
Project description

Win32Hooking

Description

This module hooks the IAT and EAT to monitor all external function calls; very useful for [malware] reversing and debugging.

This module should run in a virtual machine without any EDR, because it hooks all exported and imported functions. The hooks may be detected, and an EDR can kill the process and remove files. Another problem is that some EDRs inject their own APIs: hooking the EDR's API can prevent the executable from running, and some APIs cannot be resolved (for example SentinelOne's ntd1l.dll and kern3l32.dll, used to detect very basic shellcode, cannot be resolved as standard libraries).
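As an added illustration, not part of the Win32Hooking package, of what an IAT hook must locate before it can redirect a call: a standard-library parser that walks the import directory of a mapped PE32+ image and reports each import's IAT slot (the pointer the hook overwrites, and the pointer an EDR checks when it verifies IAT integrity). The image is constructed inline by hand and is not a real binary; the layout assumes RVA == offset, as seen from inside the process.

```python
import struct

def cstr(image, off):
    """Read the NUL-terminated ASCII string starting at offset off."""
    return image[off:image.index(b"\0", off)].decode("ascii")

def parse_imports(image):
    """Return [(dll, symbol, iat_rva)] for a mapped PE32+ image.
    iat_rva is the FirstThunk slot the loader fills with the resolved
    pointer: module_base + iat_rva is what an IAT hook overwrites."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    assert image[pe:pe + 4] == b"PE\0\0", "not a PE image"
    opt = pe + 24                                            # optional header
    assert struct.unpack_from("<H", image, opt)[0] == 0x20B, "PE32+ only"
    desc = struct.unpack_from("<I", image, opt + 112 + 8)[0]  # DataDirectory[1]
    out = []
    while True:  # one 20-byte IMAGE_IMPORT_DESCRIPTOR per DLL, null-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0:
            break
        dll = cstr(image, name_rva)
        lookup, slot = oft or ft, ft    # ILT (or IAT when no ILT) and the IAT
        while True:  # 8-byte thunks, null-terminated
            entry = struct.unpack_from("<Q", image, lookup)[0]
            if entry == 0:
                break
            if entry >> 63:                  # import by ordinal
                sym = f"#{entry & 0xFFFF}"
            else:                            # RVA of hint (2 bytes) + name
                sym = cstr(image, (entry & 0x7FFFFFFF) + 2)
            out.append((dll, sym, slot))
            lookup, slot = lookup + 8, slot + 8
        desc += 20
    return out

def build_sample_image():
    """Constructed demo image: KERNEL32.dll importing WriteFile and ordinal #7."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    struct.pack_into("<H", img, 0x84 + 16, 240)               # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x20B)                  # PE32+ magic
    struct.pack_into("<II", img, 0x98 + 112 + 8, 0x200, 40)   # import dir RVA/size
    img[0x300:0x30D] = b"KERNEL32.dll\0"
    img[0x310:0x31C] = b"\0\0WriteFile\0"                     # hint + name
    struct.pack_into("<IIIII", img, 0x200, 0x240, 0, 0, 0x300, 0x260)  # descriptor
    for thunks in (0x240, 0x260):                              # ILT and IAT
        struct.pack_into("<QQQ", img, thunks, 0x310, (1 << 63) | 7, 0)
    return bytes(img)
```

Before the loader runs, the IAT entries still equal the ILT entries; after loading (and after hooking) the slots at `module_base + iat_rva` hold function pointers, which is why comparing them against the on-disk image is a common detection.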

Requirements

This package requires:

  • python3
  • python3 Standard Library

Installation

Pip

python3 -m pip install Win32Hooking

Git

git clone "https://github.com/mauricelambert/Win32Hooking.git"
cd "Win32Hooking"
python3 -m pip install .

Wget

wget https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

cURL

curl -O https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

Usage

Command line

Win32Hooking              # Using CLI package executable
python3 -m Win32Hooking   # Using python module
python3 Win32Hooking.pyz  # Using python executable
Win32Hooking.exe          # Using python Windows executable

Win32Hooking "C:\Windows\System32\calc.exe"

Python script

from Win32Hooking import load

load(r"C:\Windows\System32\calc.exe")

License

Licensed under the GPL, version 3.

Download files

Source Distribution

win32hooking-0.0.1.tar.gz (20.2 kB)
