EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationapi-hookinginline-hookiat-hook

API Hooking

How malware intercepts Windows API calls using inline trampoline hooks and IAT hooks — the mechanics of each, what trampolines are, rootkit hiding via NtQueryDirectoryFile, and detection tools.

Ashish Revar12 May 202616 min read2 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

The Malicious Process Lifecycle: From Execution to Evasion

How malware executes, establishes persistence, injects into legitimate processes, and evades detection inside modern operating systems.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

MITRE ATT&CK — Hijack Execution Flow: Import Address Table (T1574.006)

ATT&CK entry for IAT hooking with real-world examples and detection recommendations.

reference
API Monitor — Hook-Based API Tracing Tool

Free tool that hooks hundreds of Windows APIs and logs all calls with arguments. Essential for observing hook behaviour during dynamic analysis.

tool
More articlesTest your knowledge

What is API Hooking?

API hooking intercepts calls to operating system or library functions by modifying the call path. The malware's code executes instead of — or before/after — the original function.

Why malware uses hooks:

  • Rootkits hook system enumeration APIs to hide processes, files, and registry keys from the OS itself
  • Banking trojans hook browser SSL functions to intercept decrypted HTTPS traffic before it is displayed
  • Credential stealers hook authentication APIs to capture passwords at the point of entry

Technique 1: Inline Trampoline Hooking

Overwrites the first bytes of the target function with a JMP to the malware's handler. The original bytes are saved in a trampoline — a small code stub the handler can call to execute the original function.

Installation

; Target function: NtQueryDirectoryFile at 0x7C910000
; Malware writes a JMP to its hook handler at the start

; Original bytes (first 5 bytes):
;   MOV EAX, 0x91   ; syscall number
;   MOV EDX, 0x7FFE0300

; After hook installation:
;   JMP  hook_handler   ; 5-byte relative JMP
;   (remaining original bytes intact after offset 5)

The trampoline

; Trampoline stub (saved by malware before patching):
trampoline:
    MOV  EAX, 0x91          ; original first bytes (saved)
    MOV  EDX, 0x7FFE0300    ; original second instruction
    JMP  0x7C910005         ; jump past the patched bytes to continue

The hook handler:

  1. Intercepts the call
  2. Inspects or modifies arguments
  3. Calls the trampoline to run the real function
  4. Modifies the return value if needed
  5. Returns to the original caller

Refer to REMA eBook 2026, Figure 3.12 for the inline hook diagram showing the call flow before and after hook installation.

Rootkit example: hiding files

A rootkit hooks NtQueryDirectoryFile. When an application lists a directory:

  1. The hook intercepts the result
  2. Scans the returned file list
  3. Removes entries belonging to the rootkit's files
  4. Returns the filtered list to the caller

The user's Explorer and dir command see a clean directory. The malware files exist on disk but are invisible through the OS.

Technique 2: IAT Hooking

Modifies the Import Address Table entries in the target process to redirect API calls to a replacement function. Simpler to implement than inline hooking — no code patching required.

Before IAT hook:
  IAT entry for CreateFile → 0x7C801000 (real CreateFileA in kernel32.dll)

After IAT hook:
  IAT entry for CreateFile → 0x00401500 (malware's hook function)

Any call to CreateFile via the IAT now goes to the malware handler instead.

Detection

IAT hooks are detected by comparing IAT entries against the actual addresses of the corresponding functions in the loaded DLLs. If an IAT entry points outside the DLL it claims to import from, it is hooked.

Tools: API Monitor, x64dbg Imports panel, Scylla (checks IAT integrity).

Detection Tools

ToolMethodWhat It Finds
GMERCompares function prologues against disk copyInline hooks in kernel and user mode
Rootkit RevealerCross-view comparisonDiscrepancies between API output and raw disk/registry
x64dbg + HookSharkPrologue byte comparisonInline hooks in loaded DLLs
Volatility ssdtScans SSDT for modified entriesKernel-level SSDT hooks

Inline vs IAT Comparison

PropertyInline TrampolineIAT Hook
What is modifiedFunction code bytes in memoryImport table pointer
Persistence across DLL reloadNo — reloading the DLL removes the hookYes — IAT entry persists until process exits
DifficultyHigher — requires code patchingLower — pointer replacement only
DetectionPrologue byte comparisonIAT pointer validation
BypassesASLR makes address prediction harderOnly affects code using IAT (not direct calls)

Identifying Hooks During Analysis

In x64dbg:

1. Run the sample
2. View → Modules → select a suspicious DLL
3. Right-click → Find References to find all imports
4. Check each API of interest:
   - Ctrl+G → type API name → Enter
   - Examine first 5-10 bytes
   - Normal: MOV EAX, syscall_number / PUSH EBP / MOV EBP,ESP
   - Hooked: JMP 0x???????? (points outside the DLL's address range)

A JMP as the very first instruction of any API function is strong evidence of an inline hook.

ScyllaHide and Anti-Anti-Debug Hooks

ScyllaHide (covered in Unit 6) itself installs hooks to neutralise anti-debugging checks. This means hook detection tools may flag ScyllaHide's own hooks during analysis. When using ScyllaHide, expect to see additional JMP instructions at the start of NtQueryInformationProcess, IsDebuggerPresent, and related functions.