XFire writes a jump at a few APIs; so far I've found it hooks EndScene from IDirect3DDevice9 and wglSwapBuffers. Just look up EndScene from the virtual methods table and you will see the hook. Since the current game I'm working on is OpenGL, I will show you how XFire hooks wglSwapBuffers.
5ED266A4 > 8BFF MOV EDI,EDI
5ED266A6 55 PUSH EBP
5ED266A7 8BEC MOV EBP,ESP
Standard WinAPI padding with MOV EDI, EDI and a basic stack frame, nothing special.
wglSwapBuffers with XFire loaded.
5ED266A4 >-E9 0B212FB1 JMP xfire_to.100187B4
As you can see, XFire writes a standard relative jump for its hooks (0xE9 followed by a relative offset to the target address), which is the most common "detouring" method.
Taking a look at the hook, it is very clean and even goes as far as to preserve the flags register.
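An added example (not part of the original post): a defender-side integrity check that decodes the `E9 rel32` detour from the listing above and flags a jump that leaves the owning module. The function address and bytes come from the listings; the module base and size are constructed values, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Result of inspecting the first bytes of a function entry point. */
typedef struct {
    int      hooked;  /* 1 if the entry starts with an E9 rel32 near jump */
    uint32_t target;  /* absolute destination (32-bit address space) */
} detour_info;

/* Bytes taken from the listings on this page. */
static const uint32_t SWAP_VA    = 0x5ED266A4u;
static const uint8_t  CLEAN[5]   = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
static const uint8_t  PATCHED[5] = {0xE9, 0x0B, 0x21, 0x2F, 0xB1};
/* Constructed (assumed) range of the module that owns the function. */
static const uint32_t MOD_BASE = 0x5ED00000u, MOD_SIZE = 0x000CC000u;

/* Decode "E9 rel32" located at virtual address va.
   target = va + 5 + rel32, wrapping at 32 bits. */
detour_info decode_detour(const uint8_t *code, size_t len, uint32_t va)
{
    detour_info r = {0, 0};
    if (len < 5 || code[0] != 0xE9)
        return r;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    r.hooked = 1;
    r.target = va + 5u + rel;
    return r;
}

/* 1 if addr lies in [base, base + size); unsigned wrap handles addr < base. */
int in_module(uint32_t addr, uint32_t base, uint32_t size)
{
    return (uint32_t)(addr - base) < size;
}

/* 1 if the entry point is detoured to code outside its own module. */
int is_foreign_detour(const uint8_t *code, size_t len, uint32_t va)
{
    detour_info d = decode_detour(code, len, va);
    return d.hooked && !in_module(d.target, MOD_BASE, MOD_SIZE);
}

int main(void)
{
    detour_info d = decode_detour(PATCHED, sizeof PATCHED, SWAP_VA);
    printf("clean foreign=%d\n", is_foreign_detour(CLEAN, sizeof CLEAN, SWAP_VA));
    printf("patched hooked=%d target=0x%08X foreign=%d\n", d.hooked,
           (unsigned)d.target, is_foreign_detour(PATCHED, sizeof PATCHED, SWAP_VA));
    return 0;
}
```

A check like this only reports the first hop; the code at the destination has to be verified separately.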
100187B4 55 PUSH EBP
100187B5 8BEC MOV EBP,ESP
100187B7 83EC 08 SUB ESP,8
100187BA 53 PUSH EBX
100187BB 52 PUSH EDX
100187BC 51 PUSH ECX
100187BD 56 PUSH ESI
100187BE 57 PUSH EDI
100187BF 9C PUSHFD
Once these hooks are in place, XFire makes various API calls to monitor resolution and graphical settings changes and to draw its in-game chat windows.
XFire also hooks the keyboard with SetWindowsHookEx( WH_KEYBOARD, ... ), installs various other Windows hooks and contains DDRAW code.
XFire is written in C++ and has various hooking classes, including ogl_hooks.cpp, d3d8_hooks.cpp, etc.
Now I suppose you are asking why this is relevant. Well, EndScene and wglSwapBuffers are both APIs that can be used to draw radar and ESP hacks, and even do the brunt of some basic aimbotting. Because XFire is both VAC2 and PunkBuster safe, one can exploit this to have undetected hooks. You can also go as far as to write your hook in the XFire module in one of its hooks to completely throw any anti-cheat off.
In conclusion fuck XFire.