Kong : hooking library and executable parser
(This project is dead due to lack of interest)
Hooking is a useful method of modifying the runtime behavior of an application. This is achieved by rerouting API/function calls to alternate code locations while still allowing the original code to be called from other contexts (i.e. from the replacement function). Hooking, combined with class wrapping, as is the case with COM objects, can completely alter the behavior of the target application without access to its source code.
Executable image parsing allows this to be extended further. Instead of globally hooking a procedure, we can now modify behavior privately, within the context of each DLL or shared object (IAT/PLT:GOT method).
In some cases, hooking requires that code be inserted into a target process. This is usually achieved through OS-specific system calls, but can also be done by using the PE/ELF classes to edit an image's library dependencies (see examples/import_dephook.d for win32). The latter method is more viable when several unrelated packages need to hook/extend an application - when the order in which hooks are installed is important (some hooking libraries enforce that their hooks are not modified once installed), or when multiple loaders are undesired.
GNU/Linux 2.6, Windows XP SP2
- Phobos 1
- Phobos 2
- ALPHA_002: SVN - http://svn.dsource.org/projects/kong/trunk/
- ELF API now transparently handles 32-bit/64-bit ELF and endian conversion.
- Tango support.
- Replaced the full-blown IA32 disassembler with Radim Picha's compact instruction length parser.
- 64-bit PE code still untested.
- PE API still uses ALPHA_001 style templates and only supports native endian.
- kong.linux.memory_layout depends on /proc/self/maps.
- kong.win32.DSO depends on NtQueryInformationProcess.
- PE / ELF from-memory library loading (partially complete).
- Improved analysis of to-be-hooked functions.
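
The per-module PLT:GOT method and the /proc/self/maps dependency noted above can be inspected from the defensive side: the C sketch below is an added example, not Kong's code, that parses maps-format text and checks whether the address held by a GOT slot lands in the expected library's executable mapping. The function names, the sample addresses and the sample paths are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
struct region {                      /* one parsed line of /proc/<pid>/maps */
    unsigned long long start, end;
    char perms[5];                   /* e.g. "r-xp" */
    char path[256];                  /* empty for anonymous mappings */
};
/* Constructed sample in /proc/self/maps format, not captured from a real process. */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/app\n"
    "7f1c2a000000-7f1c2a021000 rwxp 00000000 00:00 0 \n"
    "7f1c2b400000-7f1c2b5c0000 r-xp 00000000 08:02 135522 /lib/libc.so.6\n";

/* Parse the maps line starting at `line`; returns 1 on success, 0 if malformed. */
int parse_maps_line(const char *line, struct region *r)
{
    unsigned long long off, inode;
    unsigned int maj, min;
    int n = 0; /* offset of the path field; stays 0 if nothing follows the inode */
    if (sscanf(line, "%llx-%llx %4s %llx %x:%x %llu%*[ ]%n",
               &r->start, &r->end, r->perms, &off, &maj, &min, &inode, &n) < 7)
        return 0;
    r->path[0] = '\0';
    if (n > 0) /* copy up to end of line so paths containing spaces survive */
        snprintf(r->path, sizeof r->path, "%.*s", (int)strcspn(line + n, "\n"), line + n);
    return 1;
}

/* Find the mapping containing addr: returns 1 with *out filled, or 0 if unmapped. */
int find_region(const char *maps, unsigned long long addr, struct region *out)
{
    for (const char *p = maps; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL)
        if (parse_maps_line(p, out) && addr >= out->start && addr < out->end)
            return 1;
    return 0;
}

/* Check: does a resolved import (the value a GOT slot holds) land in lib's executable mapping? */
int import_points_into(const char *maps, unsigned long long target, const char *lib)
{
    struct region r;
    return find_region(maps, target, &r) && strchr(r.perms, 'x') && strcmp(r.path, lib) == 0;
}

int main(void)
{
    printf("libc slot: %d, anonymous rwx target: %d\n",
           import_points_into(SAMPLE_MAPS, 0x7f1c2b401000ULL, "/lib/libc.so.6"),
           import_points_into(SAMPLE_MAPS, 0x7f1c2a000010ULL, "/lib/libc.so.6"));
    return 0;
}
```

A slot that resolves into an anonymous or writable-and-executable mapping rather than the library named in the import is the signal that the import has been redirected.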