1. Compilation
2. API
3. Memory
4. Process
5. Window
You must be familiar with the basic assembly instructions:
PUSH push a value onto the stack
MOV assignment (copy a value into a register or memory)
JMP (JNZ, JE) jump, unconditional or based on the flags set by the last comparison
CALL call a function (pushes the return address, then jumps)
RET return from a function (pops the return address into EIP)
CMP compare two operands by subtracting them and setting the flags
TEST compare by ANDing the operands and setting the flags
You must know what the registers are and how they are used:
EAX accumulator register (in general, results of calculations and the return value of a call)
EBX base register (holds a base address)
ECX count register (loop counter)
EDX data register (data)
EBP base pointer, used to address local variables and parameters
ESP stack pointer
EDI destination index register (destination of a data move)
ESI source index register (source of a data move)
EIP the position of the instruction currently being executed
A program cannot be fully decompiled, so we understand a function by reading its compiled code region by region.
An assignment in the assembler code may be to a function or to a variable.
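To make the instruction and register notes above concrete, here is an added teaching example (not part of the original notes and not real x86): a tiny interpreter for the listed mnemonics that models the stack with ESP, a frame with EBP, the zero flag for JE/JNZ, and the return value in EAX. The assembly dialect, the sum_to_ecx routine and the stack-top address are all constructed for this example.

```python
"""Toy model of PUSH/MOV/JMP/CALL/RET/CMP/TEST and the EAX..EIP registers.

Constructed example: a minimal interpreter, not a real CPU. It is only meant to
show how CALL/RET and PUSH/POP move ESP, how a prologue saves the caller's EBP,
how TEST/CMP drive JE/JNZ, and why EAX holds a call's result.
"""

REGISTERS = ("EAX", "EBX", "ECX", "EDX", "EBP", "ESP", "EDI", "ESI", "EIP")
STACK_TOP = 0x1000  # arbitrary starting ESP for the toy stack


def run(program, max_steps=10_000):
    """Execute a program: a list of (mnemonic, operand...) tuples and label strings."""
    labels = {ins: i for i, ins in enumerate(program) if isinstance(ins, str)}
    regs = {r: 0 for r in REGISTERS}
    regs["ESP"] = STACK_TOP
    mem = {}        # stack memory: address -> value
    zf = False      # zero flag, set by CMP/TEST, read by JE/JNZ

    def val(op):
        # An operand is either a register name or an immediate integer.
        return regs[op] if op in regs else int(op)

    def push(v):
        regs["ESP"] -= 4          # the stack grows toward lower addresses
        mem[regs["ESP"]] = v

    def pop():
        v = mem[regs["ESP"]]
        regs["ESP"] += 4
        return v

    steps = 0
    while regs["EIP"] < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit reached (infinite loop?)")
        ins = program[regs["EIP"]]
        regs["EIP"] += 1              # EIP already points past the fetched instruction
        if isinstance(ins, str):      # label: no operation
            continue
        op, *args = ins
        if op == "MOV":
            regs[args[0]] = val(args[1])
        elif op == "ADD":
            regs[args[0]] += val(args[1])
        elif op == "SUB":
            regs[args[0]] -= val(args[1])
        elif op == "PUSH":
            push(val(args[0]))
        elif op == "POP":
            regs[args[0]] = pop()
        elif op == "CMP":
            zf = (val(args[0]) - val(args[1])) == 0
        elif op == "TEST":
            zf = (val(args[0]) & val(args[1])) == 0
        elif op == "JMP":
            regs["EIP"] = labels[args[0]]
        elif op == "JE":
            if zf:
                regs["EIP"] = labels[args[0]]
        elif op == "JNZ":
            if not zf:
                regs["EIP"] = labels[args[0]]
        elif op == "CALL":
            push(regs["EIP"])         # save the return address on the stack
            regs["EIP"] = labels[args[0]]
        elif op == "RET":
            regs["EIP"] = pop()       # pop the return address back into EIP
        else:
            raise ValueError(f"unknown instruction {op}")
    return regs


# Constructed program: call a routine that sums 1..ECX and leaves the result in EAX.
PROGRAM = [
    ("MOV", "ECX", "5"),      # argument: count down from 5
    ("CALL", "sum_to_ecx"),
    ("MOV", "EBX", "EAX"),    # caller reads the result from EAX
    ("JMP", "done"),
    "sum_to_ecx",
    ("PUSH", "EBP"),          # prologue: save the caller's frame pointer
    ("MOV", "EBP", "ESP"),    # and set up our own frame
    ("MOV", "EAX", "0"),
    "loop",
    ("TEST", "ECX", "ECX"),   # ZF set exactly when ECX == 0
    ("JE", "end"),
    ("ADD", "EAX", "ECX"),
    ("SUB", "ECX", "1"),
    ("JMP", "loop"),
    "end",
    ("MOV", "ESP", "EBP"),    # epilogue: tear down the frame
    ("POP", "EBP"),           # restore the caller's EBP
    ("RET",),
    "done",
]


def call_sum(n):
    """Run the routine with ECX = n and return the value left in EAX."""
    program = [("MOV", "ECX", str(n))] + PROGRAM[1:]
    return run(program)["EAX"]


if __name__ == "__main__":
    final = run(PROGRAM)
    print("EAX =", final["EAX"], "EBX =", final["EBX"], "ESP restored:", final["ESP"] == STACK_TOP)
```

After the run, EAX and EBX hold 15, ESP is back at its starting value and EBP is back to the caller's 0: the prologue/epilogue pair and CALL/RET have balanced every PUSH with a POP, which is exactly the pattern to look for when reading a compiled function region by region.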
API: API calls and reading the API
A program on the Windows system calls API functions; we only need to find the key API functions it calls and hook them to achieve effects the program did not intend.
Memory: learn how the program is stored in memory
All data lives in memory, and every piece of data has a memory address; this address is what we call the memory address.
Process: a hook operates inside a process
Each process is independent apart from shared resources, and a process contains many loaded (including injected) DLLs; what gets hooked is not only the exe but, more often, a DLL.
Window: the message mechanism
The Windows system is message-based.