Function Hooking: IAT vs Inline

"Hooking" means making a function do your work instead of (or in addition to) its normal work. Game cheats, DLLs that log API calls, anti-cheat systems, and malware all use the same handful of techniques. The two foundational ones, IAT hooking and inline hooking, work in very different ways. This walks through both side by side.

1. What is "hooking" and why do people do it?

A short orientation before we dig into the two techniques.

2. IAT Hooking

Every Windows program has an Import Address Table (IAT): a list of pointers to functions it imports from DLLs like kernel32 or user32. Every call to an imported function goes through this table. Rewrite an IAT entry, and you've hooked every future call to that function from this program.

3. Inline Hooking (Detours-style)

Instead of changing where a pointer points, an inline hook changes the function's code directly. Overwrite the first few bytes with a jmp to your hook, save the original bytes somewhere safe (the "trampoline") so you can still call the real function later.

4. Which One When?

Both techniques have tradeoffs. A short comparison to decide which fits the job.