A native Cython memory integrity and unhooking library for Windows
Project description
AntiHook Engine
A lightweight, high-performance user-mode memory integrity and unhooking engine for Windows, written in Cython.
It scans the Export Address Table (EAT) of loaded PE modules (e.g., ntdll.dll) to detect instruction redirects (relative, absolute, or indirect jumps) and restores their original .text sections from clean system files on disk.
Features
- Native PE Parsing: Traverses module exports with zero Python overhead using direct memory pointers.
- Hook Detection: Identifies standard user-mode hooks (relative, absolute, and indirect jumps).
- Origin Tracking: Resolves the exact path of the third-party DLL or security product placing the hook.
- Local Restoration: Replaces modified memory bytes with pristine bytes mapped directly from system files.
- No-CRT Evasion: Zero dependency on C Runtime (CRT) memory and string imports.
Quick Start
1. Requirements & Compilation
- Windows (x86/x64) with Python 3.8+
- Visual Studio C++ Build Tools (MSVC Compiler)
Open the appropriate Visual Studio Native Tools Command Prompt and run:
pip install build setuptools cython
python -m build
2. Usage
import antihook
import ctypes
import json
# Ensure target system DLL is loaded
ctypes.windll.ntdll
# Scan ntdll.dll
scan = antihook.unhook("ntdll.dll", scan_only=True)
print("Scan Results:", json.dumps(scan, indent=4))
# Restore ntdll.dll .text section
restored = antihook.unhook("ntdll.dll", scan_only=False)
print("Unhook Results:", json.dumps(restored, indent=4))
API Reference
unhook(module_name: str, scan_only: bool = False) -> dict
module_name: Target DLL name (e.g., "ntdll.dll").
scan_only: If True, only reports hooks. If False, performs the full unhooking routine.
Returns:
{
    "status": "success",
    "unhooked": true,
    "detected_hooks": [
        {
            "function": "NtCreateFile",
            "type": "Relative",
            "hook_address": "0x7FFE12345678",
            "hook_module": "C:\\Windows\\System32\\monitor.dll"
        }
    ]
}
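As an added illustration of the detection side only (example code, not part of the antihook package): how an integrity check classifies the three redirect types the scanner reports by comparing a live export prologue against the clean on-disk bytes and decoding the jump target. The addresses, prologue bytes and the read_ptr helper are constructed for the example; nothing here writes to process memory.

```python
import struct
from typing import Callable, Dict, List, Optional

MASK64 = (1 << 64) - 1

def classify_redirect(code: bytes, func_addr: int, read_ptr: Optional[Callable[[int], int]] = None) -> Optional[dict]:
    """Classify a prologue's leading instruction as one of the scanner's redirect types.
    Returns None when the bytes do not start with a recognised jump. read_ptr is an
    assumed helper that dereferences the pointer slot of an indirect jump."""
    # E9 rel32: relative jump, target = address of the next instruction + rel32
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"type": "Relative", "hook_address": (func_addr + 5 + rel) & MASK64}
    # 48 B8 imm64 / FF E0: mov rax, imm64 ; jmp rax (absolute jump)
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return {"type": "Absolute", "hook_address": struct.unpack_from("<Q", code, 2)[0]}
    # FF 25 disp32: jmp qword ptr [rip + disp32] (indirect jump through a pointer slot)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":
        slot = (func_addr + 6 + struct.unpack_from("<i", code, 2)[0]) & MASK64
        target = read_ptr(slot) if read_ptr else None
        return {"type": "Indirect", "hook_address": target, "pointer_slot": slot}
    return None

def scan_exports(in_memory: Dict[str, bytes], on_disk: Dict[str, bytes], addresses: Dict[str, int],
                 read_ptr: Optional[Callable[[int], int]] = None) -> List[dict]:
    """Report every export whose live prologue differs from the clean on-disk bytes.
    A changed prologue that is not a recognised jump is still reported, as 'Unknown'."""
    findings = []
    for name, live in in_memory.items():
        if live == on_disk.get(name):
            continue  # byte-identical to the clean file: no hook
        info = classify_redirect(live, addresses[name], read_ptr)
        findings.append({"function": name, **(info or {"type": "Unknown", "hook_address": None})})
    return findings

# Constructed sample data (not captured from a real system): one clean x64 syscall-style
# stub reused for every export, and three redirect styles written over its first bytes.
CLEAN = b"\x4C\x8B\xD1\xB8\x55\x00\x00\x00\xF6\x04\x25\x08\x03\xFE\x7F\x01"
ADDRESSES = {"NtCreateFile": 0x7FFE12340000, "NtOpenFile": 0x7FFE12340100,
             "NtReadFile": 0x7FFE12340200, "NtClose": 0x7FFE12340300}
ON_DISK = {name: CLEAN for name in ADDRESSES}
IN_MEMORY = {
    "NtCreateFile": b"\xE9" + struct.pack("<i", 0x7FFE00001000 - (0x7FFE12340000 + 5)) + CLEAN[5:],
    "NtOpenFile": b"\x48\xB8" + struct.pack("<Q", 0x7FFE00002000) + b"\xFF\xE0" + CLEAN[12:],
    "NtReadFile": b"\xFF\x25" + struct.pack("<i", 0x10) + CLEAN[6:],
    "NtClose": CLEAN,  # untouched export, must not be reported
}
FAKE_SLOTS = {0x7FFE12340216: 0x7FFE00003000}  # simulated read of NtReadFile's pointer slot

def demo() -> List[dict]:
    return scan_exports(IN_MEMORY, ON_DISK, ADDRESSES, FAKE_SLOTS.get)
```

demo() returns three findings (Relative, Absolute, Indirect) and leaves the untouched NtClose out, which is the shape the scanner's detected_hooks list takes minus the hook_module path, which requires walking the loaded-module list.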
Disclaimer
This project is intended strictly for authorized security research, application self-defense, and educational purposes. Modifying execution sections of system libraries in memory can cause instability if handled incorrectly. Use with caution.
License
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Source Distribution
File details
Details for the file antihook-0.1.0.tar.gz.
File metadata
- Download URL: antihook-0.1.0.tar.gz
- Upload date:
- Size: 90.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | fbf9e177fb60e4b8498359eb50b1d1aaa62c1d2bb89cbe1e5d6bb0f3d5dcddb7 |
| MD5 | 4e8c684bbedd45db580fb538f0fe5402 |
| BLAKE2b-256 | 0b3e058204b650f984847a785c5552d932d6880b2f6d2fce723652510f92a9ac |