Project description

Win32Hooking

Description

This module hooks the IAT (Import Address Table) and EAT (Export Address Table) to monitor all external function calls, which is very useful for reverse engineering and debugging [malware].

This module should run in a virtual machine without any EDR, because it hooks all exported and imported functions. The hooks may be detected, and the EDR can then kill the process and remove files. Another problem is that some EDRs inject their own APIs into the process: hooking the EDR's API can prevent the executable from running, and some APIs cannot be resolved (for example SentinelOne's ntd1l.dll and kern3l32.dll, used to detect very basic shellcode, cannot be resolved as standard libraries).
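To make concrete what "hooking the IAT" covers, here is an added Python example (not part of Win32Hooking and not the project's own code) that builds a constructed minimal PE32+ file and walks its import directory the way the Windows loader does, listing the functions each DLL contributes to the IAT. The layout constants SECTION_RVA and SECTION_RAW and the sample import set are assumptions of the fixture. Enumerating imports statically is the natural first step before monitoring them at runtime; note that functions resolved later (for example through GetProcAddress) never appear in this table, which is one reason hooking the IAT alone does not reveal every external call.

```python
import struct

# Constructed fixture layout (assumption): one ".idata" section mapped at
# RVA 0x1000 and stored at file offset 0x200.
SECTION_RVA = 0x1000
SECTION_RAW = 0x200


def build_sample_pe(imports):
    """Build a minimal PE32+ file whose only section holds an import table.
    `imports` maps DLL name -> list of function names. Test fixture only:
    the image contains no code and is not a runnable program."""
    desc_size = 20 * (len(imports) + 1)              # descriptors + null terminator
    thunk_base = desc_size                           # ILT and IAT follow the descriptors
    name_base = thunk_base + sum(16 * (len(f) + 1) for f in imports.values())
    descriptors, thunks, names = bytearray(), bytearray(), bytearray()
    for dll, funcs in imports.items():
        dll_name_off = name_base + len(names)
        names += dll.encode("ascii") + b"\0"
        names += b"\0" * (len(names) % 2)            # keep hint/name entries 2-byte aligned
        entries = []
        for hint, func in enumerate(funcs):
            entries.append(SECTION_RVA + name_base + len(names))
            names += struct.pack("<H", hint) + func.encode("ascii") + b"\0"
            names += b"\0" * (len(names) % 2)
        table = b"".join(struct.pack("<Q", e) for e in entries) + bytes(8)
        ilt_off = thunk_base + len(thunks)
        thunks += table                              # Import Lookup Table
        iat_off = thunk_base + len(thunks)
        thunks += table                              # IAT: identical on disk, patched by the loader
        descriptors += struct.pack("<IIIII", SECTION_RVA + ilt_off, 0, 0,
                                   SECTION_RVA + dll_name_off, SECTION_RVA + iat_off)
    descriptors += bytes(20)
    section = bytes(descriptors + thunks + names)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                             # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                            # Magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, SECTION_RVA, desc_size)        # DataDirectory[1] = imports
    sec_hdr = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(section), SECTION_RVA,
                                          len(section), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + sec_hdr
    return headers + bytes(SECTION_RAW - len(headers)) + section


def _rva_to_offset(sections, rva):
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return {dll: [name or '#ordinal', ...]} from a PE file's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                   # PE32+: 8-byte thunks
        fmt, width, dirs_off, ord_flag = "<Q", 8, 108, 1 << 63
    elif magic == 0x10B:                                 # PE32: 4-byte thunks
        fmt, width, dirs_off, ord_flag = "<I", 4, 92, 1 << 31
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, opt + dirs_off)[0] < 2:
        return {}                                        # no import directory slot at all
    import_rva = struct.unpack_from("<I", data, opt + dirs_off + 4 + 8)[0]
    sections = []
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    imports = {}
    if import_rva == 0:
        return imports
    desc = _rva_to_offset(sections, import_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break                                        # all-zero terminator descriptor
        funcs = []
        thunk = _rva_to_offset(sections, ilt or iat)     # some linkers leave the ILT empty
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"#{entry & 0xFFFF}")        # import by ordinal: no name to hook by
            else:                                        # hint/name entry: 2-byte hint, then name
                funcs.append(_cstr(data, _rva_to_offset(sections, entry & 0x7FFFFFFF) + 2))
            thunk += width
        imports[_cstr(data, _rva_to_offset(sections, name_rva))] = funcs
        desc += 20
    return imports


# Constructed sample: the DLLs and functions a small Win32 program might import.
SAMPLE_IMPORTS = {"kernel32.dll": ["CreateFileW", "WriteFile"], "user32.dll": ["MessageBoxW"]}
SAMPLE_PE = build_sample_pe(SAMPLE_IMPORTS)

if __name__ == "__main__":
    for dll, funcs in parse_imports(SAMPLE_PE).items():
        print(dll, ", ".join(funcs))
```

The parser handles both PE32 and PE32+ thunk widths, imports by ordinal (which have no name, so a name-based hook would miss them), and binaries whose ILT is empty and only the IAT is populated; on a real file, feed it the bytes of the executable instead of the constructed fixture.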

Requirements

This package requires:

  • python3
  • python3 Standard Library
  • PyPeLoader >= 0.2.0
  • PythonToolsKit >= 1.2.4

Installation

Pip

python3 -m pip install Win32Hooking

Git

git clone "https://github.com/mauricelambert/Win32Hooking.git"
cd "Win32Hooking"
python3 -m pip install .

Wget

wget https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

cURL

curl -O https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

Usages

Command line

Win32Hooking              # Using CLI package executable
python3 -m Win32Hooking   # Using python module
python3 Win32Hooking.pyz  # Using python executable
Win32Hooking.exe          # Using python Windows executable

Win32Hooking "C:\Windows\System32\calc.exe"

Python script

from Win32Hooking import load

load(r"C:\Windows\System32\calc.exe")

License

Licensed under the GPL, version 3.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

win32hooking-1.1.1.tar.gz (33.7 kB view details)

File details

Details for the file win32hooking-1.1.1.tar.gz.

File metadata

  • Download URL: win32hooking-1.1.1.tar.gz
  • Size: 33.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.2

File hashes

Hashes for win32hooking-1.1.1.tar.gz:

  • SHA256: 9d52ab16e2b5452ed09eca22b34468fffa86e1d06c76a3106fab2083facd7679
  • MD5: e1dcad8560ea39da4ca44c2a5deb7efe
  • BLAKE2b-256: e2c3505b5fff7a89b1d027a421390df88863eedea31c4a9b8c71e43ec03f56e7
