This module hooks IAT and EAT to monitor all external functions calls, very useful for [malware] reverse and debugging.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for MauriceLambert from gravatar.com MauriceLambert
Meta

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: GNU General Public License v3 or later (GPLv3+) (GPL-3.0 License)
  • Author: Maurice Lambert
  • Maintainer: Maurice Lambert
  • Tags reverse , win32 , winapi , hook , iat , eat , hooking , api-hooking , malware-reverse , hook-import , hook-export , debugging
  • Requires: Python >=3.8
Classifiers
Report project as malware

Project description

Win32Hooking Logo

Win32Hooking

Description

This module hooks IAT and EAT to monitor all external functions calls, very useful for [malware] reverse and debugging.

This module should run in a virtual machine without any EDR because it hook all exported and imported functions. Hooks may be detected and EDR can kill the process and removes files. Another problem is some EDR injected API, hooking the EDR API can be a problem to run an executable and some API could not be resolved (for example SentinelOne ntd1l.dll and kern3l32.dll, used to detect very basic shellcode, cannot be resolved as standard library).

Requirements

This package require:

  • python3
  • python3 Standard Library
  • PyPeLoader >= 0.2.0
  • PythonToolsKit >= 1.2.4

Installation

Pip

python3 -m pip install Win32Hooking

Git

git clone "https://github.com/mauricelambert/Win32Hooking.git"
cd "Win32Hooking"
python3 -m pip install .

Wget

wget https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

cURL

curl -O https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

Usages

Command line

Win32Hooking              # Using CLI package executable
python3 -m Win32Hooking   # Using python module
python3 Win32Hooking.pyz  # Using python executable
Win32Hooking.exe          # Using python Windows executable

Win32Hooking "C:\Windows\System32\calc.exe"

Python script

from Win32Hooking import load

load(r"C:\Windows\System32\calc.exe")

Links

License

Licensed under the GPL, version 3.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for MauriceLambert from gravatar.com MauriceLambert
Meta

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: GNU General Public License v3 or later (GPLv3+) (GPL-3.0 License)
  • Author: Maurice Lambert
  • Maintainer: Maurice Lambert
  • Tags reverse , win32 , winapi , hook , iat , eat , hooking , api-hooking , malware-reverse , hook-import , hook-export , debugging
  • Requires: Python >=3.8
Classifiers

Release history Release notifications | RSS feed

1.2.0

1.1.1

This version

1.1.0

1.0.0

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

win32hooking-1.1.0.tar.gz (33.6 kB view details)

Uploaded Source

File details

Details for the file win32hooking-1.1.0.tar.gz.

File metadata

  • Download URL: win32hooking-1.1.0.tar.gz
  • Upload date:
  • Size: 33.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.2

File hashes

Hashes for win32hooking-1.1.0.tar.gz
Algorithm Hash digest
SHA256 39d7fe73eb6784391e4711f97bb09fcd521f83c3c6c341a5790854c10596c009
MD5 ddc23a9093d449102fbfe5297a204d42
BLAKE2b-256 22ec75b433e00f2197fb6bc6215defd0d5671a23c81113591aa9933a5cdebde0

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page