{"id":20074027,"url":"https://github.com/ezforever/pedoll","last_synced_at":"2025-05-05T21:31:13.544Z","repository":{"id":114511342,"uuid":"233338985","full_name":"EZForever/PEDoll","owner":"EZForever","description":"Program behavior analyzer for Win32/Win64.","archived":false,"fork":false,"pushed_at":"2020-09-21T12:56:13.000Z","size":462,"stargazers_count":43,"open_issues_count":0,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-09T04:25:48.415Z","etag":null,"topics":["analyzer","api-hook","api-hooking","dynamic-analysis","inline-hook","x64"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EZForever.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-12T04:40:36.000Z","updated_at":"2024-09-19T22:21:58.000Z","dependencies_parsed_at":"2023-05-17T14:15:08.601Z","dependency_job_id":null,"html_url":"https://github.com/EZForever/PEDoll","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EZForever%2FPEDoll","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EZForever%2FPEDoll/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EZForever%2FPEDoll/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EZForever%2FPEDoll/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EZForever","download_url":"https://codeload.github.com/EZForever/PEDoll/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252580004,"owners_count":21771249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analyzer","api-hook","api-hooking","dynamic-analysis","inline-hook","x64"],"created_at":"2024-11-13T14:49:07.200Z","updated_at":"2025-05-05T21:31:13.539Z","avatar_url":"https://github.com/EZForever.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PEDoll\n*Program behavior analyzer for Win32/Win64*\n\nEnglish | [简体中文](README.zh-CN.md)\n\n## Overview\n**PEDoll** is a parody of @matrixcascade's [PeDoll](https://github.com/matrixcascade/PeDoll) (the \"original PeDoll\"), aimed at supporting the x64 platform, multiple clients and multi-threaded applications.\n\nPEDoll consists of three parts:\n\n- The **Controller** accepts incoming client connections and provides a CLI/GUI for users to manage clients and the hooks on them.\n- The **Monitor** clients run on a target machine (either the same physical machine the Controller is running on, or a VM), with the main purpose of creating Doll clients by either launching a new process or attaching to existing ones.\n- The **Doll** clients are processes injected with the *libDoll* module (`libDoll.dll`). libDoll communicates with the Controller, installs inline hooks into the process and responds to the Controller's commands when a hook has activated.\n\nThese parts communicate via the *Puppet Protocol*, a simple, TCP-based packet scheme.\n\nPEDoll works by installing hooks on Windows APIs or inner procedures into a Doll process, waiting for the hooks to activate, then examining the hooks' context (function arguments, memory buffers, etc.) and giving a verdict on whether the process may continue execution.\n\nYou can get a prebuilt PEDoll package from [the \"Releases\" page](https://github.com/EZForever/PEDoll/releases), or compile it yourself with the instructions below.\n\n## Features\n\nCompared to the original PeDoll:\n\n- **Full x64 support:** PEDoll is designed with x64 concepts in mind. You can set up hooks and examine results just like on an x86 client.\n- **Arbitrary number of API/pattern-based hooks:** Due to the change in hooking mechanism, PEDoll no longer requires the API being hooked to be supported by libDoll. This also applies to pattern-based hooks (\"binary hooks\" in the original PeDoll).\n- **Enhanced context expressions:** Examine contexts with C# expressions! Lambda expressions, LINQ extensions, all in one command.\n- **Multiple clients:** Because one Controller per Doll can be annoying.\n\n## System requirements\n\n- Controller: Windows 7 SP1 or above, with .NET Framework 4.5 installed (pre-installed on Windows 8 or above).\n- Monitor and libDoll: Windows Vista or above.\n\n## Usage\n\n[The project's wiki provides a simple example.][wiki/example]\n\nMore \u0026 detailed information on commands, expressions, etc. will be available on [the project's wiki][wiki].\n\n## Building\n\nThe IDE of choice is Visual Studio Community 2019 with the workloads `Desktop development with C++` (for building the Monitor and libDoll) and `.NET desktop development` (for building the Controller).\n\nThis project utilizes [Detours](https://github.com/microsoft/Detours) and includes it as a git submodule. In order to build the Monitor and libDoll, you need to obtain it by either using `git clone --recursive https://github.com/EZForever/PEDoll.git` while cloning this repo, or running `git submodule update --init --recursive` afterwards.\n\nDo not expect all features in the Controller to work when debugging; important files like Monitor executables and scripts will be missing. The file `GenerateRelease.cmd`, when run under a Visual Studio Developer Command Prompt, will build the whole solution, place all files accordingly and process all API scripts to support x64. *Always* use the build generated by `GenerateRelease.cmd` for normal usage.\n\nMore information on implementation details will be available on [the project's wiki][wiki].\n\n## FAQ\n\nSee [\"FAQ\" on the project wiki][wiki/faq].\n\n## License\n\n[The MIT License.](LICENSE.txt)\n\n[wiki]: https://github.com/EZForever/PEDoll/wiki\n[wiki/faq]: https://github.com/EZForever/PEDoll/wiki/FAQ\n[wiki/example]: https://github.com/EZForever/PEDoll/wiki/Simple-Example\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fezforever%2Fpedoll","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fezforever%2Fpedoll","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fezforever%2Fpedoll/lists"}