{"id":29631861,"url":"https://github.com/e-gleba/win-kernel-hooks","last_synced_at":"2025-07-21T12:03:57.560Z","repository":{"id":272761950,"uuid":"917672694","full_name":"e-gleba/win-kernel-hooks","owner":"e-gleba","description":"The repository contains a sophisticated Windows API hooking library written in modern C++23","archived":false,"fork":false,"pushed_at":"2025-07-05T21:22:43.000Z","size":142,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-05T22:18:40.398Z","etag":null,"topics":["hacking","hooks","kernel-methods","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/e-gleba.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"license","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-01-16T12:41:49.000Z","updated_at":"2025-07-05T21:19:22.000Z","dependencies_parsed_at":"2025-01-16T14:18:17.844Z","dependency_job_id":"fdb2dc86-d0cd-4203-84ce-999293114b40","html_url":"https://github.com/e-gleba/win-kernel-hooks","commit_stats":null,"previous_names":["geugenm/win-kernel-hooks","e-gleba/win-kernel-hooks"],"tags_count":0,"template":false,"template_full_name":"e-gleba/template-cpp-project","purl":"pkg:github/e-gleba/win-kernel-hooks","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-gleba%2Fwin-kernel-hooks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-gleba%2Fwin-kernel-hooks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/e-gleba%2Fwin-kernel-hooks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-gleba%2Fwin-kernel-hooks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/e-gleba","download_url":"https://codeload.github.com/e-gleba/win-kernel-hooks/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-gleba%2Fwin-kernel-hooks/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266296807,"owners_count":23907013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-21T11:47:31.412Z","response_time":64,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacking","hooks","kernel-methods","windows"],"created_at":"2025-07-21T12:03:56.922Z","updated_at":"2025-07-21T12:03:57.552Z","avatar_url":"https://github.com/e-gleba.png","language":"C++","readme":"# Windows Kernel Hooks - Memory Protection \u0026 API Interception Library\n\nA modern C++23 Windows memory protection library implementing API hooking techniques to intercept and monitor critical system calls. This project provides runtime protection against memory manipulation and process enumeration through strategic API hooking.\n\n## Overview\n\n**win-kernel-hooks** is a sophisticated DLL-based hooking framework designed to protect Windows applications from external memory manipulation and unauthorized process access. 
The library intercepts critical Win32 API calls using inline hooking techniques, providing real-time monitoring and blocking capabilities for security-sensitive operations.\n\n### Core Functionality\n\nThe library implements a **trampoline-based hooking mechanism** that redirects API calls to custom handlers, enabling:\n\n- **Memory Protection**: Blocks unauthorized `ReadProcessMemory` and `WriteProcessMemory` operations\n- **Process Enumeration Defense**: Prevents `CreateToolhelp32Snapshot` from revealing process information\n- **Library Loading Monitoring**: Tracks `LoadLibraryA/W` and `FreeLibrary` calls with detailed logging\n- **Real-time Debugging**: Provides comprehensive stack trace analysis and timestamped logging\n\n## Architecture\n\n### Hook Implementation Details\n\nThe core hooking mechanism operates through **5-byte JMP instruction patching**:\n\n```cpp\n// Hook Structure (from hooks.hxx)\nstruct sys_hook final {\n    std::array<std::uint8_t, 5> original_bytes{};  // Backup of the 5 original bytes overwritten by the JMP\n    void* target_func{};                           // Function to hook\n    void* hook_func{};                             // Our replacement function\n    std::string name;                              // Hook identifier\n};\n```\n\n**Memory Layout Transformation:**\n\n```\nBefore Hook:                    After Hook:\n┌─────────────────┐            ┌─────────────────┐\n│ Target Func     │            │ Target Func     │\n│ Original bytes  │    ───→    │ JMP hook_addr   │ ←─ 5-byte jump injection\n│ (5 bytes)       │            │ (E9 xx xx..)    
│\n└─────────────────┘            └─────────────────┘\n```\n\n### Protected API Functions\n\n| API Function               | Protection Type | Behavior                                                     |\n| -------------------------- | --------------- | ------------------------------------------------------------ |\n| `ReadProcessMemory`        | **BLOCK**       | Returns `ERROR_ACCESS_DENIED`, logs attempt with stack trace |\n| `WriteProcessMemory`       | **BLOCK**       | Returns `ERROR_ACCESS_DENIED`, logs attempt with hex preview |\n| `CreateToolhelp32Snapshot` | **BLOCK**       | Returns `INVALID_HANDLE_VALUE`, prevents process enumeration |\n| `LoadLibraryA/W`           | **MONITOR**     | Allows operation, logs library path and stack trace          |\n| `FreeLibrary`              | **MONITOR**     | Allows operation, logs module handle                         |\n\n## Technical Implementation\n\n### Hook Installation Process\n\nThe library employs a sophisticated memory patching technique:\n\n```cpp\n// Simplified hook installation logic\nbool install_hook(void* target, void* hook, const std::string\u0026 name) {\n    DWORD old_protect{};\n    std::array<std::uint8_t, 5> original_bytes{};  // kept so the hook can be removed later\n\n    // 1. Change memory protection to allow writing\n    if (!VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, \u0026old_protect)) {\n        return false;\n    }\n\n    // 2. Backup original 5 bytes\n    std::memcpy(original_bytes.data(), target, 5);\n\n    // 3. Calculate relative offset for JMP instruction (measured from the end of the 5-byte JMP)\n    auto relative_offset = reinterpret_cast<std::intptr_t>(hook) -\n                          (reinterpret_cast<std::intptr_t>(target) + 5);\n    // On x64 the hook must lie within a signed 32-bit displacement of the target\n    auto rel32 = static_cast<std::int32_t>(relative_offset);\n\n    // 4. Write JMP instruction (E9 + 4-byte offset)\n    uint8_t jump[5] = {0xE9};\n    std::memcpy(jump + 1, \u0026rel32, 4);\n    std::memcpy(target, jump, 5);\n\n    // 5. 
Restore original memory protection and make the patched bytes visible to the instruction fetch\n    VirtualProtect(target, 5, old_protect, \u0026old_protect);\n    FlushInstructionCache(GetCurrentProcess(), target, 5);\n    return true;\n}\n```\n\n### Logging \u0026 Debugging Features\n\nThe library provides extensive debugging capabilities:\n\n- **Timestamped Logging**: All operations logged with high-precision timestamps\n- **Stack Trace Analysis**: Automatic stack unwinding using C++23 `std::stacktrace`\n- **Hex Data Preview**: Memory write attempts show hex dump of target data\n- **Process Context**: Logs include process handles, PIDs, and memory addresses\n\n## Build \u0026 Usage\n\n### Prerequisites\n\n- **Compiler**: C++23-compatible compiler (MSVC 2022, Clang 15+, GCC 12+)\n- **Build System**: CMake 3.26+\n- **Platform**: Windows (x86/x64)\n- **Runtime**: Visual C++ Redistributable\n\n### Build Instructions\n\n```bash\n# Clone repository\ngit clone https://github.com/e-gleba/win-kernel-hooks.git\ncd win-kernel-hooks\n\n# Configure build\ncmake --preset=release .\n\n# Build project\ncd build/release\ncmake --build . 
--config release\n```\n\n### Build Targets\n\nThe CMake configuration produces:\n\n- **`hooks`** - Static library containing core hooking functionality\n- **`dll_main`** - Shared library (DLL) for injection into target processes\n\n### Integration Example\n\n```cpp\n// Load the hook DLL into the process that should be protected (here: the current process)\nHMODULE hook_dll = LoadLibraryW(L\"dll_main.dll\");\nif (hook_dll) {\n    // Hooks are automatically installed via DLL_PROCESS_ATTACH\n    // Memory protection is now active\n}\n\n// Manual cleanup (optional - automatic on process exit)\nif (hook_dll) {\n    FreeLibrary(hook_dll);  // Triggers DLL_PROCESS_DETACH cleanup\n}\n```\n\n## Security Considerations\n\n### Protection Scope\n\nThis library provides **user-mode protection** against:\n\n- ✅ External process memory manipulation\n- ✅ Unauthorized process enumeration\n- ✅ Suspicious library injection attempts\n- ✅ Memory scanning tools and debuggers\n\n### Limitations\n\n- ❌ **Kernel-mode bypass**: Advanced rootkits can circumvent user-mode hooks\n- ❌ **Direct syscalls**: Applications using `ntdll` syscalls directly\n- ❌ **Hardware debugging**: JTAG, hardware breakpoints remain effective\n- ❌ **Hypervisor attacks**: VM-level manipulation can bypass all protections\n\n## References\n\nThe implementation draws from established Windows internals knowledge and hooking techniques documented in security research. The C++23 stack trace functionality leverages modern compiler features for enhanced debugging capabilities.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fe-gleba%2Fwin-kernel-hooks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fe-gleba%2Fwin-kernel-hooks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fe-gleba%2Fwin-kernel-hooks/lists"}