List of API Hook Libraries

Kubo Takehiro edited this page Apr 22, 2020 · 17 revisions

I have not checked whether the following work well or not. I checked their documents and source code.

| Name | Github stars | Method | OS | Architecture | License |
| --- | --- | --- | --- | --- | --- |
| BoxedApp SDK | | HotPatch(*1) | Windows | x64, x86 | Commercial |
| cpp-stub | stars | HotPatch(*2) | Windows, Unixes | x64, x86 | MIT |
| Detours (Microsoft) | stars | HotPatch(*1) | Windows | x64, x86, arm, arm64, IA64 | MIT |
| Detours (Nukem) | stars | HotPatch(*1) IATHook(*4) | Windows | x64, x86 | MIT |
| DetoursNT | stars | HotPatch(*1) | Windows | x64, x86, arm, arm64 | MIT |
| Deviare In-Process | | HotPatch(*1) | Windows | x64, x86 | Commercial and GPLv3 |
| diStormX | stars | HotPatch(*1) | Windows | x64, x86 | 4-clause BSD |
| EasyHook | stars | HotPatch(*1) | Windows | x64, x86, .Net | MIT |
| ELF-Hook | stars | IATHook(*4) | Unixes? | any? | CPOL |
| ELFspy | stars | IATHook(*4) | Linux | x64, x86? | GPLv2 |
| Funchook | stars | HotPatch(*1) | Windows, Linux, macOS | x64, x86, arm64 | GPL with linking exception |
| harpoon | stars | HotPatch(*1) | macOS | x64, x86 | ? |
| madCodeHook | | ? | Windows | x64, x86 | Commercial |
| Mhook | stars | HotPatch(*1) | Windows | x64, x86 | MIT |
| MinHook | stars | HotPatch(*1) | Windows | x64, x86 | 2-clause BSD |
| PLT Hook | stars | IATHook(*4) | Windows, Linux, macOS, Solaris, FreeBSD | x64, x86, arm, aarch64, powerpc, powerpc64le | 2-clause BSD |
| SubHook | stars | HotPatch(*1 and *2) | Windows, Linux, macOS | x64, x86 | 2-clause BSD |
| urmem | stars | HotPatch(*3) | Windows, Unixes | x86 | MIT |

*1 Hooks by inserting a JMP instruction. The original code can be called via a trampoline. Some tools don't check whether the trampoline code works correctly at an address different from the original, which can cause unexpected behavior.

*2 Hooks by inserting a JMP instruction. The original code can be called by manually restoring the overwritten instructions temporarily.

*3 Hooks by inserting a JMP instruction. The original code can be called because the overwritten instructions are restored temporarily and automatically.

*4 Hooks by patching the IAT (Import Address Table) or PLT (Procedure Linkage Table).