# LogSyscall

Repository: [dk0m/LogSyscall](https://github.com/dk0m/LogSyscall) (owner: dk0m; language: C++; license: MIT; topics: hooking, malware, malware-analysis, reverse-engineering, windows; created 2025-05-04, last pushed 2025-05-04).

Windows x64 System Call Instrumentation Engine using Instrumentation Callbacks (ICs).

## Explanation

LogSyscall allows you to instrument/hook system calls before they are executed.

It detects transitions from kernel mode (KM) to user mode (UM) using [Instrumentation Callbacks](https://github.com/Deputation/instrumentation_callbacks). Because the callback provides the return address of the transition, a software breakpoint can be placed on the ``syscall`` instruction of the stub.

Before the instrumentation callback is registered, a [Vectored Exception Handler](https://learn.microsoft.com/en-us/windows/win32/debug/vectored-exception-handling/) is set up so that the breakpoint exceptions it raises can be caught.

The hook function supplied by the user is run by the exception handler, which passes it the CPU ``CONTEXT`` structure and an address pointing to the syscall stub epilogue. The hook uses that address (via ``engine::proceed``) to execute the system call once instrumentation is done.

This allows any system call to be logged, monitored, or have its arguments modified before it is executed.

## Code Examples

### SimpleHook | Hooking ZwOpenProcess & Modifying Access Mask
```cpp
engine::addHook("ZwOpenProcess", [](PCONTEXT pCtx, PVOID syscallRet) {
    // Read the syscall arguments from the captured CPU context.
    auto pHandle    = engine::getParam1<PHANDLE>(pCtx);
    auto accessMask = engine::getParam2<ACCESS_MASK>(pCtx);
    auto objAttrs   = engine::getParam3<POBJECT_ATTRIBUTES>(pCtx);
    auto clientId   = engine::getParam4<CLIENT_ID*>(pCtx);

    printf("[*] Detected ZwOpenProcess Call..\n");

    // Strip PROCESS_TERMINATE from the requested access mask before the call runs.
    if (hasFlag(accessMask, PROCESS_TERMINATE)) {
        printf("[*] Found PROCESS_TERMINATE Flag, Removing it..\n");
        accessMask &= ~PROCESS_TERMINATE;

        engine::setParam2<ACCESS_MASK>(pCtx, accessMask);
    }

    // Resume at the syscall stub epilogue so the (modified) call is performed.
    engine::proceed(pCtx, syscallRet);
});
```

### SuspiciousCall | Detecting Direct NTAPI Invocation
```cpp
engine::addHook("ZwAllocateVirtualMemory", [](PCONTEXT pCtx, PVOID syscallRet) {
    // Flag calls that bypassed the documented Win32 API layer.
    if (engine::detection::isDirectlyCalled(pCtx)) {
        auto procHandle  = engine::getParam1<HANDLE>(pCtx);
        auto baseAddress = engine::getParam2<PVOID*>(pCtx);
        auto pSize       = engine::getParam4<PSIZE_T>(pCtx);
        auto allocType   = engine::getParam5<ULONG>(pCtx);
        auto protection  = engine::getParam6<ULONG>(pCtx);

        printf("[!] Detected Suspicious ZwAllocateVirtualMemory Call (NTAPI / Direct Syscall / Indirect Syscall)\n");
    }

    engine::proceed(pCtx, syscallRet);
});
```

### DirectSyscall | Detecting Direct Syscall Invocation
```cpp
engine::addHook("ZwCreateThreadEx", [](PCONTEXT pCtx, PVOID syscallRet) {
    // Only act when the syscall instruction was executed outside ntdll.
    if (engine::detection::isDirectSyscall(pCtx)) {
        auto pThread     = engine::getParam1<PHANDLE>(pCtx);
        auto accessMask  = engine::getParam2<ACCESS_MASK>(pCtx);
        auto procHandle  = engine::getParam4<HANDLE>(pCtx);
        auto procAddress = engine::getParam5<PVOID>(pCtx);
        auto argument    = engine::getParam6<PVOID>(pCtx);

        printf("[!] Detected ZwCreateThreadEx Direct Syscall..\n");

        // Replace the thread's start argument before the call executes.
        engine::setParam6<const char*>(pCtx, "Hooked Argument!");
    }

    engine::proceed(pCtx, syscallRet);
});
```

## Usage
```
LogSyscall.exe <EXAMPLE_NAME>
```

## Usage Example
Running the ``DirectSyscall`` example:
```
$ LogSyscall.exe DirectSyscall
[*] Running [Direct System Call] Example..
[DemoFunction] Message: Hello!
Press any Key to Proceed.

[VEH] Calling Hook for Function 'ZwCreateThreadEx'
        Syscall Service Number: 199
[!] Detected ZwCreateThreadEx Direct Syscall..
        PThread: 0x000000F09758FB68
        Access Mask: 2097151
        Process Id: 61220
        Procedure Address: 0x00007FF791171410
        Argument: 0x00007FF7911745C8
[DemoFunction] Message: Hooked Argument!
```

## Todo
- Allow for detecting indirect system calls
- Allow for hooking ``ZwProtectVirtualMemory``
- Implement thread safety
- Implement post-syscall hooks

## Limitations & Issues
- ``ZwClose`` hooks throw an error with status code ``STATUS_STACK_BUFFER_OVERRUN``
- Can't hook ``ZwProtectVirtualMemory``

## Credits
[Instrumentation Callbacks](https://github.com/Deputation/instrumentation_callbacks) by [Deputation](https://github.com/Deputation/).