Windows user-land hooks manipulation tool.


  • Supports any x64/x86 Windows DLL (actually, any x64/x86 Windows PE for that matter)
  • 4 main features
    • Enumerates loaded modules in the target process (-l flag)
    • Finds user-land hooks in loaded modules (-s flag)
    • Unhooks specified modules (-u flag)
    • Re-hooks specified modules (-r flag)
  • Shows which function RVAs have been modified with byte-to-byte comparison (-v flag)
  • Cross-architecture support for the x64 variant.
  • Cautious mode: can unhook itself first before manipulating remote processes (-c flag)
  • Can target either all loaded modules within the target process or only those containing a specified string in their path (-m flag)
  • Lightweight: x64 and x86 binaries are only 18KB and 17KB respectively.
  • No Visual C++ Redistributable Packages (vcruntime140.dll) dependency. MineSweeper dynamically links to the following Windows core libraries present on every modern distribution: msvcrt.dll and kernel32.dll.

Command Line Reference

MineSweeper by @ars3n11
Usage:  MineSweeper.exe  [-c] [-l | -s | -u  | -r] [-t targetPID] [-v]
                        [-m moduleNameStringMatch] [-d hookDonorPID]
Modes available:
        -l      List Mode - List loaded modules by the target process (-t).
                Module name filter (-m) is available.
        -s      Sweep Mode - Sweep target PID (-t) for any user-land hooks.
                Module name filter (-m) is available.
        -u      Unhook Mode - Sweep and unhook target PID (-t) from any user-land hooks.
                Module name filter (-m) is available.
        -r      Re-hook Mode - Sweep hook donor PID (-d) for user-land hooks.
                If any hooks found - copy them over to our target PID (-t).
                Module name filter (-m) is available.
Safety modes:
        -c      Cautious Mode - Unhook the local process before proceeding with
                one of the chosen main modes.
        -t      Target PID. Will target the local process if not provided.
        -d      Hook donor PID (i.e.: the process that will be used to copy hooks FROM).
                Will set the local process as the hooks donor if not provided.
        -m      Filter string to be applied to the loaded module canonical path
                (e.g: \Device\HarddiskVolume3\Windows\System32\ntdll.dll).
                Will target all modules (same as "-m .dll") if not provided.
        -v      Verbose flag. Prints modified RVAs and their byte-to-byte comparison for each hooked function.
MineSweeper.exe: -l             List loaded modules in MineSweeper's own process.
MineSweeper.exe: -l -t 5476     List loaded modules in PID 5476.
MineSweeper.exe: -s             Sweep MineSweeper's local process for user-land hooks.
MineSweeper.exe: -s -v          Same as above but also print modified RVAs for each hooked function.
MineSweeper.exe: -s -t 5476     Sweep PID 5476 for user-land hooks.
MineSweeper.exe: -u -t 5476     Unhook PID 5476 from all user-land hooks.
MineSweeper.exe: -c -u -t 5476  Unhook PID 5476 from all user-land hooks. Run in Cautious mode (unhook
                                MineSweeper's own process before trying to unhook PID 5476).
MineSweeper.exe: -u -t 5476 -m ntdll.dll        Unhook PID 5476 from any hooks found in the ntdll.dll module.
MineSweeper.exe: -r -t 5476 -d 8156     Sweep PID 8156 for user-land hooks and copy over any discovered
                                        hooks into the matching modules in the PID 5476.
MineSweeper.exe: -c -r -t 5476 -d 8156  Same as above but run in Cautious mode (unhook MineSweeper's
                                        own process before doing anything else).


The x64 version of MineSweeper can enumerate and manipulate both x64 and x86 processes. This only applies to the x64 version, since a call to the EnumProcessModulesEx function from an x86 process returns x86 module handles only.

Cross-architecture support (MineSweeper build vs. target process architecture):

MineSweeper build   x86 target   x64 target
x86                 Yes          No
x64                 Yes          Yes


TLDR: nothing to worry about, you can clone the repo and go straight to compiling.

  • Imports a total of 28 functions from msvcrt.dll and kernel32.dll.
  • Links to msvcrt.dll to avoid Visual C++ Redistributable Packages (vcruntime140.dll) dependency.

Linking to msvcrt.dll

I wanted to link MineSweeper against msvcrt.dll in order to avoid the Visual C++ Redistributable Packages dependency for the C runtime. I first looked at Benjamin Delpy's approach used in Mimikatz. That looked too complex for the task at hand, and after a few more nights of research I came across Mahmoud Al-Qudsi's elegant msvcrt.lib project, which is what we are using here.

For convenience, I included the msvcrt.lib files in this project already so you don't need to pull them twice. They are located under libs/msvcrt/.


Download compiled binaries here.

Since opening 3rd party Visual Studio project files is mauvais ton these days, I'm providing command line compilation instructions below. The VS project files are also included in the repo, so that's always an option too.

Compiling in CLI

Step 1: Compile (make sure to use the right cl.exe for your target architecture!).

cl.exe /GS- /GL /W4 /O1 /nologo /Zl /Os /Oi /c /D "_UNICODE" /D "UNICODE" MineSweeper.c MineSweeperCore.c

Step 2: Link - x64:

link.exe /LTCG /ENTRY:"wmain_custom" /OPT:REF /SAFESEH:NO /SUBSYSTEM:CONSOLE /NODEFAULTLIB /MACHINE:X64 /OUT:"MineSweeper_cmd_compiled.exe" MineSweeper.obj MineSweeperCore.obj  libs\msvcrt\x64\msvcrt.lib kernel32.lib


Step 2: Link - x86:

link.exe /LTCG /ENTRY:"wmain_custom" /OPT:REF /SAFESEH:NO /SUBSYSTEM:CONSOLE /NODEFAULTLIB /MACHINE:x86 /OUT:"MineSweeper_cmd_compiled.exe" MineSweeper.obj MineSweeperCore.obj libs\msvcrt\x86\msvcrt.lib kernel32.lib


There are several cases in which MineSweeper will not be able to sweep a specified process module. Whenever it encounters one of the conditions listed below, MineSweeper notifies the user on stdout and skips the module.

  • A DLL without a .text section (e.g.: FileSync.Resources.dll and FileSync.LocalizedResources.dll loaded by OneDrive.exe).
  • Non-consecutively committed PE sections. The only example I have observed during my testing was kernel32.dll in an x86 process running on an x64 system, where the committed memory regions had reserved memory regions in between them, preventing the ReadProcessMemory function from reading the target module all at once.
  • Modules with large chunks of the .text section overwritten. In my testing I have come across several instances where random parts of a module's .text section were overwritten, resulting in a false positive. I was not able to explain this behavior since it was sporadic and affected different modules each time. Normally, a hooked module has less than 1% of its .text section modified, so that is the threshold MineSweeper checks for in order to avoid this condition.

How it Works

Below is a high-level overview of the unhooking (-u flag) workflow, which also invokes the module enumeration (-l flag) and hook sweeping (-s flag) functions.

  1. Enumerate target process modules via the EnumProcessModulesEx function.
  2. Identify modules of interest by their file name / path.
  3. [If targeting a remote process] Copy the remote process module over to our local process using ReadProcessMemory.
  4. Map a view of the module's file on disk using CreateFileMapping (PAGE_READONLY | SEC_IMAGE_NO_EXECUTE) and MapViewOfFile.
  5. Byte-to-byte comparison of the .text section of the DLL on disk against the DLL module loaded in the target process's memory. During this process, MineSweeper takes note of the original bytes present in the DLL on disk as well as the modified bytes identified in memory.
  6. [For the -l flag only] Cross-reference .text section differences to specific function ordinals in the PE EAT (portable executable export address table).
  7. Modify the memory permissions of the target module in the remote process to PAGE_EXECUTE_READWRITE using VirtualProtectEx in order to overwrite the hooks.
  8. Overwrite the hooks in the target module using WriteProcessMemory for a remote process, or simply by dereferencing the memory pointer for a local process (in order to avoid the WriteProcessMemory call).
  9. Restore the original memory permissions using VirtualProtectEx.
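The comparison and attribution logic of steps 5 and 6, as an added example written for this page (not MineSweeper's own code): it diffs a module's .text section as mapped from disk against the copy read from the target process, attributes each modified byte range to the exported function that owns it, and applies the "less than 1% of .text modified" guard from the limitations above. The export table, its RVAs and the 5-byte patch are constructed sample data, and the Windows-specific steps (EnumProcessModulesEx, ReadProcessMemory, CreateFileMapping) are left out so the block builds on any platform.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
enum { TEXT_RVA = 0x1000, TEXT_SIZE = 4096 };   /* constructed .text RVA and size */
typedef struct { const char *name; uint32_t rva, size; } Export;
typedef struct { const char *func; uint32_t rva; size_t off, len; } Hook;
/* Constructed export table standing in for a real EAT (made-up RVAs and sizes). */
static const Export g_exports[] = {
    { "NtAllocateVirtualMemory", 0x1000, 0x40 },
    { "NtProtectVirtualMemory",  0x1040, 0x40 },
    { "NtWriteVirtualMemory",    0x1080, 0x40 },
};
#define NEXPORTS (sizeof g_exports / sizeof g_exports[0])
static int export_index(uint32_t rva) {            /* export owning this RVA, or -1 */
    for (size_t i = 0; i < NEXPORTS; i++)
        if (rva >= g_exports[i].rva && rva < g_exports[i].rva + g_exports[i].size) return (int)i;
    return -1;
}
/* Steps 5-6: diff .text from disk against .text read from the process, group differing
 * bytes by owning export (new record on a new export or after a gap of >16 bytes) and
 * apply the "<1% modified" guard. Returns hook count, or -1 if the section is untrusted. */
int sweep_text(const uint8_t *disk, const uint8_t *mem, size_t n, Hook *out, int max) {
    size_t differing = 0, last = 0; int count = 0, cur = -2;
    for (size_t i = 0; i < n; i++) {
        if (disk[i] == mem[i]) continue;
        int ex = export_index(TEXT_RVA + (uint32_t)i);
        if (count == 0 || ex != cur || i - last > 16) {
            if (count < max) out[count] = (Hook){ ex < 0 ? "<no export>" : g_exports[ex].name, TEXT_RVA + (uint32_t)i, i, 0 };
            count++; cur = ex;
        }
        if (count <= max) out[count - 1].len = i + 1 - out[count - 1].off;
        differing++; last = i + 1;
    }
    return differing * 100 > n ? -1 : count;
}
/* Constructed sample: identical filler in both copies, a 5-byte jump-shaped patch at
 * NtProtectVirtualMemory in the memory copy, plus `bulk` bytes clobbered at 0x200
 * to exercise the 1% guard (bulk = 0 leaves only the single hook). */
static uint8_t g_disk[TEXT_SIZE], g_mem[TEXT_SIZE];
Hook g_hooks[8];
int demo_sweep(size_t bulk) {
    for (size_t i = 0; i < TEXT_SIZE; i++) g_disk[i] = g_mem[i] = (uint8_t)(0x90 + i % 7);
    memcpy(g_mem + 0x40, "\xE9\x11\x22\x33\x44", 5); memset(g_mem + 0x200, 0xCC, bulk);
    int n = sweep_text(g_disk, g_mem, TEXT_SIZE, g_hooks, 8);
    for (int k = 0; k < n && k < 8; k++) {          /* -v style byte-to-byte view */
        printf("%s RVA 0x%x:", g_hooks[k].func, g_hooks[k].rva);
        for (size_t b = 0; b < g_hooks[k].len; b++) printf(" %02x->%02x", g_disk[g_hooks[k].off + b], g_mem[g_hooks[k].off + b]);
        puts("");
    }
    return n;
}
```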

OpSec Considerations

MineSweeper currently possesses a very limited set of evasion techniques. The primary goal of the project was to do the heavy lifting required for hook detection across as many DLLs as possible on a modern Windows system.

Nonetheless, in my testing it was working fine (enumerating hooks and unhooking remote process modules) on systems with cutting-edge enterprise EDRs. This was true as long as MineSweeper's Cautious mode (-c flag) was on.

Below is a short list of MineSweeper's opsec features:

  • The Cautious mode (-c flag) will unhook MineSweeper's own process first before attempting to manipulate a remote process.
  • Creating on-disk file mapping is done with PAGE_READONLY | SEC_IMAGE_NO_EXECUTE permissions in order "to avoid triggering multiple image load events". Shout out to @slaeryan for the tip.
  • Overwriting local process hooks is done by memory address pointer dereference to avoid calling WriteProcessMemory function.

Use Cases

While this project was initially conceived as a learning opportunity for the Windows API, C and the PE format, there are a couple of opportunities for practical application of the project:

  • For Blue Team to test their tooling and telemetry against various user-land unhooking techniques.
  • For Red Team for situational awareness on a target system.


  • If a target process crashes after unhooking or re-hooking, try enabling Cautious mode (-c flag).


MineSweeper Demo

Issues

  • potential infinite loop (opened by babama-dev)

    Hey, you have a potential infinite loop in here.

    If memcmpCustom returns 0 (e.g. when the first bytes of array s1 and array s2 are not equal), you will end up looping endlessly. In order to fix that, you could add a check that if memcmpResult == 0, increment it by one.
Arsenii Pustovit
All things red team. 🇨🇦