{"id":16714022,"url":"https://github.com/therealdreg/phook","last_synced_at":"2025-03-21T20:33:36.361Z","repository":{"id":34869257,"uuid":"38873666","full_name":"therealdreg/phook","owner":"therealdreg","description":"Full DLL Hooking, phrack 65","archived":false,"fork":false,"pushed_at":"2023-08-11T06:24:13.000Z","size":2827,"stargazers_count":46,"open_issues_count":0,"forks_count":18,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-18T04:52:18.306Z","etag":null,"topics":["dll-generator","dll-hooking","hooking","peb-hooking","phrack","windows","x86"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg","https://www.paypal.me/therealdreg"]}},"created_at":"2015-07-10T09:54:07.000Z","updated_at":"2024-11-25T06:03:14.000Z","dependencies_parsed_at":"2024-10-28T11:33:37.106Z","dependency_job_id":"3e954b99-dc05-4238-962c-291298b90a2e","html_url":"https://github.com/therealdreg/phook","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fphook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fphook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fphook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fphook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/phook/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244866376,"owners_count":20523504,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dll-generator","dll-hooking","hooking","peb-hooking","phrack","windows","x86"],"created_at":"2024-10-12T20:48:52.224Z","updated_at":"2025-03-21T20:33:36.264Z","avatar_url":"https://github.com/therealdreg.png","language":"C","funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"readme":"# phook\nFull DLL Hooking via Process Environment Block\n\nphook - The PEB Hooker, Phrack 65, Shearer \u0026 Dreg: http://phrack.org/issues/65/10.html#article\n\nPlease consider making a donation: https://github.com/sponsors/therealdreg\n\n* [Paper in Spanish](https://github.com/David-Reguera-Garcia-Dreg/phook/tree/master/papers/Spanish)\n* [Paper in Russian](https://github.com/David-Reguera-Garcia-Dreg/phook/tree/master/papers/Russian)\n* [Paper in French](https://github.com/David-Reguera-Garcia-Dreg/phook/tree/master/papers/French)\n* [Paper in English](https://github.com/David-Reguera-Garcia-Dreg/phook/tree/master/papers/Enlgish)\n\n## Usage\nImagine that we want to do PEB HOOKING of kernel32.dll with ph_ker32.dll; we have chosen the program poc.exe for the example (located in the phook bin\\ folder).\n\nSteps:\n\n1.- Execute InjectorDLL, specifying the program to execute and the console DLL \n    that will be injected into the process:\n        - InjectorDLL.exe console.dll -u poc.exe \n\nThe process will be created in a suspended state and a socket will be bound to \nthe port specified in the C:\\ph_listen_ports.log file.\n    \n        C:\\phook\\bin\u003eInjectorDll.exe console.dll -u poc.exe \n          ______________________________________________\n         |               InjectorDLL v1.0.1             |\n         |                                              |\n         | Juan Carlos Montes   eunimedes@hotmail.com   |\n         | David Reguera Garcia Dreg@fr33project.org    |\n         | -------------------------------------------- |\n         |          http://www.fr33project.org          |\n         |______________________________________________|\n\n         Showing injection data .....\n             Program to inject : C:\\phook\\bin\\poc.exe\n             Library to inject: C:\\phook\\bin\\console.dll\n\n         [OK]   - CONSOLE.\n         [OK]   - Create process:\n             [INFO] PID:       0x0254\n             [INFO] P. HANDLE: 0x000007B0\n             [INFO] TID:       0x0CF0\n             [INFO] T. HANDLE: 0x000007A8\n         [INFO] - Injecting DLL...\n             [OK]   - Allocate memory in the extern process.\n             [INFO] - Address reserved on the other process: 0x00240000\n             [INFO] - Space requested: 306\n             [OK]   - Creating structure for the dll load.\n             [OK]   - Writing structure for the dll load.\n             [OK]   - Creating remote thread.\n             [INFO] - Thread created with TID: 0x0580\n             [INFO] - Attempt: 1\n             [INFO] - Thread has entered suspension mode.\n             [OK]   - Injection thread ended.\n             [OK]   - Memory in remote thread freed.\n         [OK]   -  DLL injected.\n\n         [OK]   -  Injection ended:\n             Try to connect to port written in\n             C:\\ph_listen_ports.log, syntax: PID-PORT\n             Example: nc 127.0.0.1 1234 (1234 is the first default port)\n\n\n2.-  To connect to the server, use a netcat-like client against the open port, \n     in this case 1234.\n    \n    C:\\\u003enc 127.0.0.1 1234\n\n          ________________________________________________________\n         |                   Phook Prompt v1.0.1                  |\n         |       Juan Carlos Montes   eunimedes@hotmail.com       |\n         |       David Reguera Garcia Dreg@fr33project.org        |\n         | ------------------------------------------------------ |\n         |            http://www.fr33project.org                  |\n         |________________________________________________________|\n    \n    \n     ph \u003e help\n     _________________________________________________________________\n    |                       Phook Prompt v1.0.1                       |\n    |                                                                 |\n    | Command list:                                                   |\n    | --------------------------------------------------------------- |\n    | help                      - Shows this screen                   |\n    | exit                      - Closes and unloads the console      |\n    | suspend                   - Pauses the programs execution       |\n    | resume                    - Resumes the programs execution      |\n    | showmodules               - Shows the modules list              |\n    | load [param1]             - Loads in memory the library         |\n    |                             especified in [param1]              |\n    | unload [param1]           - Unloads a librery in memory         |\n    |                             especified in [param1]              |\n    | pebhook [param1] [param2] - Performs PEB Hook over a dll        |\n    |                             [param1]: Name of the original dll  |\n    |                             [param2]: Path to the DLL hook      |\n    |_________________________________________________________________|\n\n\n3.- PEB HOOKING of kernel32.dll with ph_ker32.dll is performed:\n    ph \u003e pebhook kernel32.dll C:\\phook\\bin\\windows_xp_sp3\\ph_ker32.dll\n\n4.- The resume command is sent to start the process's execution:\n    \n    ph \u003e resume\n    ph \u003e    \n    C:\\phook\\bin\u003e \n\n5.- poc.exe creates the files in C:\\\n    - file\n    - file2\n    - file3\n\n6.- ph_ker32.dll logs the successful calls to the APIs \n    CreateFileA and CreateFileW [R.14] in the file C:\\CreateFile.log\n\n7.-\n    C:\\\u003emore CreateFile.log\n    \n    C:\\file1\n    C:\\file2\n    C:\\file3\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fphook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Fphook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fphook/lists"}