Comments (8)
kevoreilly
commented on August 18, 2024
A subset. The APIs are listed in hooks.h: https://github.com/kevoreilly/capemon/blob/capemon/hooks.h
from capemon.
3ntr0phy
commented on August 18, 2024
Out of curiosity : why this design choice? There is any rationale for not log all of them?
from capemon.
kevoreilly
commented on August 18, 2024
The number of exported functions in ntdll alone is > 2000, not far off 2000 in kernelbase, then there is kernel32. That's not even getting started on networking APIs. The total number in the Windows API? I am guessing many tens if not hundreds of thousands of functions. To hook them all would require work in writing hooks, which can also be technically challenging. The output from all these hooks would be massive so would slow down processing and mean interesting stuff in the logs would be drowned out by uninteresting info. Then there is the increased risk of bugs... All lead to the question of why one would want to hook everything?
from capemon.
3ntr0phy
commented on August 18, 2024
Thank you for the reply :)
I am mainly referring to the following syscalls : https://github.com/j00ru/windows-syscalls
Probably there was a misunderstanding, I used API and should have used syscalls !
from capemon.
kevoreilly
commented on August 18, 2024
I see what you mean - capemon's hooks are of course not true syscall hooks. But assuming each true syscall is wrapped by a function exported by ntdll, then it would be possible to hook those functions. I think the reason this hasn't been done is just that some syscalls aren't that useful from the perspective of malware analysis.
As an aside I have been experimenting with 'nirvana' hooks in win10 which is a true syscall hooking mechanism - maybe one day I'll publish this if it's reliable enough.
from capemon.
3ntr0phy
commented on August 18, 2024
What do you mean not true syscall hooks?
Do you mean this hooking mechanism https://infocondb.org/con/recon/recon-2015/hooking-nirvana-stealthy-instrumentation-techniques-for-windows-10 ?
from capemon.
3ntr0phy
commented on August 18, 2024
Not sure anyway, sempahore syscalls may be interesting as well for example...
from capemon.
kevoreilly
commented on August 18, 2024
In general, I just mean a technique that hooks the actual syscall mechanism, so each time the syscall instruction is executed it is hooked. In capemon it's a user-mode hook of a user-mode wrapper for a syscall. So, for example, direct syscalls to NtAllocateVirtualMemory will not be captured with capemon hook on the exported function from ntdll of the same name.
from capemon.
Related Issues (20)
- Broken sleep hooks resulting in nonstable (not working) TCP sessions HOT 9
- got 520 error after implement all the rest api HOT 1
- Capemon failed to build with "error C2039: 'Dr6': is not a member of '_CONTEXT' " with MSVC on Windows arm64 HOT 1
- Problem in detonation HOT 3
- Capemon failed to build with "fatal error LNK1104: cannot open file 'atls.lib' " with MSVC on Windows arm64ec HOT 1
- [MSVC][permissive-][std:c++latest] Capemon failed to build with msvc due to error C2362 error2440 on Windows HOT 1
- Crash in yara rule matching seemingly due to compiled rule word-size mismatch HOT 20
- Infinite recursion from GetThreadID in Debugger HOT 2
- Unable to place hook. Unable to hook. HOT 1
- Crash due to wrong prototype for NtAllocateVirtualMemoryEx HOT 2
- InjectDllViaIAT failed in Windows 10 HOT 1
- Crashed in get_full_keyvalue_pathUS HOT 2
- CoCreateInstance hook Win64 exclusion HOT 3
- Detonation failure due to VS2022
- x86 DLL detonation issues in Win10 HOT 10
- LdrLoadDll BaseAddress always NULL HOT 8
- [Compile] LINK : fatal error C1047: The object or library file 'libyara\lib\libyara64.lib' was created by a different version of the compiler HOT 2
- Capemon Testing Question HOT 2
- Capemon failed to build with fatal error C1047: The object or library file 'F:\gitP\kevoreilly\capemon\\libyara\lib\libyara64.lib' was created by a different version of the compiler than other objects like 'x64\Release\alloc.obj' HOT 2
- Improving IsPeImageRaw() HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from capemon.