Skip to main content
Function hooking allows you to intercept function calls, modify their behavior, or prevent them from executing entirely. This is commonly used for game modding, debugging, and reverse engineering.

Basic Function Hooking

This example demonstrates hooking a take_damage function to prevent a player from taking damage - a classic “god mode” implementation.

Take Damage Hook Example

#include <libmem/libmem.h>

void hk_take_damage(int amount)
{
  printf("hooked take_damage! no damage will be taken\n");
  return;
}

int main()
{
	lm_module_t game_mod;
	lm_address_t fn_take_damage;

	LM_FindModule("game.dll", &game_mod);
	printf("[*] Base address of 'game.dll': %p\n", game_mod.base);

	fn_take_damage = LM_FindSymbolAddress(&game_mod, "take_damage");
	printf("[*] Found 'take_damage' function: %p\n", fn_take_damage);

	LM_HookCode(fn_take_damage, hk_take_damage, LM_NULLPTR);
	printf("[*] 'take_damage' hooked, player will no longer receive damage\n");

	return 0;
}

How It Works

1

Find the Target Module

Locate the module (DLL/SO) containing the function you want to hook using LM_FindModule.
2

Find the Function Address

Use LM_FindSymbolAddress to locate the function by its symbol name. If the function isn’t exported, you can use pattern scanning instead.
3

Create Hook Function

Write a function with the same signature as the original. This is what will execute when the original function is called.
4

Install the Hook

Call LM_HookCode to redirect the original function to your hook function. libmem automatically handles the low-level details.

Hook with Trampoline

If you want to call the original function from your hook, use a trampoline: 
#include <libmem/libmem.h>

typedef void (*take_damage_t)(int amount);
take_damage_t orig_take_damage = NULL;

void hk_take_damage(int amount)
{
    printf("[HOOK] Player taking %d damage\n", amount);
    
    // Reduce damage by half
    int reduced_damage = amount / 2;
    printf("[HOOK] Reducing damage to %d\n", reduced_damage);
    
    // Call original function with reduced damage
    orig_take_damage(reduced_damage);
}

int main()
{
    lm_module_t game_mod;
    lm_address_t fn_take_damage;
    lm_address_t trampoline;

    LM_FindModule("game.dll", &game_mod);
    fn_take_damage = LM_FindSymbolAddress(&game_mod, "take_damage");

    // Hook and save trampoline
    LM_HookCode(fn_take_damage, (lm_address_t)hk_take_damage, &trampoline);
    orig_take_damage = (take_damage_t)trampoline;

    printf("[*] Hook installed with trampoline at %p\n", (void*)trampoline);

    return 0;
}

Hooking External Processes

You can also hook functions in external processes using the Ex variants: 
#include <libmem/libmem.h>

int main()
{
    lm_process_t target_process;
    lm_module_t game_mod;
    lm_address_t fn_take_damage;
    lm_address_t hook_addr;
    lm_address_t trampoline;

    // Find target process
    LM_FindProcess("game.exe", &target_process);
    
    // Find module in target process
    LM_FindModuleEx(&target_process, "game.dll", &game_mod);
    
    // Find function in target process
    fn_take_damage = LM_FindSymbolAddress(&game_mod, "take_damage");
    
    // Allocate memory for hook in target process
    hook_addr = LM_AllocMemoryEx(&target_process, 1024, LM_PROT_XRW);
    
    // Write hook code to allocated memory
    // ... (write your shellcode)
    
    // Install hook in target process
    LM_HookCodeEx(&target_process, fn_take_damage, hook_addr, &trampoline);
    
    printf("[*] External hook installed\n");

    return 0;
}

Unhooking

To remove a hook and restore the original function: 
lm_address_t trampoline;
lm_size_t hook_size;

// When installing the hook, save the trampoline and size
hook_size = LM_HookCode(fn_take_damage, (lm_address_t)hk_take_damage, &trampoline);

// Later, to unhook:
LM_UnhookCode(fn_take_damage, trampoline, hook_size);
printf("[*] Hook removed\n");

Best Practices

Ensure your hook function has the exact same calling convention and parameters as the original. Mismatches can cause crashes.
If the hooked function is called from multiple threads, ensure your hook is thread-safe.
Always save the trampoline address and hook size if you plan to unhook later.
Hooks can crash the target process if implemented incorrectly. Test in a safe environment first.
If the function is exported, use LM_FindSymbolAddress. Otherwise, use pattern scanning to locate it.

Common Use Cases

  • God Mode: Prevent damage by hooking health reduction functions
  • Unlimited Resources: Hook resource consumption functions and prevent deduction
  • Function Logging: Hook functions to log when they’re called and with what parameters
  • Behavior Modification: Change function behavior by modifying parameters or return values
  • Anti-Cheat Bypass: Hook detection functions (educational purposes only)

Next Steps

Pattern Scanning

Find functions without symbol information

Hook API

Explore all hooking functions including VMT hooks

Build docs developers (and LLMs) love

Get started for freeTalk to us