1 00:00:01,130 --> 00:00:11,030 Hello and welcome to a new section: API hooking using the Detours library, intercepting API function calls.
2 00:00:14,530 --> 00:00:23,320 What is API hooking? API hooking is used to add functionality into a program where the source code is
3 00:00:23,320 --> 00:00:24,280 not available.
4 00:00:25,540 --> 00:00:31,750 It is also used to make modifications at runtime without modifying the actual binary.
5 00:00:31,750 --> 00:00:34,210 For example, in game cheats,
6 00:00:34,660 --> 00:00:42,910 API hooking can be used to intercept functions which check for player health and return 100 percent health.
7 00:00:43,030 --> 00:00:48,970 Another example: debuggers also use API hooking when you set breakpoints.
8 00:00:51,720 --> 00:00:52,710 What is Detours?
9 00:00:53,460 --> 00:01:02,490 Detours is a library, a library used for instrumenting Windows Win32 functions.
10 00:01:03,480 --> 00:01:09,150 It was created by two researchers from Microsoft who published
11 00:01:09,150 --> 00:01:14,160 the article "Detours: Binary Interception of Win32 Functions".
12 00:01:14,760 --> 00:01:18,870 The two researchers are Galen Hunt and Doug Brubacher.
13 00:01:22,080 --> 00:01:26,810 Detours intercepts Win32 functions by rewriting function images.
14 00:01:27,590 --> 00:01:34,550 It includes utilities to attach arbitrary DLLs and also payloads to any Win32 binary.
15 00:01:36,590 --> 00:01:42,920 This is a diagram explaining Detours: calling a function with and without interception.
16 00:01:44,030 --> 00:01:50,450 The first diagram, the top one, shows invocation without interception.
17 00:01:52,110 --> 00:02:00,330 So assuming we have two functions, the source function and the target function, both residing in
18 00:02:00,330 --> 00:02:01,350 the same process.
19 00:02:02,310 --> 00:02:10,360 The source function is trying to call the target function, and the target function also returns results
20 00:02:10,360 --> 00:02:12,600 after the execution to the source function.
21 00:02:14,160 --> 00:02:15,480 Now the Detours case.
22 00:02:16,580 --> 00:02:25,010 You can see in the bottom diagram, invocation with interception, so in the middle, and again there is
23 00:02:25,010 --> 00:02:31,160 a detour function added to intercept the call made by the source function.
24 00:02:32,000 --> 00:02:36,620 And we are in control of the detour function. Using a detour function,
25 00:02:36,680 --> 00:02:38,000 we can do anything we want.
26 00:02:38,480 --> 00:02:46,790 You can forward the call to the target function, or you can jump to another payload or do something
27 00:02:46,790 --> 00:02:52,280 else, and then you can also return something back to the source function.
28 00:02:53,350 --> 00:03:01,300 If you want to pass the call to the target function, we copy the parameters from the source function,
29 00:03:02,020 --> 00:03:06,970 through the trampoline function, which then calls the target function.
30 00:03:08,450 --> 00:03:15,710 And we can equally modify the variables that are passed to the detour function, or if we want to, we
31 00:03:15,710 --> 00:03:19,310 could simply substitute it with a different function.
32 00:03:20,510 --> 00:03:28,790 So the trampoline function's job is merely to take the parameters that are passed from the source function to the detour
33 00:03:28,790 --> 00:03:35,540 function and to forward them to the target function, and it also contains additional code.
34 00:03:35,930 --> 00:03:44,060 Since we came from the source function, after the target function executes it will return the result to the detour
35 00:03:44,060 --> 00:03:51,380 function, which gets forwarded back to the source function. From the point of view of the target function,
36 00:03:51,380 --> 00:03:56,210 it doesn't know that it is dealing with a detour function.
37 00:03:57,740 --> 00:04:02,780 Target and trampoline functions before and after hooking, in this diagram.
38 00:04:03,830 --> 00:04:08,840 There are two parts: on the left is before hooking and on the right after hooking.
39 00:04:09,530 --> 00:04:15,490 So this is an example of a target function, and the trampoline as it is now.
40 00:04:15,710 --> 00:04:22,910 The target function contains the instructions that are to be executed, while the trampoline function
41 00:04:23,120 --> 00:04:23,870 is empty.
42 00:04:25,310 --> 00:04:30,090 So after hooking, we will replace the target function's instructions
43 00:04:30,110 --> 00:04:31,850 with a jump to the detour function.
44 00:04:33,440 --> 00:04:40,220 And this jump to the detour function, since it replaces all these instructions here except for the last one,
45 00:04:41,120 --> 00:04:45,740 we will need to put back all those instructions somewhere in memory.
46 00:04:46,220 --> 00:04:49,040 And that is where you use a trampoline function.
47 00:04:49,970 --> 00:04:56,300 So we copy all those instructions that have been replaced by the jump down into the trampoline function
48 00:04:56,300 --> 00:05:00,140 here, and at the last line of the trampoline function
49 00:05:00,530 --> 00:05:04,100 we jump back to the original code in the target function.
50 00:05:05,120 --> 00:05:06,200 So it is a jump here.
51 00:05:06,230 --> 00:05:12,980 When we come back to the target function, it is target function plus five. Plus five is because all these instructions here
52 00:05:12,980 --> 00:05:14,870 take five bytes.
53 00:05:15,740 --> 00:05:21,500 So that's why it is plus five, so that you can get back to where you were supposed to go after the jump
54 00:05:21,500 --> 00:05:23,070 returns, which is the push instruction.
55 00:05:24,230 --> 00:05:27,860 That's why it is plus five. So for different functions,
56 00:05:28,100 --> 00:05:31,190 the number of bytes here could be different.
57 00:05:31,820 --> 00:05:35,490 In this case, it happens to be five again.
58 00:05:35,810 --> 00:05:42,530 This diagram came from the article written by Galen Hunt and Doug Brubacher.
59 00:05:45,260 --> 00:05:49,580 So that's all for the theoretical background of Detours.
60 00:05:50,060 --> 00:05:51,320 Thank you for watching.