A simple Windows x64 DLL hook demo that intercepts calls to
MessageBoxAusing inline patching (manual trampoline).
Perfect for understanding DLL injection, function hooking, and runtime behavior modification.
- Hooks
MessageBoxAviamov rax / jmp rax(12-byte patch, x64-compliant) - Displays a custom message (
💥 p0wn3d!) when the app callsMessageBoxA - Can be injected into any x64 Win32 app calling
MessageBoxA - Includes a test app with a button that triggers a MessageBox
Compile the DLL from hook64_msgboxa.c:
cl /LD hook64_msgboxa.c /Fehook64_msgboxa.dll user32.lib
⚠️ Requires Visual Studio + Developer Command Prompt for x64
Compile simple_app.c:
cl simple_app.c /Fesimple_app.exe user32.lib gdi32.libThe app shows a window with a button. Clicking it triggers MessageBoxA.
- Start simple_app.exe
- Use a DLL injector (Python or C) to inject hook64_msgboxa.dll
- Click the button in the window
✅ You’ll see:
Intercepted
💥 p0wn3d!
- Finds MessageBoxA in user32.dll
- Saves its first 12 bytes
- Overwrites it with:
mov rax, HookedFunction
jmp rax
- Redirects execution to HookedMessageBoxA, which modifies the message
- Optionally, the hook can be removed before calling the original
- This only works on x64 processes
- Hooking x86 requires a different approach (jmp rel32, 5 bytes)
- Modern apps often use MessageBoxW (Unicode); hook that if needed