https://github.com/Kara-4search/FullDLLUnhooking_CSharp
https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions

API Hooking - Introduction

BLUF

API hooking is a technique used to intercept and modify the behavior of an API function. It is commonly used for:

• Debugging
• Reverse Engineering
• Game Cheating
• Malware Development (e.g., bypassing security measures)

API hooking replaces an original API function with a custom version that executes additional actions before or after calling the original function. This allows modification of a program's behavior without altering its source code.

API function hook flow

From https://www.lrqa.com/en/cyber-labs/windows-inline-function-hooking/

1. A piece of redirection code overwrites part of the target function which will redirect any calls to it, into a callback function in our code
2. The callback is the second part and informs us that the target function was called. This is the main part of the hook; the part that allows us to change the behaviour of the target function or log the information passed into the target function.
3. The final part is commonly called a trampoline, since it bounces us back into the target function, as if nothing ever happened. The trampoline is created by the hooking code and holds a copy of part of the hooked function we overwrote initially.  The trampoline also contains some code to redirect execution back into to the hooked function just after the code we overwrote.

Why API Hooking?

API Hooking is useful in both security and offensive contexts:

Implementing API Hooking