Skip to content

A tool for hooking Windows applications and jumping to your Python code with the injected Python interpreter

License

Notifications You must be signed in to change notification settings

cosine0/dllhook

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

dllhook

PyPI version
dllhook is a tool for hooking Windows x86 applications. This tools injects embedded Python interpreter (Python DLL) to the application and executes your script. And also this provides a convenient hooking library to use in your script.
This tool uses mayhem python_injector as injector.
See https://github.com/zeroSteiner/mayhem/blob/master/tools/python_injector.py
When you clone this repository, you must also clone submodule mayhem.
This tool is tested on Python 3.6-3.11.

Installation

Make sure you use 32-bit version of Python.

To install dllhook:

pip install dllhook

Usage

  • Write your python script to inject.
import ctypes
import dllhook

# @dllhook.hook_dll('Kernel32.dll', 0x00014510) also works
@dllhook.hook_dll('Kernel32.dll', b'CreateProcessW')
def see_process(arg1):
    if arg1 != 0:
        print("<hooked> ", ctypes.wstring_at(arg1))
  • Save it as a file. (e.g. C:\Users\example\Desktop\see_process.py)

  • Execute the module dllhook with the target program and your script as the arguments.

python -mdllhook "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" C:\Users\example\Desktop\see_process.py

Console output:

[+] Opened a handle to pid: 24308
[*] Found Python library at: C:\Users\example\AppData\Local\Programs\Python\Python36-32\python36.dll
[*] Injecting Python into the process...
[+] Loaded C:\Users\example\AppData\Local\Programs\Python\Python36-32\python36.dll with handle 0x69ee0000
[*] Resolved addresses:
  - Py_InitializeEx:    0x6a061cc0
  - PyRun_SimpleString: 0x6a07b1c0
[*] Initialized Python in the host process
[*] Waiting for client to connect on \\.\pipe\mayhem
[*] Client connected on named pipe
target: 0x75ae4510
invoke: 0x6c401df0
callbacker: 0x6620fdc
<hooked> C:/Program Files (x86)/Adobe/Acrobat Reader DC/Reader/ARH.exe
<hooked> C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

Author

cosine0 @github

About

A tool for hooking Windows applications and jumping to your Python code with the injected Python interpreter

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages