Whence came function hooking?

A friend is digging around trying to find out when function prologue hooking was invented, and who did it. Does anyone out there know of any old-time uses of function prologue hooking?

I’m NOT talking about:

  • Interrupt hooking
  • system call hooking
  • window hooks
  • VxD service hooking
  • hot patching
  • any “architected” hook

I’m interested only in programs that disassemble a C (or similar) function prologue and overwrite it with some sort of jump or call into their own code, moving the displaced instructions out of the way so the original function can still be reached.

Anyone have any old examples?

UPDATE: One commenter pointed out Detours. Their paper was published in 1999. I was hoping for something before that, as I can’t bring myself to believe that they invented the technique of function prologue hooks that recently.
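The mechanism the post is asking about, as an added example that is not code from the original post or from any of the products mentioned in it: a minimal x86-64 detour installer in C. It works on an in-memory copy of a function's bytes rather than on live code, so it runs anywhere; the sample prologue bytes, the addresses (0x401000, 0x500000, 0x600000) and the hook_t/install_hook/insn_len names are all constructed for illustration. The steps are the ones the post describes: disassemble whole instructions until at least five bytes are covered, copy them into a trampoline that jumps back to the rest of the function, then overwrite the entry with a jmp to the hook.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_LEN   5     /* E9 rel32 */
#define TRAMP_MAX 32

typedef struct {
    size_t  displaced;             /* whole prologue instructions moved out of the way */
    uint8_t tramp[TRAMP_MAX];      /* displaced instructions + jmp back into the original */
    size_t  tramp_len;
} hook_t;

/* Length of the x86-64 instruction at p (n bytes available), for the small set that
 * compilers emit in prologues: push/pop reg, mov/xor reg,reg, add/sub rsp,imm, nop,
 * ret, int3. Returns 0 for anything it does not know, and -1 for call/jmp/jcc,
 * which carry a relative displacement and cannot be moved without fixing it up. */
static int insn_len(const uint8_t *p, size_t n)
{
    size_t i = 0;
    if (n == 0) return 0;
    if ((p[i] & 0xF0) == 0x40) i++;                 /* REX prefix */
    if (i >= n) return 0;
    uint8_t op = p[i++];
    if (op == 0x90 || op == 0xC3 || op == 0xCC) return (int)i;
    if (op >= 0x50 && op <= 0x5F) return (int)i;    /* push/pop reg */
    if (op == 0x89 || op == 0x8B || op == 0x31 || op == 0x33) {   /* mov/xor with ModRM */
        if (i >= n || (p[i] & 0xC0) != 0xC0) return 0;            /* register-direct only */
        return (int)i + 1;
    }
    if (op == 0x83) {                               /* add/sub r/m64, imm8 */
        if (i + 2 > n || (p[i] & 0xC0) != 0xC0) return 0;
        return (int)i + 2;
    }
    if (op == 0x81) {                               /* add/sub r/m64, imm32 */
        if (i + 5 > n || (p[i] & 0xC0) != 0xC0) return 0;
        return (int)i + 5;
    }
    if (op == 0xE8 || op == 0xE9 || (op >= 0x70 && op <= 0x7F)) return -1;
    return 0;
}

/* Write "jmp rel32" into `at`, which will live at virtual address `from`. */
static int put_jmp(uint8_t *at, uint64_t from, uint64_t to)
{
    int64_t d = (int64_t)(to - (from + JMP_LEN));
    if (d > INT32_MAX || d < INT32_MIN) return -1;  /* target out of rel32 reach */
    uint32_t rel = (uint32_t)d;
    at[0] = 0xE9;
    for (int k = 0; k < 4; k++) at[1 + k] = (uint8_t)(rel >> (8 * k));  /* little-endian */
    return 0;
}

/* Patch the function whose bytes are in `code` (mapped at `code_va`) to jump to
 * `hook_va`, and fill h->tramp with the trampoline to be placed at `tramp_va`,
 * through which the hook can call the original. Returns 0, or -1 if the first
 * five bytes cannot be displaced safely. */
int install_hook(uint8_t *code, size_t code_len, uint64_t code_va,
                 uint64_t hook_va, uint64_t tramp_va, hook_t *h)
{
    uint8_t entry[JMP_LEN];
    size_t off = 0;
    while (off < JMP_LEN) {                         /* disassemble until 5 bytes are covered */
        int len = insn_len(code + off, code_len - off);
        if (len <= 0) return -1;                    /* unknown or relocation-sensitive insn */
        off += (size_t)len;
    }
    if (off + JMP_LEN > TRAMP_MAX) return -1;
    memcpy(h->tramp, code, off);                    /* 1. copy the displaced instructions */
    if (put_jmp(h->tramp + off, tramp_va + off, code_va + off) != 0) return -1;
    if (put_jmp(entry, code_va, hook_va) != 0) return -1;
    h->displaced = off;
    h->tramp_len = off + JMP_LEN;
    memcpy(code, entry, JMP_LEN);                   /* 2. overwrite the entry with jmp hook */
    memset(code + JMP_LEN, 0xCC, off - JMP_LEN);    /* 3. int3 over the leftover partial bytes */
    return 0;
}

/* Constructed sample (not from the page): "push rbp; mov rbp,rsp; sub rsp,0x10"
 * as gcc emits at -O0, followed by a few body bytes. */
static const uint8_t sample_fn[] = {
    0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10,
    0x89, 0x7D, 0xFC, 0xC9, 0xC3 };

/* Hook a scratch copy of sample_fn at made-up addresses; returns install_hook's result. */
int hook_sample(uint8_t *copy, size_t copy_len, hook_t *h)
{
    if (copy_len < sizeof sample_fn) return -1;
    memcpy(copy, sample_fn, sizeof sample_fn);
    return install_hook(copy, sizeof sample_fn, 0x401000, 0x500000, 0x600000, h);
}

int main(void)
{
    uint8_t copy[sizeof sample_fn];
    hook_t h;
    if (hook_sample(copy, sizeof copy, &h) != 0) { puts("cannot hook"); return 1; }
    printf("displaced %zu bytes; patched entry:", h.displaced);
    for (size_t k = 0; k < h.displaced; k++) printf(" %02X", copy[k]);
    printf("\ntrampoline:");
    for (size_t k = 0; k < h.tramp_len; k++) printf(" %02X", h.tramp[k]);
    putchar('\n');
    return 0;
}
```

The two refusals in insn_len are the ones that bite in practice: a function shorter than five bytes, or one whose first bytes contain a call or jump, cannot be displaced verbatim because the relative displacement would have to be rewritten. The bytes after the jmp are filled with int3 so that anything landing in the middle of the displaced region faults instead of executing half an instruction. On live code the patch additionally needs the page made writable, an executable page for the trampoline, and a write that no other thread is executing through at that moment; none of that is modelled here.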

8 Responses to “Whence came function hooking?”

  • TarasC0 Says:
    June 14th, 2007 at 12:28 am

    http://research.microsoft.com/sn/detours/

  • » Hot Patching Says:
    June 14th, 2007 at 8:02 am

    […] http://kernelmustard.com/2007/06/13/whence-came-function-hooking/ http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx http://www.openrce.org/articles/full_view/22 http://www.apihooks.com/EliCZ/export.htm […]

  • valerino Says:
    June 14th, 2007 at 9:33 am

    Well, I think it relates to the virus scene … I remember back in DOS times the technique was already used in some .exe (LE, non-PE) viruses, for file infection purposes. They put jmp $viruscode at the entry point; then at the end of the file (or somewhere else, depending on the free caveats in the file) were the copied bytes from the function start, which trampolined back after the initial jmp inserted by the virus. Then, going further back in time, the same technique was used on the Amiga too, maybe even on the C64… so it was really nothing new.

    regards,
    valerio

  • dispensa Says:
    June 14th, 2007 at 9:36 am

    Yeah, that sounds reasonable. It’s certainly not “new” any more, but it was new at some point. I’m looking for that point. When was it invented?

  • valerino Says:
    June 14th, 2007 at 9:43 am

    Look at the first file infectors that came with the Amiga (I remember the first one was the SCA virus, made by a Swiss cracking group named, indeed, SCA). As far as I remember, it hooked the interrupt related to file access in the “detour” way to append itself to the file, then executed the real interrupt code. So, well … it was 1985 maybe, anyway mid-’80s.

    regards,
    valerio

  • dispensa Says:
    June 14th, 2007 at 9:44 am

    Thanks for the lead.

  • Anonymous Says:
    June 15th, 2007 at 2:54 pm

    Viruses aside, I would guess products that did compile-time instrumentation would hook the prologue/epilogue. Examples would be profilers and code coverage tools, among other developer tools. The first product that *I encountered* that did this was BoundsChecker (or TrueTime/TrueCoverage; not sure which one did this first, though they are all from the same company).

  • Marsh Ray Says:
    July 18th, 2007 at 6:58 am

    I think the technique is nearly as old as machine code itself.
    Unlike today, where we tend to replace whole load modules, in the olden days bug fixes were mainly distributed as binary ‘patches’ replacing a minimal sequence of instructions.
    I know this because I spent a summer in the mid-’80s ‘patching instructions’ in an entire room full of microfiche files of mostly IBM 370 assembler. Here’s an example from 1983: http://www-1.ibm.com/support/docview.wss?uid=isg1OZ74233

    “Systems” guys (i.e., assembler coders) considered the repetitive function prologues wasteful of the precious instructions. Patching there would have been an obvious way to replace an entire routine, but it would have been preferable to replace the offending instructions in the body.

    Doing it programmatically probably wasn’t done much until the internet allowed users to upgrade system DLLs more often than every few years. Before then, customers generally expected to need a new Norton Utilities, etc., whenever they upgraded DOS.
