API Hooking Introduction

API Hooking is a useful technique that can be used to monitor and intercept Win32 API calls used by programs, It can be used for extends existing program's functions, but is also used by rootkits and other malicious codes to modify the behaviour of certain APIs to hide files, network transfers, background processes or services.  

API Hooking Techniques

The idea behind API hooking is to allow an API call to be redirected to a replacement function. This replacement function will usually perform some manipulation of the input parameters before transferring control back to the called API. The replacement function could also manipulate the API's return results before passing them back to the caller. This simple idea has been used by rootkits and trojans to hide files, processes and network ports. For example, by hooking FindFirstFileA and FindNextFileA, it is possible to manipulate the list of filenames returned, thus allowing certain files to be hidden from the directory listing.

System Wide API Hooks that are implemented based on the following techniques:

  1. Import / Export Table Modification
  2. Overwriting the start of the Hooked API with a JMP instruction

Import/Export Table Modification

This technique allows APIs to be Hooked by making direct modifications to the Import/Export Tables of the targeted process and all its modules (DLLs). Each process and module have their own Import Address Table (IAT) that contains the entry-point addresses of the APIs that are used. These addreseses will be used whenever the process makes a call to the repective APIs. Therefore, by replacing the entry point address of an API (in the IAT) with that of a replacement function, it is possible to redirect any calls to the API to the replacement function.

However, modifying the IAT alone is insufficient since the targeted process might use the GetProcAddress API to obtain the real entry point address of an API. This problem could be solved by hooking the GetProcAddress API so that the address of the replacement function is returned instead. Alternatively, it is possible to directly modify the Export Address Table of the DLL that exports that particular API. Every DLL has an Export Address Table (EAT) that contains the entry-point addresses of the APIs that are implemented within the DLL. Hence, by replacing the entry point of an API within the EAT with the relative address of the replacement function, we can cause GetProcAddress to return the address of the replacement function instead.

Overwriting the start of the Hooked API with a JMP instruction

Another technique that can be used to implement API Hooking involves overwriting the start of the Hooked API with a JMP instruction that cause execution to be transferred to the replacement function. This technique requires less modifications within the memory space of the hooked process as compared to the previous technique.

Return to Main Page, Go to Order Page