec also generates our XOR key and adds it to the XOR hooks module. generate $HKEY 128 generates a 128b random key. patch "xorkey" $HKEY patches this value into the xorkey global of our XOR hooks module.

XOR Hooks Setup

The setup label in xorhooks.spec composes our masking setup onto the loader PIC. This is done by merging xorhooks_setup.x64.o with the loader. redirect "setupHooks" "setupHooksXor" then lays a chainable local function hook over the loader's setupHooks function, so setupHooksXor runs when the loader sets up its hooks.

License

This project is licensed under the BSD License.