Developers and administrators may wish to hook executable code to an existing module, function, or other target code for a variety of purposes. Code hooking involves injecting instructions into the target code to cause execution of alternate code, e.g., the hooked code. For instance, code hooking may be used to test the target code, to provide added functionality (e.g., extensions), to update or patch the target code, and so on.
One traditional technique to change an existing function or other target code involves redeveloping the target code to include the new instructions. The software project may then be entirely recompiled and redistributed. This technique relies upon direct changes to the source code and recompilation(s) of the entire software project. Accordingly, the technique is not suited to modifications made at runtime and may involve time consuming and costly redevelopment. Further, such a change may not be an option when the source code is not available.
Another technique to change an existing function or other target code involves overwriting an import address table (TAT) that may dynamically link to external functions. This technique allows code to be hooked by modifications to the TAT that is loaded by an application at runtime. The TAT holds references to imported functions, such as those loaded from a dynamic link library (DLL). By overwriting the address of a function in the TAT with an alternate function, code flow may be redirected to the alternate function. While TAT overwriting is suited for some scenarios, TAT overwriting is typically limited to inter-module calls because the linkers that use the TAT are limited to making local calls within the same module. Further, the TAT overwriting techniques may be defeated by direct calls to a function (e.g., static linking) Thus, TAT overwriting may not be suitable for certain applications, such as counters, tracking, error trapping, and so forth, because some calls to the target function (e.g., direct calls) may be missed.