
Project description


Win32Hooking

Description

This module hooks the Import Address Table (IAT) and the Export Address Table (EAT) to monitor all external function calls; it is very useful for [malware] reverse engineering and debugging.

This module should run in a virtual machine without any EDR, because it hooks every exported and imported function. The hooks may be detected, and an EDR can kill the process and remove files.

Some EDRs inject a DLL into the process and modify some elements so that functions are resolved through the EAT; I wrote a small bypass to run the module on a machine with one specific EDR. You can probably use it with an EDR, but it is not recommended.
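The description above says the module hooks the IAT and the EAT. As an added example (this is not Win32Hooking's code, whose hook installation is not shown here), the following standard-library script builds a constructed, minimal PE32+ image in memory and walks exactly those two tables: the export directory's AddressOfFunctions array (the EAT) and each import descriptor's FirstThunk array (the IAT). The DLL and function names inside the sample image are made up, and all function and method names are this example's own.

```python
"""Walk the IAT and EAT of a PE image with only the standard library. Added example,
not Win32Hooking's code: the PE32+ image is constructed in memory and never executed."""
import struct

EXPORT_DIR, IMPORT_DIR = 0, 1   # data directory indices (IMAGE_DIRECTORY_ENTRY_EXPORT/IMPORT)


def build_sample_pe() -> bytes:
    """Constructed PE32+ with one .rdata section holding an EAT and an IAT."""
    sec_rva = sec_off = 0x200   # RVA == file offset for this single section
    body = bytearray()

    def put(data: bytes) -> int:   # append 8-byte aligned and return its RVA
        body.extend(b"\0" * (-len(body) % 8))
        body.extend(data)
        return sec_rva + len(body) - len(data)

    # Export directory: AddressOfNames -> AddressOfNameOrdinals -> AddressOfFunctions (the EAT)
    dll = put(b"sample.dll\0")
    name_rvas = [put(n + b"\0") for n in (b"Hello", b"World")]
    funcs = put(struct.pack("<2I", 0x1000, 0x1010))   # code RVAs (dummy values)
    names, ords = put(struct.pack("<2I", *name_rvas)), put(struct.pack("<2H", 0, 1))
    export_dir = put(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll, 1, 2, 2, funcs, names, ords))
    # Import directory: ILT (read-only copy) and IAT (patched by the loader) for one DLL
    k32 = put(b"KERNEL32.dll\0")
    by_name = [put(struct.pack("<H", 0) + n + b"\0") for n in (b"CreateFileW", b"WriteFile")]
    thunks = struct.pack("<4Q", by_name[0], by_name[1], (1 << 63) | 7, 0)   # 2 by name, 1 by ordinal, end
    ilt, iat = put(thunks), put(thunks)
    import_dir = put(struct.pack("<5I", ilt, 0, 0, k32, iat) + bytes(20))   # descriptor + terminator
    # Headers: DOS header, PE signature, COFF header, PE32+ optional header, one section header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)   # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * EXPORT_DIR, export_dir, 40)
    struct.pack_into("<II", opt, 112 + 8 * IMPORT_DIR, import_dir, 40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return bytes(hdr.ljust(sec_off, b"\0") + body)


class PEImage:
    """Reads the headers, section table, export table and import table of a PE file."""
    def __init__(self, data: bytes):
        self.data = data
        e_lfanew, = struct.unpack_from("<I", data, 0x3C)
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("not a PE image")
        _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24
        self.is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
        dirs = opt + (112 if self.is64 else 96)            # data directory start
        ndirs, = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
        self.dirs = [struct.unpack_from("<II", data, dirs + 8 * i) for i in range(ndirs)]
        self.sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def rva_to_offset(self, rva: int) -> int:
        for _name, vsize, va, raw_size, raw_ptr in self.sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(self, rva: int) -> str:
        off = self.rva_to_offset(rva)
        return self.data[off:self.data.index(b"\0", off)].decode("ascii")

    def exports(self) -> dict:
        """name -> function RVA. An EAT hook rewrites the AddressOfFunctions entry, so
        GetProcAddress() on that DLL hands out the hook instead of the real function."""
        rva, _size = self.dirs[EXPORT_DIR]
        if not rva: return {}
        _name, _base, nfuncs, nnames, funcs, names, ords = struct.unpack_from("<7I", self.data, self.rva_to_offset(rva) + 12)
        func_rvas = struct.unpack_from(f"<{nfuncs}I", self.data, self.rva_to_offset(funcs))
        name_rvas = struct.unpack_from(f"<{nnames}I", self.data, self.rva_to_offset(names))
        ordinals = struct.unpack_from(f"<{nnames}H", self.data, self.rva_to_offset(ords))
        return {self.cstr(n): func_rvas[o] for n, o in zip(name_rvas, ordinals)}

    def imports(self) -> dict:
        """dll -> [(symbol, IAT slot RVA)]. The loader writes each resolved address into
        its IAT slot; an IAT hook overwrites that slot with the hook's own address."""
        rva, _size = self.dirs[IMPORT_DIR]
        if not rva: return {}
        fmt, width, ord_flag = ("<Q", 8, 1 << 63) if self.is64 else ("<I", 4, 1 << 31)
        result, off = {}, self.rva_to_offset(rva)
        while True:
            ilt, _ts, _fwd, name, iat = struct.unpack_from("<5I", self.data, off)
            if not (ilt or name or iat):      # all-zero descriptor terminates the list
                break
            lookup, slot, entries = self.rva_to_offset(ilt or iat), iat, []
            while (thunk := struct.unpack_from(fmt, self.data, lookup)[0]) != 0:
                sym = f"#{thunk & 0xFFFF}" if thunk & ord_flag else self.cstr(thunk + 2)  # +2 skips the hint
                entries.append((sym, slot))
                lookup, slot = lookup + width, slot + width
            result[self.cstr(name)] = entries
            off += 20
        return result


if __name__ == "__main__":
    pe = PEImage(build_sample_pe())
    print("EAT:", pe.exports(), "\nIAT:", pe.imports())
```

To run it against a real file, pass the bytes of a DLL or EXE read from disk to PEImage instead of build_sample_pe(). The RVAs it reports are the cells a hook has to patch: the AddressOfFunctions entries for an EAT hook, and the FirstThunk cells (once the loader has filled them with resolved addresses) for an IAT hook. A memory integrity check that compares those cells with the on-disk image is one way such hooks get detected, which is the reason for the EDR warning above.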

Requirements

This package requires:

  • python3
  • python3 Standard Library
  • PyPeLoader >= 0.2.0
  • PythonToolsKit >= 1.2.4

Installation

Pip

python3 -m pip install Win32Hooking

Git

git clone "https://github.com/mauricelambert/Win32Hooking.git"
cd "Win32Hooking"
python3 -m pip install .

Wget

wget https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

cURL

curl -O https://github.com/mauricelambert/Win32Hooking/archive/refs/heads/main.zip
unzip main.zip
cd Win32Hooking-main
python3 -m pip install .

Usage

Command line

Win32Hooking              # Using CLI package executable
python3 -m Win32Hooking   # Using python module
python3 Win32Hooking.pyz  # Using python executable
Win32Hooking.exe          # Using python Windows executable

Win32Hooking "C:\Windows\System32\calc.exe"

Python script

from Win32Hooking import load

load(r"C:\Windows\System32\calc.exe")

License

Licensed under the GPL, version 3.

Download files


Source Distribution

win32hooking-1.2.0.tar.gz (35.4 kB)

File details for win32hooking-1.2.0.tar.gz

  • Download URL: win32hooking-1.2.0.tar.gz
  • Size: 35.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.2

Hashes for win32hooking-1.2.0.tar.gz

  • SHA256: c3cb6bc3275127219720dfd2e54ea61d05e1534b3502b47cef4c77c80066e59e
  • MD5: ab107f050761fc721ab6718891de9e3d
  • BLAKE2b-256: dd8a3cac5a55c11ea737addb15868263b57fdbef47e3163cea7e0e28ef1f5a47

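Because this tool is meant to run on a malware analysis box, the digests above are worth using rather than reading. As an added example (not part of Win32Hooking), the script below checks a downloaded sdist against the published SHA-256 and emits the hash-pinned requirements line that makes pip refuse anything else. The digest and version are copied from the file details above; the file path and the function names are this example's own.

```python
"""Verify a downloaded Win32Hooking sdist against the SHA-256 published on PyPI and
emit a hash-pinned requirements line. Added example, not part of Win32Hooking; the
digest and version are copied from the PyPI file details, the path is an assumption."""
import hashlib
import hmac

SDIST = "win32hooking-1.2.0.tar.gz"
SDIST_SHA256 = "c3cb6bc3275127219720dfd2e54ea61d05e1534b3502b47cef4c77c80066e59e"


def sha256_of(path: str) -> str:
    """Stream the file so large archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sdist(path: str, expected: str = SDIST_SHA256) -> bool:
    """True only if the digest matches. The page also lists MD5, but MD5 is not
    collision resistant, so only SHA-256 (or BLAKE2b) should gate an install."""
    return hmac.compare_digest(sha256_of(path), expected.lower())


def pinned_requirement(version: str = "1.2.0", digest: str = SDIST_SHA256) -> str:
    """Requirements-file line; `pip install --require-hashes -r` then refuses any
    artifact whose digest differs, including a later re-upload or a tampered mirror."""
    return f"Win32Hooking=={version} --hash=sha256:{digest}"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else SDIST
    print("OK" if verify_sdist(path) else "MISMATCH", path)
    print(pinned_requirement())
```

With --require-hashes, pip insists that every requirement in the file, including the dependencies PyPeLoader and PythonToolsKit, carries a --hash entry, so pin those too or pip aborts the install.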
