A Windows API hooking library

Overview

Mhook - a Windows API hooking library

Introduction

This library was created as a free alternative to Microsoft Detours. It was originally developed by Marton Anka and is currently supported and developed by Apriorit.

How to use

// Include the headers
#include <windows.h>
#include <stdio.h>
#include <mhook-lib/mhook.h>

// Save the original function
typedef ULONG (WINAPI* _NtClose)(IN HANDLE Handle);
_NtClose TrueNtClose = (_NtClose)GetProcAddress(GetModuleHandle(L"ntdll"), "NtClose");

// Declare the function that will handle the hook:
ULONG WINAPI HookNtClose(HANDLE hHandle)
{
    printf("***** Call to NtClose(0x%p)\n", hHandle);
    // Call through the saved pointer; after Mhook_SetHook it points at the trampoline
    return TrueNtClose(hHandle);
}

//...

// Set the hook
BOOL isHookSet = Mhook_SetHook((PVOID*)&TrueNtClose, HookNtClose);

//...

// After finishing using the hook, remove it
Mhook_Unhook((PVOID*)&TrueNtClose);

You can also set a bunch of hooks in one call:

HOOK_INFO hooks[] =
{
    { (PVOID*)&TrueNtOpenProcess, HookNtOpenProcess },
    { (PVOID*)&TrueSelectObject, HookSelectobject },
    { (PVOID*)&Truegetaddrinfo, Hookgetaddrinfo },
    { (PVOID*)&TrueHeapAlloc, HookHeapAlloc },
    { (PVOID*)&TrueNtClose, HookNtClose }
};

int numberOfSetHooks = Mhook_SetHookEx(hooks, 5);
    
//...

// Removing hooks
int numberOfRemovedHooks = Mhook_UnhookEx(hooks, 5);

Setting multiple hooks in one call also performs much better than setting them one at a time.

License

Mhook is freely distributed under an MIT license.

Version history

Version 2.5.1 (30 March 2018)

  • Fix #1: VirtualAlloc hooking reports anomaly
  • New #2: Add integration to vcpkg package
  • New #3: Add AppVeyor CI
  • Fix #4: Add ability to hook functions with call in first 5 bytes

Version 2.5 (20 Oct 2017)

  • 10x performance boost
  • CMake build system
  • Change tabs to spaces
  • Ability to hook functions with je/jne in the first 5 bytes
  • Fix hook recursion
  • Other fixes

Version 2.4 (05 Mar 2014, the last from the original author)

  • A number of improvements: hot patch location (mov edi, edi) handling, support for REX-prefixed EIP-relative jumps on x64, removal of compile-time limit on the number of hooks

Version 2.3 (15 Jan 2012)

  • A bugfix that allows hooking more API functions

Version 2.2 (27 Jun 2008)

  • Support for instructions using IP-relative addressing

Version 2.1 (15 Oct 2007)

  • Fixes

Version 2.0 (08 Jul 2007)

  • Built-in disassembler

Version 1.0 (24 Jun 2007)

  • Original release

Acknowledgements

Mhook contains a disassembler that is a stripped-down version of the excellent tDisasm package by Matt Conover. Thank you Matt! tDisasm comes with a BSD-style license, and re-releasing a derivative of it under the MIT license has been confirmed to be OK by its author.

Alexandr Filenkov submitted bugfixes in Sept-2007. Michael Syrovatsky submitted fixes for IP-relative addressing in Jun-2008. Andrey Kubyshev submitted a bugfix in Jul-2011 and Jan-2013. John McDonald enabled unlimited hooks. Kasper Brandt provided a fix for hot patch function prologues.

Issues
  • Potential access NULL pointer in mhook.c

    The function below in mhook.c:

    static BOOL GetCurrentProcessSnapshot(PVOID* snapshot, PSYSTEM_PROCESS_INFORMATION* procInfo)
    {
        // get a view of the threads in the system
    
        if (!CreateProcessSnapshot(snapshot))
        {
            ODPRINTF((L"mhooks: can't get process snapshot!"));
            return FALSE;
        }
    
        DWORD pid = GetCurrentProcessId();
    
        *procInfo = FindProcess(*snapshot, pid);
        return TRUE;
    }
    

    In case FindProcess returns NULL, this function still returns TRUE.

    Solution:

    ...
    return NULL != *procInfo;
    
    opened by pvthuyet 8
  • How to work with it?

    Hiya, I used mhook (2.4) today, and it worked fine, but the DLL I created kept getting unloaded.

    Now I found your project and I'm trying to figure out how to get started with it. The getting started is pretty small and I can't understand it: if I use it with the AppInit hooking method, I don't get how it is supposed to load the DLL hooks if there is no DLL entry point in your example test.

    Can I have an explanation? Do you guys have an IRC/Discord channel by any chance?

    question wontfix 
    opened by RapidEU 8
  • VirtualAlloc hooking reports anomaly

    On Win10, hooking VirtualAlloc gives the following error message/warning: [0x7FFEF0CADFE0] ANOMALY: meaningless REX prefix used

    The function after the skipped jumps: https://pastebin.com/RRaQ8JG0

    This doesn't happen on Win7 (I'd have to get back to you with the disassembly on that if you need it). The hook works, but I am not sure if I can simply ignore that or if I have to "fix" that in some way in the library. Can you tell me why this is bad? http://wiki.osdev.org/X86-64_Instruction_Encoding#REX_prefix This site lists it as a legacy opcode. Can you clarify this please?

    bug 
    opened by simonides 6
  • Hooking CopyFileA/W

    Hi, I built a sample (AppInitHook) and added global hooks for CopyFileA/W. I also created a simple application that calls CopyFileA/W. The DLL installs those hooks, but the hooks aren't called when I run the application that calls CopyFileA/W.

    I didn't find any special limitations for Kernel32.dll. Are there any limitations?

    #include "mhook/mhook-lib/mhook.h"
    #include <fstream>
    
    typedef BOOL(WINAPI* _CopyFileA)(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, BOOL bFailIfExists);
    typedef BOOL(WINAPI* _CopyFileW)(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, BOOL bFailIfExists);
    typedef BOOL(WINAPI* _CopyFileExA)(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, LPBOOL pbCancel, DWORD dwCopyFlags);
    //////////////////////////////////////////////////////////////////////////
    // Defines and typedefs
    
    #define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
    
    typedef struct _MY_SYSTEM_PROCESS_INFORMATION 
    {
        ULONG                   NextEntryOffset;
        ULONG                   NumberOfThreads;
        LARGE_INTEGER           Reserved[3];
        LARGE_INTEGER           CreateTime;
        LARGE_INTEGER           UserTime;
        LARGE_INTEGER           KernelTime;
        UNICODE_STRING          ImageName;
        ULONG                   BasePriority;
        HANDLE                  ProcessId;
        HANDLE                  InheritedFromProcessId;
    } MY_SYSTEM_PROCESS_INFORMATION, *PMY_SYSTEM_PROCESS_INFORMATION;
    
    typedef NTSTATUS (WINAPI *PNT_QUERY_SYSTEM_INFORMATION)(
        __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,
        __inout    PVOID SystemInformation,
        __in       ULONG SystemInformationLength,
        __out_opt  PULONG ReturnLength
        );
    
    //////////////////////////////////////////////////////////////////////////
    // Original function
    
    PNT_QUERY_SYSTEM_INFORMATION OriginalNtQuerySystemInformation = 
        (PNT_QUERY_SYSTEM_INFORMATION)::GetProcAddress(::GetModuleHandle(L"ntdll"), "NtQuerySystemInformation");
    
    _CopyFileA origCPAHandlerPtr = (_CopyFileA)::GetProcAddress(::GetModuleHandle(L"Kernel32"), "CopyFileA");
    _CopyFileW origCPWHandlerPtr = (_CopyFileW)::GetProcAddress(::GetModuleHandle(L"Kernel32"), "CopyFileW");
    _CopyFileExA origCopyFileExAPtr = (_CopyFileExA)::GetProcAddress(::GetModuleHandle(L"Kernel32"), "CopyFileExA");
    //////////////////////////////////////////////////////////////////////////
    // Hooked function
    
    BOOL WINAPI HookCopyFileExA(
    	LPCSTR             lpExistingFileName,
    	LPCSTR             lpNewFileName,
    	LPPROGRESS_ROUTINE lpProgressRoutine,
    	LPVOID             lpData,
    	LPBOOL             pbCancel,
    	DWORD              dwCopyFlags
    )
    {
    	std::ofstream("c:/tmp/test.txt", std::ios::app) << "CopyFileA" << std::endl;
    
    	if (origCopyFileExAPtr == nullptr)
    		return FALSE;
    
    	return origCopyFileExAPtr(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags);
    }
    
    BOOL WINAPI HookCopyFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, BOOL bFailIfExists)
    {
    
    	//	CallHandler::logCall("CopyFileA", lpExistingFileName, lpNewFileName);
    	std::ofstream("c:/tmp/test.txt", std::ios::app) << "CopyFileA" << std::endl;
    
    	if (origCPAHandlerPtr == nullptr)
    		return FALSE;
    
    	return origCPAHandlerPtr(lpExistingFileName, lpNewFileName, bFailIfExists);
    }
    
    BOOL WINAPI HookCopyFileW(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, BOOL bFailIfExists)
    {
    	//getHandlers().getOriginFunctionPtr(L"Kernel32.dll", "CopyFileW");
    
    //	CallHandler::logCall("CopyFileW", lpExistingFileName, lpNewFileName);
    
    	std::ofstream("c:/tmp/test.txt", std::ios::app) << "CopyFileW" << std::endl;
    
    	if (origCPWHandlerPtr == nullptr)
    		return FALSE;
    
    	return origCPWHandlerPtr(lpExistingFileName, lpNewFileName, bFailIfExists);
    }
    
    NTSTATUS WINAPI HookedNtQuerySystemInformation(
        __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,
        __inout    PVOID                    SystemInformation,
        __in       ULONG                    SystemInformationLength,
        __out_opt  PULONG                   ReturnLength
        )
    {
    	std::ofstream("c:/tmp/test.txt", std::ios::app) << "NtQuerySystemInformation" << std::endl;
    
        NTSTATUS status = OriginalNtQuerySystemInformation(SystemInformationClass,
            SystemInformation,
            SystemInformationLength,
            ReturnLength);
    
        if (SystemProcessInformation == SystemInformationClass && STATUS_SUCCESS == status)
        {
            //
            // Loop through the list of processes
            //
    
            PMY_SYSTEM_PROCESS_INFORMATION pCurrent = NULL;
            PMY_SYSTEM_PROCESS_INFORMATION pNext    = (PMY_SYSTEM_PROCESS_INFORMATION)SystemInformation;
            
            do
            {
                pCurrent = pNext;
                pNext    = (PMY_SYSTEM_PROCESS_INFORMATION)((PUCHAR)pCurrent + pCurrent->NextEntryOffset);
    
                if (!wcsncmp(pNext->ImageName.Buffer, L"Calculator.exe", pNext->ImageName.Length))
                {
                    if (0 == pNext->NextEntryOffset)
                    {
                        pCurrent->NextEntryOffset = 0;
                    }
                    else
                    {
                        pCurrent->NextEntryOffset += pNext->NextEntryOffset;
                    }
    
                    pNext = pCurrent;
                }            
            } 
            while(pCurrent->NextEntryOffset != 0);
        }
    
        return status;
    }
    
    //////////////////////////////////////////////////////////////////////////
    // Entry point
    
    BOOL WINAPI DllMain(
        __in HINSTANCE  hInstance,
        __in DWORD      Reason,
        __in LPVOID     Reserved
        )
    {        
    	std::ofstream("c:/tmp/test.txt", std::ios::app) << "DllMain" << std::endl;
    
        switch (Reason)
        {
        case DLL_PROCESS_ATTACH:
    		std::ofstream("c:/tmp/test.txt", std::ios::app) << "DLL_PROCESS_ATTACH " << Mhook_SetHook((PVOID*)&origCPAHandlerPtr, HookCopyFileA) << std::endl;
    		std::ofstream("c:/tmp/test.txt", std::ios::app) << "DLL_PROCESS_ATTACH " << Mhook_SetHook((PVOID*)&origCPWHandlerPtr, HookCopyFileW) << std::endl;
    //        Mhook_SetHook((PVOID*)&OriginalNtQuerySystemInformation, HookedNtQuerySystemInformation);
    		std::ofstream("c:/tmp/test.txt", std::ios::app) << "DLL_PROCESS_ATTACH " <<  Mhook_SetHook((PVOID*)&origCopyFileExAPtr, HookCopyFileExA) << std::endl;
            break;
    
        case DLL_PROCESS_DETACH:
    		std::ofstream("c:/tmp/test.txt", std::ios::app) << "DLL_PROCESS_DETACH" << std::endl;
    //        Mhook_Unhook((PVOID*)&OriginalNtQuerySystemInformation);
    		Mhook_Unhook((PVOID*)&origCPAHandlerPtr);
    		Mhook_Unhook((PVOID*)&origCPWHandlerPtr);
    		Mhook_Unhook((PVOID*)&origCopyFileExAPtr);
            break;
    
    	default:
    		std::ofstream("c:/tmp/test.txt", std::ios::app) << "def: " << Reason << std::endl;
        }
    
        return TRUE;
    }
    

    And simple app:

    #include <iostream>
    #include <Windows.h>
    
    int main()
    {
    	CopyFileA("c:/tmp/1.txt", "c:/tmp/2.txt", FALSE);
    	CopyFileW(L"c:/tmp/1.txt", L"c:/tmp/2.txt", FALSE);
        std::cout << "Hello World!\n"; 
    }
    
    wontfix 
    opened by RomanLuchyshyn 5
  • Unable to hook DestroyCaret function from user32 module

    I want to hook the CreateCaret and DestroyCaret functions from user32.dll. Hooking CreateCaret works OK, but DestroyCaret does not.

    #include <Windows.h>
    
    typedef BOOL(WINAPI *CreateCaretFuncPtr)(
    	_In_ HWND hWnd,
    	_In_opt_ HBITMAP hBitmap,
    	_In_ int nWidth,
    	_In_ int nHeight);
    
    typedef BOOL(WINAPI *DestroyCaretFuncPtr)(VOID);
    
    static CreateCaretFuncPtr CreateCaretOrigFuncPtr = NULL;
    static DestroyCaretFuncPtr DestroyCaretOrigFuncPtr = NULL;
    
    static BOOL WINAPI MyCreateCaret(
    	_In_ HWND hWnd,
    	_In_opt_ HBITMAP hBitmap,
    	_In_ int nWidth,
    	_In_ int nHeight)
    {
    	return CreateCaretOrigFuncPtr(hWnd, hBitmap, nWidth, nHeight);
    }
    
    static BOOL WINAPI MyDestroyCaret(VOID)
    {
    	return DestroyCaretOrigFuncPtr();
    }
    

    In main function I have:

    HMODULE user32ModuleHandle = GetModuleHandle(L"User32");
    CreateCaretOrigFuncPtr = (CreateCaretFuncPtr)GetProcAddress(user32ModuleHandle, "CreateCaret");
    DestroyCaretOrigFuncPtr = (DestroyCaretFuncPtr)GetProcAddress(user32ModuleHandle, "DestroyCaret");
    // will be true
    bool createHookSetOk = Mhook_SetHook((PVOID*)&CreateCaretOrigFuncPtr, MyCreateCaret);
    // will be false
    bool destroyHookSetOk = Mhook_SetHook((PVOID*)&DestroyCaretOrigFuncPtr, MyDestroyCaret);
    

    I studied a bit how mhook works under the hood and I see that the first call to DisassembleAndSkip in Mhook_SetHookEx returns an instruction length of 5 bytes for CreateCaret, but 2 bytes for DestroyCaret. OllyDbg shows that CreateCaret starts with MOV EAX,1032 (5 bytes long), while DestroyCaret is:

    759B38C7   6A 06            PUSH 6
    759B38C9   E8 1F28FFFF      CALL USER32.759A60ED
    759B38CE   C3               RETN
    

    The first instruction of DestroyCaret is PUSH, which takes 2 bytes. So DisassembleAndSkip returns 2 bytes and we go to the else block, where a check for IsJumpPresentInFirstFiveBytes takes place. IsJumpPresentInFirstFiveBytes returns false because it checks only for conditional jumps (ITYPE_BRANCHCC). So the trampoline is not created.

    Could anyone please comment on this situation? Is this a known behavior?

    In IsJumpPresentInFirstFiveBytes I tried to add a check for ITYPE_CALL and return true for that, and after that I see that my hook is working (gets called). Is there any drawback to such a modification?

    OS is Windows 7. Application type is x86.

    enhancement 
    opened by rommar 4
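The DestroyCaret report above, the 2.5 and 2.5.1 entries in the version history (je/jne and call in the first 5 bytes) and the Mhook_SetHook calls in the "How to use" section all rest on the same mechanics: an inline hook overwrites the first 5 bytes of the target with a relative jump, so the whole instructions occupying those bytes must be copied into a trampoline, and any relative call, jmp or jcc among them keeps its target only if its displacement is recomputed for the new address. The C program below is an added example, not mhook's own code: its length decoder covers only the handful of 32-bit prologue instructions named on this page (mhook uses the far more complete tDisasm-derived disassembler), and the names hook_plan, plan_hook, relocate_rel32 and prologue_is_detoured are mine. The DestroyCaret bytes are taken from the listing in the issue; the CreateCaret bytes are constructed from the MOV EAX,1032 mnemonic. The last function shows the defender's side of the same encoding: whether an exported function already begins with a jump out of its own module, which is the check userland hook scanners apply to ntdll/kernel32 exports.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not mhook's code): a length decoder for the few 32-bit
 * prologue instructions this page mentions. Anything else is reported as
 * unsupported, which is what a hook engine must do instead of guessing. */
typedef enum {
    INS_OTHER,     /* position independent: copied to the trampoline verbatim */
    INS_REL_CALL,  /* E8 rel32 */
    INS_REL_JMP,   /* E9 rel32 */
    INS_REL_JCC8,  /* 74/75 rel8 (je/jne) */
    INS_RET        /* C3 */
} ins_kind;

/* Returns the instruction length at p, or 0 if it is outside the subset. */
size_t decode_len(const uint8_t *p, size_t avail, ins_kind *kind)
{
    *kind = INS_OTHER;
    if (avail == 0) return 0;
    uint8_t op = p[0];
    if (op == 0x8B && avail >= 2 && (p[1] == 0xFF || p[1] == 0xEC)) return 2; /* mov edi,edi ; mov ebp,esp */
    if (op >= 0x50 && op <= 0x57) return 1;                                    /* push r32 */
    if (op == 0x6A && avail >= 2) return 2;                                    /* push imm8 */
    if (op == 0x68 && avail >= 5) return 5;                                    /* push imm32 */
    if (op >= 0xB8 && op <= 0xBF && avail >= 5) return 5;                      /* mov r32, imm32 */
    if (op == 0xE8 && avail >= 5) { *kind = INS_REL_CALL; return 5; }
    if (op == 0xE9 && avail >= 5) { *kind = INS_REL_JMP;  return 5; }
    if ((op == 0x74 || op == 0x75) && avail >= 2) { *kind = INS_REL_JCC8; return 2; }
    if (op == 0xC3) { *kind = INS_RET; return 1; }
    return 0;
}

#define PATCH_SIZE 5  /* the hook overwrites 5 bytes: E9 rel32 */

typedef struct {
    size_t bytes_to_relocate; /* whole instructions covering PATCH_SIZE; 0 = refused */
    int    rel_branches;      /* relative call/jmp/jcc among them: displacement fix-up needed */
    const char *reason;
} hook_plan;

/* Walk whole instructions until at least PATCH_SIZE bytes are covered. */
hook_plan plan_hook(const uint8_t *code, size_t len)
{
    hook_plan r = { 0, 0, "ok" };
    size_t off = 0;
    while (off < PATCH_SIZE) {
        ins_kind k = INS_OTHER;
        size_t n = off < len ? decode_len(code + off, len - off, &k) : 0;
        if (n == 0) { r.reason = "unsupported instruction or too few bytes"; return r; }
        if (k == INS_RET) { r.reason = "function ends before the patch does"; return r; }
        if (k != INS_OTHER) r.rel_branches++;
        off += n;
    }
    r.bytes_to_relocate = off;
    return r;
}

/* Absolute target of a 5-byte E8/E9 instruction located at ip. */
uint64_t rel32_target(uint64_t ip, const uint8_t *ins)
{
    int32_t disp;
    memcpy(&disp, ins + 1, sizeof disp);  /* little-endian rel32 */
    return ip + 5 + (uint64_t)(int64_t)disp;
}

/* Displacement for the same call/jmp after it is moved from old_ip to new_ip:
 * target = old_ip + 5 + disp, new_disp = target - (new_ip + 5).
 * Returns 0 on success, -1 if the target is no longer reachable with rel32
 * (x64 trampoline too far away): then the branch must be re-encoded as an
 * absolute one instead of being copied. */
int relocate_rel32(uint64_t old_ip, uint64_t new_ip, int32_t disp, int32_t *new_disp)
{
    int64_t target = (int64_t)(old_ip + 5) + disp;
    int64_t nd = target - (int64_t)(new_ip + 5);
    if (nd > INT32_MAX || nd < INT32_MIN) return -1;
    *new_disp = (int32_t)nd;
    return 0;
}

/* Defender's view of the same encoding: does the exported function already
 * begin with an E9 jump whose target lies outside its own module? */
int prologue_is_detoured(const uint8_t *code, size_t len, uint64_t ip,
                         uint64_t mod_start, uint64_t mod_end, uint64_t *target)
{
    if (len < 5 || code[0] != 0xE9) return 0;
    *target = rel32_target(ip, code);
    return (*target < mod_start || *target >= mod_end) ? 1 : 0;
}

/* Bytes from the DestroyCaret listing in the issue above (Windows 7 x86):
 * 759B38C7  6A 06         push 6
 * 759B38C9  E8 1F28FFFF   call 759A60ED
 * 759B38CE  C3            ret                                             */
static const uint8_t destroy_caret[] = { 0x6A, 0x06, 0xE8, 0x1F, 0x28, 0xFF, 0xFF, 0xC3 };
/* Constructed encoding of CreateCaret's "MOV EAX,1032"; the ret after it is made up. */
static const uint8_t create_caret[]  = { 0xB8, 0x32, 0x10, 0x00, 0x00, 0xC3 };

int main(void)
{
    hook_plan p = plan_hook(destroy_caret, sizeof destroy_caret);
    printf("DestroyCaret: relocate %zu bytes, %d relative branch(es) (%s)\n",
           p.bytes_to_relocate, p.rel_branches, p.reason);

    int32_t disp, nd;
    memcpy(&disp, destroy_caret + 3, sizeof disp);
    printf("call target 0x%llx\n", (unsigned long long)rel32_target(0x759B38C9ULL, destroy_caret + 2));
    if (relocate_rel32(0x759B38C9ULL, 0x75A00000ULL, disp, &nd) == 0)  /* trampoline address is constructed */
        printf("same call copied to 0x75A00000 needs disp %d\n", nd);

    hook_plan q = plan_hook(create_caret, sizeof create_caret);
    printf("CreateCaret: relocate %zu bytes, %d relative branch(es) (%s)\n",
           q.bytes_to_relocate, q.rel_branches, q.reason);
    return 0;
}
```

For DestroyCaret the plan covers 7 bytes (push 6 plus the call) with one relative branch to fix up, which is exactly the case the 2.5.1 "call in first 5 bytes" entry addresses; for CreateCaret the single 5-byte mov is enough and nothing needs fixing. Note that relocate_rel32 refusing a far target is the x64 failure mode: a trampoline allocated more than 2 GB from the original code cannot reuse a copied rel32 branch.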
  • 2 compiler errors when compiling with MingW on Windows and suggested fixes

    Hello Team,

    Just an FYI: in order to get this to compile with MinGW on Windows I had to make the following changes to mhook.c:

    Line 262:

    NTSTATUS(NTAPI PZwQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength );

    #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

    //remove this....
    static PZwQuerySystemInformation fnZwQuerySystemInformation = NULL;

    //put this instead
    static decltype(PZwQuerySystemInformation) *fnZwQuerySystemInformation=NULL;

    Line 762:

    fnZwQuerySystemInformation = (decltype(PZwQuerySystemInformation))((void)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation"));

    The error I was getting:

    c:\mhook-master>g++ mhook-lib\mhook.c disasm-lib\disasm.c disasm-lib\disasm_x86.c disasm-lib\cpu.c T:/hookdll/main.cpp -o t:/hookdll/mhooktest.dll -D_WIN32_WINNT=0x0502 -w -Wfatal-errors -fpermissive -shared
    mhook-lib\mhook.c:261:25: error: typedef 'PZwQuerySystemInformation' is initialized (use 'decltype' instead)
      261 | typedef NTSTATUS(NTAPI* PZwQuerySystemInformation)(

    c:\mhook-master>g++ mhook-lib\mhook.c disasm-lib\disasm.c disasm-lib\disasm_x86.c disasm-lib\cpu.c T:/hookdll/main.cpp -o t:/hookdll/mhooktest.dll -w -Wfatal-errors -fpermissive -shared
    mhook-lib\mhook.c: In function 'BOOL CreateProcessSnapshot(void**)':
    mhook-lib\mhook.c:762:115: error: cannot convert 'const wchar_t*' to 'LPCSTR' {aka 'const char*'}
      762 | fnZwQuerySystemInformation = (decltype(PZwQuerySystemInformation))((void)GetProcAddress(GetModuleHandle(L"ntdll.dll")....

    Compiler info:

    c:\mhook-master>g++ --version
    g++ (Rev10, Built by MSYS2 project) 11.2.0
    Copyright (C) 2021 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    Hope this helps

    Best Regards,

    -Avery T

    enhancement 
    opened by chr0meice2 3
  • Hooking at one specific address and calling the original function causes a crash.

    The original function before hook at one address is like this

    image

    I am hooking at one specific memory address as shown in the image below

    image

    The hook is set successfully and the hooking function gets called, but when it tries to call back the original (system) function it crashes. I tried to hook at a different address and it works. The different address where I successfully hooked and successfully called the original (system) function is shown in the images below.

    Before hook.

    image

    After hook.

    image

    The code for hooked function and calling the hook function is as follows.

    image

    Your help is much appreciated. Please help me if I am making any mistake.

    opened by kmramn 2
  • Supporting arm64 architecture

    Hello, I just found this article on the web: https://www.linux.com/training-tutorials/splice-hooking-unix-systems/ It seems that splice hooking supports the ARM architecture. Would you mind sharing how to support ARM in the Mhook library? I have a Kylin OS running on an ARM64 CPU, which has ftrace disabled, so I cannot use the ftrace hooking method described on the Apriorit website. Thanks!

    wontfix 
    opened by leochou0729 2
  • fixed from PVS-Studio

    V728 An excessive check can be simplified. The '(A && !B) || (!A && B)' expression is equivalent to the 'bool(A) != bool(B)' expression. disasm_x86.c 2160, 2202, 2297

    opened by SergiusTheBest 2
  • Convert mhook-lib source to plain C code

    While using this library, I noticed that the source code to mhook-lib did not really require any C++ features. With this PR, it should be a lot easier to link to mhook in a C library (perhaps to create bindings for external languages). In my case, I wanted to limit the inclusion of C++ code to keep the footprint of my code small.

    enhancement 
    opened by elizagamedev 1
  • Compilation-fix for VS 2019

    Windows assumes default alignment in their SDKs, so packing needs to be done after #include <windows.h> or after defining WINDOWS_IGNORE_PACKING_MISMATCH.

    opened by Convery 1
  • BlockAlloc: Try to allocate a block rather than returning null.

    Like the title implies, noticed that the library would fail in some contexts so copy/pasted the allocation as a fallback. May want to refactor it properly in the future.

    pinned 
    opened by Convery 9
  • Breaking on unsupported RIP-addressing?

    https://github.com/apriorit/mhook/blob/2238938ec54e88de16fe7282c8a0342278d4333a/mhook-lib/mhook.cpp#L1004-L1013

    In this, and the following two cases, the break can (and does in my tests) cause the hook installation to fail. I have personally removed them on my end and it works well. But what's the reasoning for breaking here?

    pinned 
    opened by Convery 9
Releases
  • 2.5.1 (Apr 3, 2018)
  • 2.5 (Mar 30, 2018)
  • v2.4 (Mar 30, 2018)
Owner
Apriorit Inc.
Consulting and development services in advanced software engineering