Project description

Win32Hooking

Description

This module hooks IAT and EAT to monitor all external functions calls, very useful for [malware] reverse and debugging.

This module should run in a virtual machine without any EDR, because it hooks every exported and imported function. The hooks may be detected, and an EDR can kill the process and remove files. Another problem is that some EDRs inject their own APIs: hooking an EDR-injected API can prevent the executable from running, and some of those APIs cannot be resolved (for example SentinelOne's ntd1l.dll and kern3l32.dll, used to detect very basic shellcode, cannot be resolved as standard libraries).
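The IAT hooks described above wrap every function the target's import table names, so it helps to see that list before running a sample (and to notice unexpected DLL names such as the EDR-injected ones mentioned). The following Python is an added example written for this page, not Win32Hooking's own code; it parses a PE32+ import directory and runs against a constructed minimal PE, and it assumes a 64-bit (PE32+) image and a single well-formed section table.

```python
import struct

def list_imports(pe):
    """Return {dll: [function]} from a PE32+ image's import directory (what an IAT hook covers)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew -> IMAGE_NT_HEADERS
    assert pe[nt:nt + 4] == b"PE\0\0"
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)     # NumberOfSections, SizeOfOptionalHeader
    opt = nt + 24                                                 # IMAGE_OPTIONAL_HEADER64
    imp_rva = struct.unpack_from("<I", pe, opt + 120)[0]          # DataDirectory[1] = import table (PE32+)
    secs = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]                                 # (VirtualSize, VA, RawSize, RawPtr)
    def off(rva):                                                 # RVA -> file offset via section table
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA %#x outside all sections" % rva)
    cstr = lambda o: pe[o:pe.index(b"\0", o)].decode()
    imports, desc = {}, off(imp_rva)
    while True:                                                   # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", pe, desc)
        if name_rva == 0:
            break
        funcs, thunk = [], off(ilt or iat)                        # prefer the unbound lookup table
        while (entry := struct.unpack_from("<Q", pe, thunk)[0]):  # 64-bit thunks, null-terminated
            funcs.append("#%d" % (entry & 0xFFFF) if entry >> 63  # bit 63 set: import by ordinal
                         else cstr(off(entry & 0x7FFFFFFF) + 2))  # else hint/name: skip 2-byte hint
            thunk += 8
        imports[cstr(off(name_rva))] = funcs
        desc += 20
    return imports

def build_sample_pe():
    """Constructed minimal PE32+ (not a real binary) importing two functions from kernel32.dll."""
    names = b"kernel32.dll\0\0\0CreateFileW\0\0\0WriteFile\0".ljust(40, b"\0")
    rva, hint1 = 0x1000, 0x1000 + 40 + 13                         # data section at RVA 0x1000 / raw 0x200
    data = struct.pack("<5I", rva + 80, 0, 0, rva + 40, rva + 80) + b"\0" * 20   # descriptor + terminator
    data += names + struct.pack("<QQQ", hint1, hint1 + 14, 0)     # lookup table -> two hint/name entries
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<HH", hdr, 0x44, 0x8664, 1)                 # Machine (x64), NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 240)                        # SizeOfOptionalHeader (PE32+)
    struct.pack_into("<H", hdr, 0x58, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", hdr, 0x58 + 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 120, rva, 40)             # import directory RVA / size
    struct.pack_into("<8s4I", hdr, 0x58 + 240, b".idata", len(data), rva, 0x200, 0x200)
    return bytes(hdr) + data.ljust(0x200, b"\0")

if __name__ == "__main__":
    print(list_imports(build_sample_pe()))   # {'kernel32.dll': ['CreateFileW', 'WriteFile']}
```

Pass the bytes of a real 64-bit target (for example the calc.exe used below) to list_imports to see the DLL/function pairs its IAT resolves; EAT hooks additionally cover each loaded module's exports, which this example does not enumerate.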

Requirements

This package requires:

  • python3
  • python3 Standard Library
  • PyPeLoader >= 0.2.0
  • PythonToolsKit >= 1.2.4

Installation

Pip

python3 -m pip install Win32Hooking

Git

git clone "https://github.com/mauricelambert/Win32Hooking.git"
cd "Win32Hooking"
python3 -m pip install .

Wget

wget https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

cURL

curl -O https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

Usages

Command line

Win32Hooking              # Using CLI package executable
python3 -m Win32Hooking   # Using python module
python3 Win32Hooking.pyz  # Using python executable
Win32Hooking.exe          # Using python Windows executable

Win32Hooking "C:\Windows\System32\calc.exe"

Python script

from Win32Hooking import load

load(r"C:\Windows\System32\calc.exe")

License

Licensed under the GPL, version 3.

Source Distribution

win32hooking-1.0.0.tar.gz (28.7 kB)

File metadata

  • Download URL: win32hooking-1.0.0.tar.gz
  • Size: 28.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.2
