Description
This library was created as a free alternative to Microsoft Detours. It is originally developed by Marton Anka and currently is supported and developed by Apriorit.
Mhook alternatives and similar libraries
Based on the "Hooking" category.
Alternatively, view Mhook alternatives based on common mentions on social networks and blogs.
-
Microsoft Research Detours Package
Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
Do you think we are missing an alternative of Mhook or a related project?
README
Mhook - a Windows API hooking library 
Introduction
This library was created as a free alternative to Microsoft Detours. It is originally developed by Marton Anka and currently is supported and developed by Apriorit.
How to use
// Include a header
#include <mhook-lib/mhook.h>
// Save the original function
typedef ULONG (WINAPI* _NtClose)(IN HANDLE Handle);
_NtClose TrueNtClose = (_NtClose)GetProcAddress(GetModuleHandle(L"ntdll"), "NtClose");
// Declare your function that will be handle a hook:
ULONG WINAPI HookNtClose(HANDLE hHandle)
{
printf("***** Call to NtClose(0x%p)\n", hHandle);
return TrueNtClose(hHandle);
}
//...
// Set the hook
BOOL isHookSet = Mhook_SetHook((PVOID*)&TrueNtClose, HookNtClose);
//...
// After finishing using the hook – remove it
Mhook_Unhook((PVOID*)&TrueNtClose);
You can also set a bunch of hooks in one call:
HOOK_INFO hooks[] =
{
{ (PVOID*)&TrueNtOpenProcess, HookNtOpenProcess },
{ (PVOID*)&TrueSelectObject, HookSelectobject },
{ (PVOID*)&Truegetaddrinfo, Hookgetaddrinfo },
{ (PVOID*)&TrueHeapAlloc, HookHeapAlloc },
{ (PVOID*)&TrueNtClose, HookNtClose }
};
int numberOfSetHooks = Mhook_SetHookEx(hooks, 5);
//...
// Removing hooks
int numberOfRemovedHooks = Mhook_UnhookEx(hooks, 5);
That way of setting multiple hooks is also much better in performance.
License
Mhook is freely distributed under an MIT license.
Version history
Version 2.5.1 (30 March 2018)
- Fix #1: VirtualAlloc hooking reports anomaly
- New #2: Add integration to vcpkg package
- New #3: Add AppVeyor CI
- Fix #4: Add ability to hook functions with call in first 5 bytes
Version 2.5 (20 Oct 2017)
- 10x performance boost
- CMake build system
- Change tabs to spaces
- Ability to hook functions with
je/jnein the first 5 bytes - Fix hook recursion
- Other fixes
Version 2.4 (05 Mar 2014, the last from the original author)
- A number of improvements: hot patch location (mov edi, edi) handling, support for REX-prefixed EIP-relative jumps on x64, removal of compile-time limit on the number of hooks
Version 2.3 (15 Jan 2012)
- A bugfix that allows hooking more API functions
Version 2.2 (27 Jun 2008)
- Support for instructions using IP-relative addressing
Version 2.1 (15 Oct 2007)
- Fixes
Version 2.0 (08 Jul 2007)
- Built-in disassembler
Version 1.0 (24 Jun 2007)
- Original release
Acknowledgements
Mhook contains a disassembler that is a stripped-down version of the excellent tDisasm package by Matt Conover. Thank you Matt! tDisasm comes with a BSD-style license and re-releasig a derivative of it under the MIT license has been confirmed to be OK by its author.
Alexandr Filenkov submitted bugfixes in Sept-2007. Michael Syrovatsky submitted fixes for IP-relative addressing in Jun-2008. Andrey Kubyshev submitted a bugfix in Jul-2011 and Jan-2013. John McDonald enabled unlimited hooks. Kasper Brandt provided a fix for hot patch function prologues.
*Note that all licence references and agreements mentioned in the Mhook README section above
are relevant to that project's source code only.