{"id":29730522,"url":"https://github.com/sonx4444/hook-nt","last_synced_at":"2026-05-17T01:37:20.946Z","repository":{"id":280898802,"uuid":"936647600","full_name":"sonx4444/hook-nt","owner":"sonx4444","description":"A Windows NT API hooking tool for intercepting and monitoring system calls","archived":false,"fork":false,"pushed_at":"2025-06-12T08:55:26.000Z","size":2254,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-25T08:57:02.295Z","etag":null,"topics":["api-hooking","ntdll","reverse-engineering","windows","windows-internals"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sonx4444.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-21T12:51:57.000Z","updated_at":"2025-06-13T03:23:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"33e769f6-ae0c-4b42-b79f-4d499548d1e9","html_url":"https://github.com/sonx4444/hook-nt","commit_stats":null,"previous_names":["scrymastic/hooknt","sonx4444/hook-nt"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/sonx4444/hook-nt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sonx4444%2Fhook-nt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sonx4444%2Fhook-nt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sonx4444%2Fhook-nt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sonx4444%2Fhook-nt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sonx4444","download_url":"https://codeload.github.com/sonx4444/hook-nt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sonx4444%2Fhook-nt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32076902,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-21T02:38:07.213Z","status":"ssl_error","status_checked_at":"2026-04-21T02:38:06.559Z","response_time":128,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-hooking","ntdll","reverse-engineering","windows","windows-internals"],"created_at":"2025-07-25T05:40:28.814Z","updated_at":"2026-05-17T01:37:20.940Z","avatar_url":"https://github.com/sonx4444.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HookNt\n\nA Windows NT API hooking framework that allows monitoring and intercepting NT system calls in target processes. Built with C++ and CMake.\n\n## Overview\n\nHookNt enables you to intercept and monitor NT system calls by hooking functions in the Windows NT API. The framework uses a function-based architecture with separation of concerns.\n\n## Features\n\n- Process creation and DLL injection\n- NT function hooking with trampoline support\n- Parameter logging for hooked functions\n- CMake-based build system\n- Support for multiple NT functions\n\n## Project Structure\n\n```\nsrcn/\n├── CMakeLists.txt                 # Main CMake configuration\n├── build.bat                      # Windows build script\n├── src/\n│   ├── include/                   # Public headers\n│   │   ├── common.h               # Shared definitions and types\n│   │   ├── hook_manager.h         # Hook management interface\n│   │   ├── process_manager.h      # Process management interface\n│   │   ├── memory_utils.h         # Memory utility functions\n│   │   ├── ntdlln.h               # DLL exports and NT function declarations\n│   │   ├── module_resolver.h      # Module resolution interface\n│   │   ├── function_resolver.h    # Function resolution interface\n│   │   └── logger.h               # Logging interface\n│   ├── hooknt/                    # Main executable\n│   │   ├── main.cpp               # Application entry point\n│   │   ├── process_manager.cpp\n│   │   ├── hook_manager.cpp\n│   │   └── memory_utils.cpp\n│   └── ntdlln/                    # Hook DLL\n│       ├── dllmain.cpp            # DLL entry point\n│       ├── ntdlln.cpp             # NT function hooks\n│       ├── module_resolver.cpp\n│       ├── function_resolver.cpp\n│       └── logger.cpp\n└── libs/distorm/                  # DiStorm integration\n```\n\n## Building\n\n```cmd\ncd srcn\n.\\build.bat\n```\n\nThis will generate:\n- `hooknt.exe` - Main executable\n- `ntdlln.dll` - Hook DLL\n\n## Usage\n\n```cmd\n  hookNt.exe \u003ctarget_program\u003e \u003cnt_function1\u003e \u003cnt_function2\u003e ...\n```\n\nExample:\n\n```cmd\n   # Hook file operations in the test.exe process\n   hookNt.exe test.exe NtWriteFile NtCreateFile NtReadFile\n```\n\n![Example](./imgs/image-1.png)\n![Example](./imgs/image-2.png)\n\nOutput will show:\n- Process creation and injection status\n- Function hooking details\n- Parameters and return values of hooked functions\n\n## How It Works\n\n1. **Process Creation**: Creates target process suspended\n2. **DLL Injection**: Uses reflective DLL injection\n3. **Function Resolution**: Locates NT functions in both DLLs\n4. **Trampoline Creation**: Preserves original functionality\n5. **Function Patching**: Redirects calls to hooks\n6. **Process Resumption**: Resumes with hooks active\n\n### Sequence Diagram\n\n```mermaid\nsequenceDiagram\n   participant User\n   participant HookNt as hooknt.exe\n   participant Target as Target Process\n   participant NTDLL as ntdll.dll\n   participant NTDLLN as ntdlln.dll\n\n   User-\u003e\u003eHookNt: Launch with target process \u0026 functions\n   HookNt-\u003e\u003eTarget: Create suspended process\n   HookNt-\u003e\u003eTarget: Inject ntdlln.dll\n    \n   loop For each function to hook\n      HookNt-\u003e\u003eNTDLL: Locate original NT function\n      HookNt-\u003e\u003eNTDLLN: Locate -N hook function\n      HookNt-\u003e\u003eNTDLLN: Locate trampoline variable\n      \n      HookNt-\u003e\u003eTarget: Allocate trampoline memory\n      HookNt-\u003e\u003eNTDLLN: Save trampoline address\n      HookNt-\u003e\u003eNTDLL: Patch to jump to -N function\n   end\n    \n   HookNt-\u003e\u003eTarget: Resume process\n   \n   Note over Target,NTDLLN: When NT function called:\n   Target-\u003e\u003eNTDLL: Call NT function\n   NTDLL-\u003e\u003eNTDLLN: Jump to -N function\n   NTDLLN-\u003e\u003eNTDLLN: Log parameters\n   NTDLLN-\u003e\u003eNTDLL: Call via trampoline\n   NTDLL-\u003e\u003eNTDLLN: Return result\n   NTDLLN-\u003e\u003eNTDLLN: Log result\n   NTDLLN-\u003e\u003eTarget: Return to caller\n```\n\n## Architecture\n\n### Core Components\n\n- **Process Manager**: Handles process creation, DLL injection, and memory management\n- **Hook Manager**: Manages function hooking, patching, and trampoline creation\n- **Memory Utils**: Provides custom memory functions\n- **Module Resolver**: Implements PEB-based module resolution\n- **Function Resolver**: Handles export table parsing\n- **Logger**: Provides logging functionality\n\n## Technical Details\n\n- **Architecture**: x64 Windows\n- **Jump Technique**: push+ret for 64-bit absolute jumps\n- **String Operations**: Custom implementations\n- **Calling Convention**: NTAPI for all NT functions\n- **Memory Safety**: Proper allocation/cleanup\n- **Build System**: CMake\n\n## Adding New Functions\n\nCurrently, only the following functions are supported:\n- `NtCreateFile`\n- `NtReadFile`\n- `NtWriteFile`\n\nBut you can easily add new functions by following these steps:\n\n1. **Add trampoline variable:**\n   ```cpp\n   extern \"C\" NTDLLN_API PVOID NtNewFunctionTrampoline = nullptr;\n   ```\n\n2. **Implement hook:**\n   ```cpp\n   extern \"C\" NTDLLN_API NTSTATUS NTAPI NtNewFunctionN(...) {\n       printfN(\"\\n[*] NtNewFunction\\n\");\n       // Log parameters\n       \n       typedef NTSTATUS(NTAPI* NtNewFunction_proc)(...);\n       NtNewFunction_proc trampoline = (NtNewFunction_proc)NtNewFunctionTrampoline;\n       return trampoline(...);\n   }\n   ```\n\n3. **Add declaration to ntdlln.h**\n4. **Rebuild**\n\n## Prerequisites\n\n- Visual Studio 2019+ (with C++)\n- CMake 3.20+\n- Windows SDK\n\n## License\n\nEducational and research purposes. Use responsibly and in accordance with applicable laws. ","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsonx4444%2Fhook-nt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsonx4444%2Fhook-nt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsonx4444%2Fhook-nt/lists"}