{"id":20637713,"url":"https://github.com/x86byte/Hooking-Detours","last_synced_at":"2025-05-10T07:30:41.247Z","repository":{"id":218535863,"uuid":"746658362","full_name":"x86byte/Hooking-Detours","owner":"x86byte","description":"Hooking Malware API with Detours Library","archived":false,"fork":false,"pushed_at":"2024-01-22T19:33:59.000Z","size":71,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-21T19:11:14.279Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/x86byte.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-22T13:04:01.000Z","updated_at":"2024-08-07T05:20:24.000Z","dependencies_parsed_at":"2024-09-08T02:51:14.701Z","dependency_job_id":"57fc21e8-1dc2-4212-8fbd-c39c595820f5","html_url":"https://github.com/x86byte/Hooking-Detours","commit_stats":null,"previous_names":["0xp17j8/hooking-detours-","onomatopwn/hooking-detours","ring0-c0d3-br34k3r/hooking-detours","x86byte/hooking-detours"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86byte%2FHooking-Detours","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86byte%2FHooking-Detours/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86byte%2FHooking-Detours/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86byte%2FHooking-Detours/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x86byte","download_url":"https://codeload.github.com/x86byte/Hooking-Detours/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253379428,"owners_count":21899253,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-16T15:15:39.867Z","updated_at":"2025-05-10T07:30:40.982Z","avatar_url":"https://github.com/x86byte.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# API-Hooking-Detours\n\n\n![0xp17j8](https://github.com/0xp17j8/Hooking-Detours/assets/111459558/83948489-9dd9-43e7-bb65-474863d36011)\n\n\nAPI Hooking in Malware? \n\nMalware authors may use API Hooking techniques to intercept API function \ncalls in order to gain control over a target system and perform unauthorized \nactivities. By hooking key API functions, malware can manipulate data, monitor \nuser actions, bypass security mechanisms, and perform other malicious actions \nwithout the user’s knowledge or consent.\n\n\nHooking with Detours is a bit like giving your malicious creation a sneaky makeover. Essentially, it allows you to manipulate the normal flow of a program, redirecting it to execute your own nefarious code.\n\nIn the realm of malware, this can be used for all sorts of mischiefâ€”stealing sensitive information, bypassing security measures, or even turning innocent software into unwitting accomplices. It's like dressing up your code in a disguise and making it perform actions that the user didn't sign up for.\n\n\nDetours API Hooking : \n\n\"Detours is a library to intercept arbitrary Win32 binary functions on x86 machines. \nThe interception code is applied dynamically at runtime. Convolutive methods replace \nthe first few instructions of the target function with an unconditional jump to the \nuser-provided wrap function. The instruction from the target function is placed in \nthe trampoline. The trampoline address is placed in the target indicator. The wrap \nfunction can either replace the target function, or expand its semantics by calling \nthe target function as a subroutine through the target cursor to the trampoline\"\n\nNote : \n      this is sort of the way that was demonstrated above, albeit in a more \n\t    sophisticated and elegant way. The function that drives all of this is \n\t    the function.DetourAttach(…)\n___________________________________________________________________________________\n\n\n# Hooking using Detours Library :\n\n                    Detours Library GitHub Link : https://github.com/microsoft/Detours\n1 - DetourTransactionBegin              https://github.com/microsoft/Detours/wiki/DetourTransactionBegin  \n  - Begin a new transaction for attaching or detaching detours. This function should be called first \n    when hooking and unhooking.\n\n2 - DetourUpdateThread                  https://github.com/microsoft/Detours/wiki/DetourUpdateThread\n  - Update the current transaction. This is used by Detours library to Enlist a thread in the current \n    transaction || The current thread is updated with DetourUpdateThread(GetCurrentThread()).\n\n3 - DetourAttach                        https://github.com/microsoft/Detours/wiki/DetourAttach\n  - Install the hook on the target function in a current transaction. This won't be committed until  \n     is called.DetourTransactionCommit || The hook function is attached to the original function \n     using DetourAttach() with the function pointer and the hook function as parameters\n\n4 - DetourDetach                        https://github.com/microsoft/Detours/wiki/DetourDetach\n  - Remove the hook from the targetted function in a current transaction. This won't be committed \n     until  is called.DetourTransactionCommit || The hook function is detached from the original \n     function using DetourDetach()\n\n5 - DetourTransactionCommit             https://github.com/microsoft/Detours/wiki/DetourTransactionCommit\n  - Commit the current transaction for attaching or detaching detours.\n\n\n\n\n\n___________________________________________________________________________________\n\n\n\n\n\n\nif for example :     MessageBox(NULL, \"OrcaRootki$ is Dead\", \"Original MsgBox\", MB_OK | MB_ICONWARNING);\n\nif its going to print for us \"OrcaRootki$ is Dead\" We Will intercept it halfway like \"MITM Attack\"\nThen Were going to change that message And We make a Hook for him from \"OrcaRootki$ is Dead\" to \n\"OrcaRootki$ is Great\"  // thats the hook \n\n\n\n\n- for exmple : \n\n    MessageBoxA(NULL, \"OrcaRootki$ is Dead\", \"Original MsgBox\", MB_OK | MB_ICONWARNING);\n\n- we will put MessageBoxA in gpMessageBoxA for hooking \n\n- A function pointer type, FnMessageBoxA, is defined to match the signature of the original MessageBoxA function :\n  \n  typedef BOOL(WINAPI* FnMessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);\n\n- The original function pointer, gpMessageBoxA, is declared and initialized with the MessageBoxA function :\n  \n  FnMessageBoxA gpMessageBoxA = MessageBoxA;\n\n\n\n- The function that will run instead MessageBoxA when hooked || will take the place of the MessageBoxA\n- The hook function, MyHookedMessageBoxA, is defined. This function will intercept calls to MessageBoxA and provide custom behavior :\n  \n  MyHookedMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)         \n\n\n\n- Now We're going to grab our fake or The Hooked Function \"MyHookedMessageBoxA\" And we're going to make it the real Function Then\n  we'll have hooking for MessageBoxA and our function will take its place \"MyHookedMessageBoxA\"\n\n- Running MyHookedMessageBoxA instead of gpMessageBoxA that is MessageBoxA :\n  \n\tDetourAttach((PVOID)\u0026gpMessageBoxA, MyHookedMessageBoxA));\n\t\n___________________________________________________________________________________\n\n\n\n  Intercept and modify the MessageBoxA function is DONE\n\n  The API Hooking can be leveraged to intercept MessageBoxA calls, \n  print message details, and even modify parameters before calling \n  the original function. This level of control opens up possibilities \n  for advanced debugging, behavior analysis, and security research\n\t\n  It is a powerful technique, if misused \"For Malware Dev\"\n\t\n\t\n\t\n\n\n\n- Happy Hacking\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx86byte%2FHooking-Detours","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fx86byte%2FHooking-Detours","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx86byte%2FHooking-Detours/lists"}