
(Python) Hook Injection by Unprotect
Created on Tuesday 06 December 2022. Updated 5 months, 4 weeks ago.
Description:
The HookFunction is injected as a hook using the SetWindowsHookEx function, and it still calls the CallNextHookEx function to continue the normal flow of execution. The main function installs the hook, runs the message loop to receive events, and then uninstalls the hook when finished.
Code
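import ctypes
from ctypes import wintypes
from ctypes.wintypes import HHOOK, LPARAM, WPARAM

LRESULT = ctypes.c_ssize_t  # ctypes.wintypes does not define LRESULT
WH_MOUSE_LL = 14  # the hook type id passed in the original example
user32 = ctypes.WinDLL("user32", use_last_error=True)

# Prototypes, so handles and pointer-sized values survive on 64-bit Windows
HOOKPROC = ctypes.WINFUNCTYPE(LRESULT, ctypes.c_int, WPARAM, LPARAM)
user32.SetWindowsHookExW.argtypes = (ctypes.c_int, HOOKPROC, wintypes.HINSTANCE, wintypes.DWORD)
user32.SetWindowsHookExW.restype = HHOOK
user32.CallNextHookEx.argtypes = (HHOOK, ctypes.c_int, WPARAM, LPARAM)
user32.CallNextHookEx.restype = LRESULT
user32.UnhookWindowsHookEx.argtypes = (HHOOK,)

# The function to be injected as a hook (wrapped so Windows can call it)
@HOOKPROC
def HookFunction(code, wParam, lParam):
    # Perform malicious actions here
    # Return the result of the next hook in the chain
    return user32.CallNextHookEx(None, code, wParam, lParam)

def main():
    # Install the hook
    hHook = user32.SetWindowsHookExW(WH_MOUSE_LL, HookFunction, None, 0)
    if not hHook:
        raise ctypes.WinError(ctypes.get_last_error())
    # Run the message loop to receive events (GetMessageW returns -1 on error)
    msg = wintypes.MSG()
    while user32.GetMessageW(ctypes.byref(msg), None, 0, 0) > 0:
        user32.TranslateMessage(ctypes.byref(msg))
        user32.DispatchMessageW(ctypes.byref(msg))
    # Uninstall the hook
    user32.UnhookWindowsHookEx(hHook)

if __name__ == "__main__":
    main()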
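
A triage helper for scripts like the one above, added here as an example and not part of the original Unprotect snippet: it parses Python source with ast (nothing is executed), finds SetWindowsHookEx calls, and decodes the hook type and thread scope. The function names, finding fields and SAMPLE text are constructed for illustration.

```python
import ast

# idHook values from WinUser.h (subset); other ids are reported as "unknown".
HOOK_TYPES = {
    0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK", 2: "WH_KEYBOARD",
    3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT", 6: "WH_SYSMSGFILTER",
    7: "WH_MOUSE", 9: "WH_DEBUG", 10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE",
    12: "WH_CALLWNDPROCRET", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
APIS = {"SetWindowsHookEx", "SetWindowsHookExA", "SetWindowsHookExW"}

def _const_int(node, names):
    """Resolve an int literal, a known NAME, or a one-argument wrapper such as c_int(14)."""
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.Name):
        return names.get(node.id)
    if isinstance(node, ast.Call) and len(node.args) == 1:
        return _const_int(node.args[0], names)
    return None

def find_hook_installs(source):
    """Return one finding per SetWindowsHookEx[A|W] call found in Python source text."""
    tree = ast.parse(source)
    names = {}  # simple NAME = <int> assignments, e.g. WH_CBT = 5
    for n in ast.walk(tree):
        if isinstance(n, ast.Assign) and len(n.targets) == 1 and isinstance(n.targets[0], ast.Name):
            value = _const_int(n.value, names)
            if value is not None:
                names[n.targets[0].id] = value
    findings = []
    for n in ast.walk(tree):
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute) and n.func.attr in APIS:
            hook_id = _const_int(n.args[0], names) if n.args else None
            thread = _const_int(n.args[3], names) if len(n.args) > 3 else None
            findings.append({
                "line": n.lineno, "api": n.func.attr,
                "hook": HOOK_TYPES.get(hook_id, "unknown"),
                "low_level": hook_id in (13, 14),
                "all_threads": thread == 0,  # dwThreadId 0: every thread on the desktop
            })
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample: line 3 is the call as written on this page, line 4 a thread-scoped variant.
SAMPLE = """WH_CBT = 5
user32 = ctypes.windll.user32
h1 = ctypes.windll.user32.SetWindowsHookEx(ctypes.c_int(14), HookFunction, None, 0)
h2 = user32.SetWindowsHookExW(WH_CBT, proc, hmod, tid)
"""
```

Calling find_hook_installs(SAMPLE) returns two findings; a hook id or thread id that cannot be resolved statically is reported as "unknown" or as not all-threads, so such findings still need manual review.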