It took me a long time to get to know EasyHook.
A simple comparison of how EasyHook and Detours behave once a hook is installed
Detours: once an API function is hooked, two addresses exist: one is the address of the real hook function, the other is the address of the actual API. EasyHook: once an API function is hooked, every call to that API goes to the same address, and an ACL controls whether that address jumps on to the real API.
Put differently: with Detours a hooked API becomes two functions; with EasyHook it remains one API, and you control the ACL to decide whether it jumps to the real API.
A special case in EasyHook: suppose you need to intercept both CreateFile and GetFileSize so that the file size is obtained at the moment a file is opened, i.e. both CreateFile and GetFileSize are called from inside HookCreateFile. Now a problem arises: the CreateFile call reaches the real API, while the GetFileSize call lands in HookGetFileSize. With more functions involved, this inevitably leads to problems.
Starting and stopping EasyHook hooks
EasyHook keeps a two-way ACL table: one mode is inclusive (LhSetInclusiveACL), the other exclusive (LhSetExclusiveACL). In the inclusive mode, the threads listed in the ACL are hooked; in the exclusive mode, the threads listed in the ACL are excluded from the hook.
So you can start and stop the hook at run time simply by switching the ACL.
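As an added example (not the post's or EasyHook's own code), this C model reproduces the start/stop mechanism described above: the trampoline stays installed and only the thread ACL decides whether a caller reaches the handler or the real API. The ACL struct, `run_scenario` and the file-size stand-ins are constructed for the example; the inclusive/exclusive semantics follow EasyHook's LhSetInclusiveACL/LhSetExclusiveACL.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of EasyHook's per-hook thread ACL (not EasyHook's code):
 * exclusive = every thread NOT listed is hooked, inclusive = ONLY listed threads. */
#define ACL_MAX 16
typedef struct { bool is_exclusive; unsigned long ids[ACL_MAX]; size_t count; } hook_acl;
typedef long (*file_size_fn)(const char *path);      /* stands in for GetFileSize */
typedef struct {
    hook_acl     acl;
    file_size_fn real;   /* trampoline to the original API */
    file_size_fn hook;   /* our handler, e.g. HookGetFileSize */
} local_hook;

static void acl_set(hook_acl *acl, bool exclusive, const unsigned long *ids, size_t n)
{
    acl->is_exclusive = exclusive;
    acl->count = 0;
    for (size_t i = 0; i < n && i < ACL_MAX; i++)
        acl->ids[acl->count++] = ids[i];
}
/* Same role as LhSetInclusiveACL / LhSetExclusiveACL: the trampoline stays in
 * place, only the routing decision changes, which is how a hook is started or stopped. */
static void set_inclusive_acl(local_hook *h, const unsigned long *ids, size_t n) { acl_set(&h->acl, false, ids, n); }
static void set_exclusive_acl(local_hook *h, const unsigned long *ids, size_t n) { acl_set(&h->acl, true, ids, n); }

static bool is_thread_intercepted(const hook_acl *acl, unsigned long tid)
{
    bool listed = false;
    for (size_t i = 0; i < acl->count; i++)
        if (acl->ids[i] == tid) listed = true;
    return acl->is_exclusive ? !listed : listed;
}
/* The single address every caller reaches once the API is hooked. */
static long hook_dispatch(const local_hook *h, unsigned long tid, const char *path)
{
    return is_thread_intercepted(&h->acl, tid) ? h->hook(path) : h->real(path);
}
/* constructed stand-ins: the real API returns a size, the handler returns a marker */
static long real_get_file_size(const char *p) { (void)p; return 4096; }
static long hook_get_file_size(const char *p) { (void)p; return -1; }
/* mode 0: stop (empty inclusive ACL); 1: start for all threads (empty exclusive ACL);
 * 2: hook only thread `listed` (inclusive); 3: hook all threads except `listed` (exclusive). */
long run_scenario(int mode, unsigned long listed, unsigned long caller)
{
    local_hook h = { {false, {0}, 0}, real_get_file_size, hook_get_file_size };
    if (mode == 1)      set_exclusive_acl(&h, NULL, 0);
    else if (mode == 2) set_inclusive_acl(&h, &listed, 1);
    else if (mode == 3) set_exclusive_acl(&h, &listed, 1);
    else                set_inclusive_acl(&h, NULL, 0);
    return hook_dispatch(&h, caller, "C:\\sample.bin");
}
```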
EasyHook Library Series tutorial 4: hook start and stop