Overview Home

?
API Hook Plug-in SDK
Overview
Container Functions
GetHookAuthor
GetHookDataSize
GetHookFlags
GetHookName
GetPointerToHookData
Data Types
HOOK_CHAIN_INFO
HOOK_DATA
HOOK_DATA_INFO
PEC_HOST_INFO
Injected Functions
GetProcAddressWithHintHook
Initialize
InitializeEx
LoadLibraryAHook
TranslateAPIAddressToHookAddress
CODEC Plug-in SDK
Codec Host Module
Codec Host Module
Host Functions
CodecGetProcAddress
GetNumberOfCodecs
Codec Functions
Codec Functions
Codec Callbacks
CodecCallback
Functions
DecodeFast
DecodeSmall
Encode
EncodeEx
GetCodecAuthor
GetCodecName
GetCodecVersion
GetDecodeFastFuncSize
GetDecodeSmallFuncSize
GetMaximumEncodingLevel
Structures
PEC2_DECODE_EXTRA
PECompact Documentation
Overview
Using the Console Application
Using the GUI
Configuration Options
CODEC Plug-ins
Loader Plug-ins
API Hook Plugins
.NET executable compression
Using the GetWatermark API
Using IsPacked API Hook Plug-in
PE Suite (Console mode PE tools)
PEHideText
Licensing
Misc. Information
TLS Callbacks
Licensing
Credits and Acknowledgements

?
PECompact 2
 API Hook Plug-ins

An API hook plug-in allows for injection of custom API hooks into a compressed application. This is useful for a variety of things, including aiding in protection against reverse engineering or extending functionality.

API hooks are exposed via a container DLL. This DLL has its own exports that merely describe the API hook plug-in and are not injected into compressed modules. These exports are called Container Functions.

Functions that are injected into compressed modules are called Injected Functions.

Overview of structure of injected code and data:

All injected code and data of an API hook plug-in is encapsulated in a HOOK_DATA object. This is simply a contiguous block of memory prefixed with a HOOK_DATA_INFO structure that describes the location of key functions inside the data block.

A pointer to this object is retrieved with GetPointerToHookData and its size retrieved by GetHookDataSize.

HOOK_DATA


HOOK_DATA_INFO

 Version information
Offset to Initialize
Offset to InitializeEx (optional)
Offset to LoadLibraryAHook
Offset to GetProcAddressWithHintHook
Offset to TranslateAPIAddressToHookAddress
 

API hook functions and data

function: Initialize
function: IntializeEx
function: GetProcAddressWithHintHook
function: LoadLibraryAHook
function: TranslateAPIAddressToHookAddress
function: CustomAPIFilter0
function: CustomAPIFilter1
'Any data'
 

Since code is injected into compressed executables, it can not reference anything outside the bounds of the HOOK_DATA object or reference anything by static addresses, since those addresses will change. Therefore, it inherently can not have any references that require a base relocation.

How a hook is applied:

The PECompact loader will invoke the LoadLibaryAHook and GetProcAddressWithHintHook functions that an API hook plug-in provides each time it needs to load a module or resolve an API address. If a hook needs to be applied, GetProcAddressWithHintHook can return the address of the hook procedure instead of the original API address. Otherwise, both these functions should return the same data that the original LoadLibraryA and GetProcAddress functions return. These API addresses are supplied to the API hook plug-in at runtime via the Initialize function.

Functions injected into compressed modules and called by the PECompact loader:

Initialize
InitializeEx (optional)
LoadLibraryAHook
GetProcAddressWithHintHook
TranslateAPIAddressToHookAddress

Functions NOT injected and existing only in the container DLL to expose information about the plug-in:

GetHookName
GetHookAuthor
GetPointerToHookData
GetHookDataSize
GetHookFlags