{"id":18282558,"url":"https://github.com/rafael-santiago/kook","last_synced_at":"2025-07-18T16:33:20.821Z","repository":{"id":45775629,"uuid":"113468813","full_name":"rafael-santiago/kook","owner":"rafael-santiago","description":"A syscall hooking system for FreeBSD, NetBSD and also Linux.","archived":false,"fork":false,"pushed_at":"2021-11-14T16:55:56.000Z","size":41,"stargazers_count":17,"open_issues_count":0,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-20T23:41:34.219Z","etag":null,"topics":["capture-the-flag","freebsd-kld","hackathon","hacking","hacking-tool","hooking","kernel","linux-kernel-module","netbsd-kernel-module","rootkit"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rafael-santiago.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-07T15:40:51.000Z","updated_at":"2025-03-04T12:49:44.000Z","dependencies_parsed_at":"2022-09-24T08:51:45.958Z","dependency_job_id":null,"html_url":"https://github.com/rafael-santiago/kook","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafael-santiago%2Fkook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafael-santiago%2Fkook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafael-santiago%2Fkook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rafael-santiago%2Fkook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rafael-santiag
o","download_url":"https://codeload.github.com/rafael-santiago/kook/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247299766,"owners_count":20916183,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capture-the-flag","freebsd-kld","hackathon","hacking","hacking-tool","hooking","kernel","linux-kernel-module","netbsd-kernel-module","rootkit"],"created_at":"2024-11-05T13:05:34.375Z","updated_at":"2025-04-05T06:30:46.917Z","avatar_url":"https://github.com/rafael-santiago.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"Kook\n----\n\nWhat is this?\n-------------\n\nKook is just a simple code for system call hooking. 
It works on FreeBSD, NetBSD and also Linux.\n\nHow can I clone it?\n-------------------\n\nPretty simple:\n\n    you@somewhere_over_the_rainbow:~/src# git clone https://github.com/rafael-santiago/kook\n    you@somewhere_over_the_rainbow:~/src# cd kook\n    you@somewhere_over_the_rainbow:~/src/kook# git submodule update --init\n\nor do it all at once:\n\n    you@somewhere_over_the_rainbow:~/src# git clone https://github.com/rafael-santiago/kook --recursive\n\nHow can I build it?\n-------------------\n\nYou should not need to \"build\" anything; however, if you want to run kook's tests, you need my build system\n(https://github.com/rafael-santiago/hefesto).\n\nOnce this build system is installed, all you need to do is clone another repo of mine called helios\n(https://github.com/rafael-santiago/helios):\n\n    you@somewhere_over_the_rainbow:~/src# git clone https://github.com/rafael-santiago/helios\n\nAfter cloning it...\n\n#if defined(__FreeBSD__)\n\n    you@somewhere_over_the_rainbow:~/src# cd helios\n    you@somewhere_over_the_rainbow:~/src/helios# hefesto --install=freebsd-module-toolset\n\n#elif defined(__linux__)\n\n    you@somewhere_over_the_rainbow:~/src# cd helios\n    you@somewhere_over_the_rainbow:~/src/helios# hefesto --install=lnx-module-toolset\n\n#elif defined(__NetBSD__)\n\n    you@somewhere_over_the_rainbow:~/src# cd helios\n    you@somewhere_over_the_rainbow:~/src/helios# hefesto --install=netbsd-module-toolset\n\n#endif\n\n    you@somewhere_over_the_rainbow:~/src/helios# cd ..\n    you@somewhere_over_the_rainbow:~/src# rm -rf helios\n\nNow enter kook's src sub-directory and call hefesto from there:\n\n    you@somewhere_over_the_rainbow:~/src# cd kook/src\n    you@somewhere_over_the_rainbow:~/src/kook/src# hefesto\n\nSome tests will run and you will get output like the following (when all is ok...):\n\n    *** kook_test_monkey loaded...\n    -- running get_syscall_table_addr_test...\n    -- passed.\n    -- running hook_test...\n    -- passed.\n    -- running unhook_test...\n    -- passed.\n    *** all tests passed. [3 test(s) ran]\n    *** kook_test_monkey unloaded.\n    BUILD INFO: All done.\n\n\nHow can I use this hooking stuff with my own kernel mode stuff?\n---------------------------------------------------------------\n\nI made this repo with FreeBSD, NetBSD and Linux kernel programmers in mind, so the best way of\nusing this code with your own stuff is to include kook's src sub-directory and kook's platform-dependent\ncode directory (by the way, named after your current platform).\n\nHooking with kook is a thing that can be done even by an earthworm, look:\n\n    // Your precious code stuff...\n    #include \u003ckook.h\u003e // Include the main kook's header file.\n\n    void *original_syscall = NULL;\n\n    (...)\n    // Hooking.\n    if (kook(sys_call_constant, your_hook_function, \u0026original_syscall) != 0) {\n        // Some error has occurred during the syscall hook.\n    }\n\n    (...)\n    // Unhooking.\n    if (kook(sys_call_constant, original_syscall, NULL) != 0) {\n        // Some error has occurred during the syscall unhooking and I think (just think...)\n        // you should not unload this module.\n    }\n\n\nIf you have no intention of unhooking, you can pass the original function pointer as NULL when hooking:\n\n    if (kook(sys_call_constant, your_hook_function, NULL) != 0) {\n        // Some error has occurred during the syscall hook.\n    }\n\nOn Linux I have tested and designed it for 4.4.x kernels or (maybe) higher versions. It currently\nsupports kernels higher than 5.7.0, too. However, it is easy to make it usable in older versions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frafael-santiago%2Fkook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frafael-santiago%2Fkook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frafael-santiago%2Fkook/lists"}