{"id":43732655,"url":"https://github.com/capesandbox/capemon-hook-generator","last_synced_at":"2026-02-05T10:31:03.554Z","repository":{"id":80507017,"uuid":"584831233","full_name":"CAPESandbox/capemon-hook-generator","owner":"CAPESandbox","description":"CAPEv2 (capemon) hook skeleton generator (hookdefs) for your malware analysis needs.","archived":false,"fork":false,"pushed_at":"2024-12-16T12:25:13.000Z","size":4017,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-04T20:50:29.530Z","etag":null,"topics":["api","apihook","apihooking","cape","capesandbox","capev2","hook","hooking","hooks","malware","malware-analysis","malware-detection","malware-research","malware-samples","sandbox","windows","windowsapi"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CAPESandbox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-01-03T16:17:42.000Z","updated_at":"2024-12-22T07:29:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"bcb34c4f-dcd5-45cf-8c81-4c4836dc3b4b","html_url":"https://github.com/CAPESandbox/capemon-hook-generator","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/CAPESandbox/capemon-hook-generator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CAPESandbox%2Fcapemon-hook-generator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/CAPESandbox%2Fcapemon-hook-generator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CAPESandbox%2Fcapemon-hook-generator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CAPESandbox%2Fcapemon-hook-generator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CAPESandbox","download_url":"https://codeload.github.com/CAPESandbox/capemon-hook-generator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CAPESandbox%2Fcapemon-hook-generator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29119232,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-05T09:40:36.738Z","status":"ssl_error","status_checked_at":"2026-02-05T09:36:49.977Z","response_time":65,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","apihook","apihooking","cape","capesandbox","capev2","hook","hooking","hooks","malware","malware-analysis","malware-detection","malware-research","malware-samples","sandbox","windows","windowsapi"],"created_at":"2026-02-05T10:31:02.874Z","updated_at":"2026-02-05T10:31:03.548Z","avatar_url":"https://github.com/CAPESandbox.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CAPEv2 (capemon) hook(s) generator\n\nThis script automatically generates new hooks 
(hookdefs) for capemon, the CAPEv2 monitor. The hooks are generated according to the info specified in [this repo](https://github.com/reverseame/capemon?tab=readme-ov-file#how-to-add-hooks-to-capemon) (now included in the official [CAPE](https://github.com/kevoreilly/capemon?tab=readme-ov-file#how-to-add-hooks-to-capemon) repo). Please bear in mind that the generated files are just skeletons to help you define new hooks; you must adapt them according to your needs.\n\n## Usage\n\nThe script requires close to zero configuration. If you want it to Google for the APIs not present in the downloaded `winapi_categories.json` file, just specify your Google API and Google CSE keys in the `config.ini` file.\n\nRun `python3 generate_hooks.py -h` to print more information.\n\n## How does it work?\nThe script performs the following steps:\n\n1. Checks whether API keys have been specified in `config.ini` to determine whether Google search is enabled.\n2. Checks whether the [`winapi_categories.json`](https://github.com/reverseame/winapi-categories) file is present in the current directory. If it isn't, the script downloads it.\n3. Checks whether the original [`hooks.c`](https://github.com/kevoreilly/capemon) file is present in the current directory. If it isn't, the script downloads it.\n4. Parses `hooks.c` to get the APIs already hooked by CAPEv2.\n5. Creates the skeleton files extended_hooks.c, extended_hooks.h and extended_hook_misc.c.\n6. If `--dll` is specified, parses each path, extracts its EAT (export address table) and jumps to step 8.\n7. If `--api` is specified, parses each API call.\n8. For every API call, checks whether it is already present in `hooks.c`. If it isn't, tries to generate its hook skeleton.\n9. Checks whether the API call is present in `winapi_categories.json`. If it is, reads its data, writes the files and goes back to step 8 with the next API call.\n10. If Google search is enabled, Googles for it in `site:learn.microsoft.com`. 
Scrapes the first result (we assume it is the correct one), parses the data and goes back to step 8 with the next API call. If there are no Google results, goes back to step 8 with the next API call.\n\n## Example\nLet's say you have already configured your keys in the `config.ini` file (so the script uses Google to scrape learn.microsoft.com for the entries not present in the JSON file) and you want to generate capemon hook skeletons for the following APIs: CloseHandle, Process32First, Process32Next, ExitProcess, GetProcAddress, GetModuleHandleA, GetModuleHandleW, Sleep, CreateMutexA, CreateMutexW, GetVolumeInformationA and GetVolumeInformationW. You would run the script like so:\n\n```\npython3 generate_hooks.py --api CloseHandle,Process32First,Process32Next,ExitProcess,GetProcAddress,GetModuleHandleA,GetModuleHandleW,Sleep,CreateMutexA,CreateMutexW,GetVolumeInformationA,GetVolumeInformationW\n```\n\nThe script produces three files, namely extended_hooks.c, extended_hooks.h and extended_hook_misc.c, with the following contents:\n\n### extended_hooks.c example\n```c\n/*\n\tFile autogenerated by capemon hook generator (https://github.com/RazviOverflow/cape-hook-generator)\n\tThe contents of this file can be appended to any array present in your local hooks.c.\n\tFor example, hook_t full_hooks[].\n*/\n\nHOOK(kernel32, CloseHandle),\nHOOK(kernel32, Process32First),\nHOOK(kernel32, Process32Next),\nHOOK(kernel32, ExitProcess),\nHOOK(kernel32, GetProcAddress),\nHOOK(kernel32, GetModuleHandleA),\nHOOK(kernel32, GetModuleHandleW),\nHOOK(kernel32, Sleep),\nHOOK(kernel32, CreateMutexA),\nHOOK(kernel32, CreateMutexW),\nHOOK(kernel32, GetVolumeInformationA),\nHOOK(kernel32, GetVolumeInformationW),\n```\n\n### extended_hooks.h example\n```c\n/*\n\tFile autogenerated by capemon hook generator (https://github.com/RazviOverflow/cape-hook-generator)\n\tThe contents of this file can be appended to your local hooks.h\n\tWINAPI calling convention is assumed, but it might be 
incorrect!\n*/\n\nHOOKDEF(BOOL, WINAPI, CloseHandle,\n\t_In_ HANDLE hObject\n);\n\nHOOKDEF(BOOL, WINAPI, Process32First,\n\t_In_ HANDLE hSnapshot,\n\t_Inout_ LPPROCESSENTRY32 lppe\n);\n\nHOOKDEF(BOOL, WINAPI, Process32Next,\n\t_In_ HANDLE hSnapshot,\n\t_Out_ LPPROCESSENTRY32 lppe\n);\n\nHOOKDEF(VOID, WINAPI, ExitProcess,\n\t_In_ UINT uExitCode\n);\n\nHOOKDEF(FARPROC, WINAPI, GetProcAddress,\n\t_In_ HMODULE hModule,\n\t_In_ LPCSTR lpProcName\n);\n\nHOOKDEF(HMODULE, WINAPI, GetModuleHandleA,\n\t_In_opt_ LPCSTR lpModuleName\n);\n\nHOOKDEF(HMODULE, WINAPI, GetModuleHandleW,\n\t_In_opt_ LPCWSTR lpModuleName\n);\n\nHOOKDEF(VOID, WINAPI, Sleep,\n\t_In_ DWORD dwMilliseconds\n);\n\nHOOKDEF(HANDLE, WINAPI, CreateMutexA,\n\t_In_opt_ LPSECURITY_ATTRIBUTES lpMutexAttributes,\n  _In_           BOOL                  bInitialOwner,\n  _In_opt_ LPCSTR                lpName\n);\n\nHOOKDEF(HANDLE, WINAPI, CreateMutexW,\n\t_In_opt_ LPSECURITY_ATTRIBUTES lpMutexAttributes,\n  _In_           BOOL                  bInitialOwner,\n  _In_opt_ LPCWSTR               lpName\n);\n\nHOOKDEF(BOOL, WINAPI, GetVolumeInformationA,\n\t_In_opt_  LPCSTR  lpRootPathName,\n  _Out_opt_ LPSTR   lpVolumeNameBuffer,\n  _In_            DWORD   nVolumeNameSize,\n  _Out_opt_ LPDWORD lpVolumeSerialNumber,\n  _Out_opt_ LPDWORD lpMaximumComponentLength,\n  _Out_opt_ LPDWORD lpFileSystemFlags,\n  _Out_opt_ LPSTR   lpFileSystemNameBuffer,\n  _In_            DWORD   nFileSystemNameSize\n);\n\nHOOKDEF(BOOL, WINAPI, GetVolumeInformationW,\n\t_In_opt_  LPCWSTR lpRootPathName,\n  _Out_opt_ LPWSTR  lpVolumeNameBuffer,\n  _In_            DWORD   nVolumeNameSize,\n  _Out_opt_ LPDWORD lpVolumeSerialNumber,\n  _Out_opt_ LPDWORD lpMaximumComponentLength,\n  _Out_opt_ LPDWORD lpFileSystemFlags,\n  _Out_opt_ LPWSTR  lpFileSystemNameBuffer,\n  _In_            DWORD   nFileSystemNameSize\n);\n```\n\n### extended_hook_misc.c example\n```c\n/*\n\tFile autogenerated by capemon hook generator 
(https://github.com/RazviOverflow/cape-hook-generator)\n\tThe contents of this file can be appended to your local hook_{{category}}.c they belong.\n\tWINAPI calling convention is assumed, but it might be incorrect!\n*/\n\nHOOKDEF(BOOL, WINAPI, CloseHandle,\n\t_In_ HANDLE hObject\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked CloseHandle\\n\");\n\tBOOL ret = Old_CloseHandle(hObject);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(BOOL, WINAPI, Process32First,\n\t_In_ HANDLE hSnapshot,\n\t_Inout_ LPPROCESSENTRY32 lppe\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked Process32First\\n\");\n\tBOOL ret = Old_Process32First(hSnapshot,lppe);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(BOOL, WINAPI, Process32Next,\n\t_In_ HANDLE hSnapshot,\n\t_Out_ LPPROCESSENTRY32 lppe\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked Process32Next\\n\");\n\tBOOL ret = Old_Process32Next(hSnapshot,lppe);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(VOID, WINAPI, ExitProcess,\n\t_In_ UINT uExitCode\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked ExitProcess\\n\");\n\tOld_ExitProcess(uExitCode);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n}\n\nHOOKDEF(FARPROC, WINAPI, GetProcAddress,\n\t_In_ HMODULE hModule,\n\t_In_ LPCSTR lpProcName\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked GetProcAddress\\n\");\n\tFARPROC ret = Old_GetProcAddress(hModule,lpProcName);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(HMODULE, WINAPI, GetModuleHandleA,\n\t_In_opt_ LPCSTR 
lpModuleName\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked GetModuleHandleA\\n\");\n\tHMODULE ret = Old_GetModuleHandleA(lpModuleName);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(HMODULE, WINAPI, GetModuleHandleW,\n\t_In_opt_ LPCWSTR lpModuleName\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked GetModuleHandleW\\n\");\n\tHMODULE ret = Old_GetModuleHandleW(lpModuleName);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(VOID, WINAPI, Sleep,\n\t_In_ DWORD dwMilliseconds\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked Sleep\\n\");\n\tOld_Sleep(dwMilliseconds);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n}\n\nHOOKDEF(HANDLE, WINAPI, CreateMutexA,\n\t_In_opt_ LPSECURITY_ATTRIBUTES lpMutexAttributes,\n  _In_           BOOL                  bInitialOwner,\n  _In_opt_ LPCSTR                lpName\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked CreateMutexA\\n\");\n\tHANDLE ret = Old_CreateMutexA(lpMutexAttributes,bInitialOwner,lpName);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(HANDLE, WINAPI, CreateMutexW,\n\t_In_opt_ LPSECURITY_ATTRIBUTES lpMutexAttributes,\n  _In_           BOOL                  bInitialOwner,\n  _In_opt_ LPCWSTR               lpName\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked CreateMutexW\\n\");\n\tHANDLE ret = Old_CreateMutexW(lpMutexAttributes,bInitialOwner,lpName);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(BOOL, WINAPI, GetVolumeInformationA,\n\t_In_opt_  LPCSTR  lpRootPathName,\n  _Out_opt_ LPSTR   
lpVolumeNameBuffer,\n  _In_            DWORD   nVolumeNameSize,\n  _Out_opt_ LPDWORD lpVolumeSerialNumber,\n  _Out_opt_ LPDWORD lpMaximumComponentLength,\n  _Out_opt_ LPDWORD lpFileSystemFlags,\n  _Out_opt_ LPSTR   lpFileSystemNameBuffer,\n  _In_            DWORD   nFileSystemNameSize\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked GetVolumeInformationA\\n\");\n\tBOOL ret = Old_GetVolumeInformationA(lpRootPathName,lpVolumeNameBuffer,nVolumeNameSize,lpVolumeSerialNumber,lpMaximumComponentLength,lpFileSystemFlags,lpFileSystemNameBuffer,nFileSystemNameSize);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n\nHOOKDEF(BOOL, WINAPI, GetVolumeInformationW,\n\t_In_opt_  LPCWSTR lpRootPathName,\n  _Out_opt_ LPWSTR  lpVolumeNameBuffer,\n  _In_            DWORD   nVolumeNameSize,\n  _Out_opt_ LPDWORD lpVolumeSerialNumber,\n  _Out_opt_ LPDWORD lpMaximumComponentLength,\n  _Out_opt_ LPDWORD lpFileSystemFlags,\n  _Out_opt_ LPWSTR  lpFileSystemNameBuffer,\n  _In_            DWORD   nFileSystemNameSize\n){\n\tDebuggerOutput(\"[***** DEBUG MESSAGE - EXTENDED HOOKS *****] Hooked GetVolumeInformationW\\n\");\n\tBOOL ret = Old_GetVolumeInformationW(lpRootPathName,lpVolumeNameBuffer,nVolumeNameSize,lpVolumeSerialNumber,lpMaximumComponentLength,lpFileSystemFlags,lpFileSystemNameBuffer,nFileSystemNameSize);\n\tLOQ_bool(\"misc\", \"\"); // Modify category, LOQ_ function and log message according to your needs\n\treturn ret;\n}\n```\n## Limitations\nThe script requires an internet connection to be able to download both the `winapi_categories.json` and `hooks.c` files, and also to use Google (in case it is configured).\n\nAnother limitation is the quota / search rate imposed by Google. As of right now, the Google CSE (Custom Search Engine) API limits automated use to 100 searches per day.\n\n**WINAPI** calling convention is assumed. 
Modify the autogenerated files as needed.\n\n## Acknowledgments\nThanks to [Kevin O'Reilly](https://github.com/kevoreilly) and [Andriy Brukhovetskyy (a.k.a. doomedraven)](https://github.com/doomedraven).\n\n## Comments\n- Changes to `config.ini` are omitted from version control with `git update-index --skip-worktree config.ini`.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcapesandbox%2Fcapemon-hook-generator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcapesandbox%2Fcapemon-hook-generator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcapesandbox%2Fcapemon-hook-generator/lists"}