[GH-ISSUE #3163] [Feature Request]: Expose IPC interface for external hooking programs

kerem commented

2026-02-27 21:09:17 +03:00

Owner

Originally created by @kalaposfos13 on GitHub (Jun 27, 2025).
Original GitHub issue: https://github.com/shadps4-emu/shadPS4/issues/3163

Checklist

I have searched for a similar issue in this repository and did not find one.

Description

There should be some way to hook into eboot functions at specified addresses in a standardized and easy-to-use way. One possible way to implement that is the following suggestion by Nenkai:

have shad setup rpc, sends message about game starting, stopping, new module loaded
message contains module info (so base address for all modules, etc)

any modder that wants to hook code can use that info and hook using their own code outside shad

Reason

It will help debugging, modding, and reverse engineering games immensely.

Examples

Hooking into stubbed print functions to restore their functionality, or hooking into a function in which a game is silently crashing in to get more info about it.

Originally created by @kalaposfos13 on GitHub (Jun 27, 2025). Original GitHub issue: https://github.com/shadps4-emu/shadPS4/issues/3163 ### Checklist - [x] I have searched for a similar issue in this repository and did not find one. ### Description There should be some way to hook into eboot functions at specified addresses in a standardized and easy-to-use way. One possible way to implement that is the following suggestion by Nenkai: > have shad setup rpc, sends message about game starting, stopping, new module loaded message contains module info (so base address for all modules, etc) > > any modder that wants to hook code can use that info and hook using their own code outside shad ### Reason It will help debugging, modding, and reverse engineering games immensely. ### Examples Hooking into stubbed print functions to restore their functionality, or hooking into a function in which a game is silently crashing in to get more info about it.

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@Nenkai commented on GitHub (Jun 28, 2025):

To be clearer: it would be nice if shadPS4 had a way to communicate module information to any external listener. The workflow would be more or less like this:

On game start, module loaded, communicate this information externally (could be over raw sockets or any other way)
External user listens to that information externally
Hooks a module directly by address, or searches said module, using any x86-64 hooking library
Possibly alert on game exit aswell

Currently the only way to hook game code is by:

AOB Sigscanning shadPS4's mem range, which may not be ideal for anything other than the main module - the image base for all modules is hardcoded, but could change
Editing shadPS4 itself

Since x86-64 is rather mature when it comes to hooking (Detours, MinHook, LightHook, Reloaded.Hooks (C#) & more), I figured it'd be a nice addition to have on top of the cheats/patches system for enabling further game code modding.

Perhaps there's a better way to expose or use module information, but at least this gives some base to work from

@Nenkai commented on GitHub (Jun 28, 2025): To be clearer: it would be nice if shadPS4 had a way to communicate module information to any external listener. The workflow would be more or less like this: * On game start, module loaded, communicate this information externally (could be over raw sockets or any other way) * External user listens to that information externally * Hooks a module directly by address, or searches said module, using *any* x86-64 hooking library * Possibly alert on game exit aswell Currently the only way to hook game code is by: * AOB Sigscanning shadPS4's mem range, which may not be ideal for anything other than the main module - the image base for all modules is hardcoded, but could change * Editing shadPS4 itself Since x86-64 is rather mature when it comes to hooking (Detours, MinHook, LightHook, Reloaded.Hooks (C#) & more), I figured it'd be a nice addition to have on top of the cheats/patches system for enabling further game code modding. --- Perhaps there's a better way to expose or use module information, but at least this gives some base to work from

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@mailwl commented on GitHub (Jul 11, 2025):

it's easy to replace empty log function by editing source code of shadPS4 itself (and even set breakpoint by setting int3 to wanted address), but best will be implement gdbstub (like Citra does)

@mailwl commented on GitHub (Jul 11, 2025): it's easy to replace empty log function by editing source code of shadPS4 itself (and even set breakpoint by setting int3 to wanted address), but best will be implement gdbstub (like Citra does)

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@kalaposfos13 commented on GitHub (Jul 11, 2025):

For the record, here's an entirely self-contained way of making a game hook that is completely cross-platform (meaning it should work on all emulators on all OSes (currently shadPS4 only supports this on UNIX platforms though)): https://github.com/kalaposfos13/eboot-hooks-prx

@kalaposfos13 commented on GitHub (Jul 11, 2025): For the record, here's an entirely self-contained way of making a game hook that is completely cross-platform (meaning it should work on all emulators on all OSes (currently shadPS4 only supports this on UNIX platforms though)): https://github.com/kalaposfos13/eboot-hooks-prx

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@mailwl commented on GitHub (Jul 11, 2025):

shadPS4 can be compiled on WSL2, but perfomance is terrible. emulator on virtual machine with virtual GPU

@mailwl commented on GitHub (Jul 11, 2025): shadPS4 can be compiled on WSL2, but perfomance is terrible. emulator on virtual machine with virtual GPU

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@FrankvdStam commented on GitHub (Jul 22, 2025):

I second this. The memory location for the eboot has changed from v8 -> v10, 0x8ffffc000 -> 0x800000000, which broke things for me and led me to find this issue.

Currently I'm hardcoding this address, then calling VirtualQueryEx on it to retrieve the size of the region, which matches the size of the eboot. This region can be read into a buffer to do any kind of scans. This will only work consistently across different version of the emulator if the base address for the eboot does not change.

I think most modders will have their own toolkit/lib already. I agree that having something webbased or highlevel like that would be ideal, but also a lot of work, and might not exactly fit existing toolkits -> these will all rely on win32 APIs. Perhaps just exporting some global that exposes the eboot location (via __declspec(dllexport)) will be the cheapest first step. Modders will be used to these kinds of win32 shenanigans anyway.

@FrankvdStam commented on GitHub (Jul 22, 2025): I second this. The memory location for the eboot has changed from v8 -> v10, 0x8ffffc000 -> 0x800000000, which broke things for me and led me to find this issue. Currently I'm hardcoding this address, then calling VirtualQueryEx on it to retrieve the size of the region, which matches the size of the eboot. This region can be read into a buffer to do any kind of scans. This will only work consistently across different version of the emulator if the base address for the eboot does not change. I think most modders will have their own toolkit/lib already. I agree that having something webbased or highlevel like that would be ideal, but also a lot of work, and might not exactly fit existing toolkits -> these will all rely on win32 APIs. Perhaps just exporting some global that exposes the eboot location (via __declspec(dllexport)) will be the cheapest first step. Modders will be used to these kinds of win32 shenanigans anyway.

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@kalaposfos13 commented on GitHub (Jul 22, 2025):

@FrankvdStam if you check out my repo I linked, it shows an example of how to retrieve the eboot base address which should in theory work on all emulators and on the console as well

@kalaposfos13 commented on GitHub (Jul 22, 2025): @FrankvdStam if you check out my repo I linked, it shows an example of how to retrieve the eboot base address which should in theory work on all emulators and on the console as well

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@FrankvdStam commented on GitHub (Jul 22, 2025):

@FrankvdStam if you check out my repo I linked, it shows an example of how to retrieve the eboot base address which should in theory work on all emulators and on the console as well

Yes I had a quick glance but don't have the time for a deep dive now. I will read and try to understand it later, I unfortunately can't use it directly since I need this address from C# and from Rust, but I'm sure if I understand how you retrieve it I could make it work in C#. Thanks for sharing your solution!

@FrankvdStam commented on GitHub (Jul 22, 2025): > [@FrankvdStam](https://github.com/FrankvdStam) if you check out my repo I linked, it shows an example of how to retrieve the eboot base address which should in theory work on all emulators and on the console as well Yes I had a quick glance but don't have the time for a deep dive now. I will read and try to understand it later, I unfortunately can't use it directly since I need this address from C# and from Rust, but I'm sure if I understand how you retrieve it I could make it work in C#. Thanks for sharing your solution!

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@kalaposfos13 commented on GitHub (Jul 22, 2025):

For reference, this is the relevant part:
https://github.com/kalaposfos13/eboot-hooks-prx/blob/main/src/hooking.cpp#L33-L36

@kalaposfos13 commented on GitHub (Jul 22, 2025): For reference, this is the relevant part: https://github.com/kalaposfos13/eboot-hooks-prx/blob/main/src/hooking.cpp#L33-L36

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@mikusp commented on GitHub (Jul 22, 2025):

The eboot address is exported github.com/shadps4-emu/shadPS4@637e503685/src/common/memory_patcher.h (L17)

@mikusp commented on GitHub (Jul 22, 2025): The eboot address is exported https://github.com/shadps4-emu/shadPS4/blob/637e503685821171c3886871bbfccddc0a4ef218/src/common/memory_patcher.h#L17

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@FrankvdStam commented on GitHub (Jul 22, 2025):

Ah yes, starting from v10 I can see an export "?g_eboot_address@MemoryPatcher@@3_KA", thats exactly what I would need. Cheers!

@FrankvdStam commented on GitHub (Jul 22, 2025): Ah yes, starting from v10 I can see an export "?g_eboot_address@MemoryPatcher@@3_KA", thats exactly what I would need. Cheers!

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@kalaposfos13 commented on GitHub (Oct 3, 2025):

In the latest nightly, executable mappings now work correctly, allowing my prx library setup to work everywhere that shadPS4 supports. This is enough for my use cases, even though other people did ask for exposing this to external applications too. If anyone still wants that realized, leave a comment about it and I'll reopen the issue, but for now I think it can be considered as completed.

@kalaposfos13 commented on GitHub (Oct 3, 2025): In the latest nightly, executable mappings now work correctly, allowing my prx library setup to work everywhere that shadPS4 supports. This is enough for my use cases, even though other people did ask for exposing this to external applications too. If anyone still wants that realized, leave a comment about it and I'll reopen the issue, but for now I think it can be considered as completed.

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@mailwl commented on GitHub (Oct 4, 2025):

пожалуйста не закрывайте тему пока не будет рабочий gdbstub
как же сказать по английски? please, leave issue open, until gdbstub will work

@mailwl commented on GitHub (Oct 4, 2025): пожалуйста не закрывайте тему пока не будет рабочий gdbstub как же сказать по английски? please, leave issue open, until gdbstub will work

kerem commented

2026-02-27 21:09:18 +03:00

Author

Owner

@mailwl commented on GitHub (Oct 4, 2025):

ah! not my case, sorry kalaposfos13

@mailwl commented on GitHub (Oct 4, 2025): ah! not my case, sorry **kalaposfos13**

Rows
Columns

[GH-ISSUE #3163] [Feature Request]: Expose IPC interface for external hooking programs #980

Checklist

Description

Reason

Examples