This module hooks IAT and EAT to monitor all external functions calls,
very useful for [malware] reverse and debugging.

Classes
		_ctypes.Structure(_ctypes._CData) IMAGE_EXPORT_DIRECTORY MEMORY_BASIC_INFORMATION MODULEENTRY32 UNICODE_STRING builtins.object CallbackManager Callbacks Function Hooks   class CallbackManager(builtins.object)       Data descriptors defined here: __dict__ dictionary for instance variables (if defined) __weakref__ list of weak references to the object (if defined) Data and other attributes defined here: __annotations__ = {'config': <class 'dict'>, 'indent': <class 'int'>, 'lock': <built-in function allocate_lock>, 'run': <class 'bool'>, 'thread_id': <class 'int'>} config = {} indent = 0 lock = <unlocked _thread.lock object> run = -1 thread_id = 0   class Callbacks(builtins.object)     This class contains all callbacks define in configuration.     Methods defined here: exit(type_: str, function: Union[Win32Hooking.Function, PyPeLoader.ImportFunction], arguments: Tuple, return_value: ctypes.c_void_p) -> ctypes.c_void_p This function terminates/exits the program. interactive(type_: str, function: Union[Win32Hooking.Function, PyPeLoader.ImportFunction], arguments: Tuple, return_value: ctypes.c_void_p) -> ctypes.c_void_p This function defines interactive actions on callback. kernel32_GetProcAddress(type_: str, function: Union[Win32Hooking.Function, PyPeLoader.ImportFunction], arguments: Tuple, return_value: ctypes.c_void_p) -> ctypes.c_void_p This function defines the GetProcAddress hooking behaviour. ntdll_LdrLoadDll(type_: str, function: Union[Win32Hooking.Function, PyPeLoader.ImportFunction], arguments: Tuple, return_value: ctypes.c_void_p) -> ctypes.c_void_p This function defines the LdrLoadDll hooking behaviour. print(type_: str, function: Union[Win32Hooking.Function, PyPeLoader.ImportFunction], arguments: Tuple, return_value: ctypes.c_void_p) -> ctypes.c_void_p This function prints function, return value and arguments, it's a simple demo. Data descriptors defined here: __dict__ dictionary for instance variables (if defined) __weakref__ list of weak references to the object (if defined)   class Function(builtins.object)     Function(module: Win32Hooking.MODULEENTRY32, module_name: str, name: str, address: int, rva: int, export_address: int, index: int, pointer: type = None, hook: Callable = None, arguments: List[str] = None, hide: bool = False, count_call: int = 0, calls: List[Dict[str, Union[int, Callable]]] = &lt;factory&gt;) -&gt; None   Function(module: Win32Hooking.MODULEENTRY32, module_name: str, name: str, address: int, rva: int, export_address: int, index: int, pointer: type = None, hook: Callable = None, arguments: List[str] = None, hide: bool = False, count_call: int = 0, calls: List[Dict[str, Union[int, Callable]]] = <factory>)     Methods defined here: __eq__(self, other) Return self==value. __init__(self, module: Win32Hooking.MODULEENTRY32, module_name: str, name: str, address: int, rva: int, export_address: int, index: int, pointer: type = None, hook: Callable = None, arguments: List[str] = None, hide: bool = False, count_call: int = 0, calls: List[Dict[str, Union[int, Callable]]] = <factory>) -> None Initialize self.  See help(type(self)) for accurate signature. __repr__(self) Return repr(self). Data descriptors defined here: __dict__ dictionary for instance variables (if defined) __weakref__ list of weak references to the object (if defined) Data and other attributes defined here: __annotations__ = {'address': <class 'int'>, 'arguments': typing.List[str], 'calls': typing.List[typing.Dict[str, typing.Union[int, typing.Callable]]], 'count_call': <class 'int'>, 'export_address': <class 'int'>, 'hide': <class 'bool'>, 'hook': typing.Callable, 'index': <class 'int'>, 'module': <class 'Win32Hooking.MODULEENTRY32'>, 'module_name': <class 'str'>, ...} __dataclass_fields__ = {'address': Field(name='address',type=<class 'int'>,default=...appingproxy({}),kw_only=False,_field_type=_FIELD), 'arguments': Field(name='arguments',type=typing.List[str],def...appingproxy({}),kw_only=False,_field_type=_FIELD), 'calls': Field(name='calls',type=typing.List[typing.Dict[...appingproxy({}),kw_only=False,_field_type=_FIELD), 'count_call': Field(name='count_call',type=<class 'int'>,defau...appingproxy({}),kw_only=False,_field_type=_FIELD), 'export_address': Field(name='export_address',type=<class 'int'>,d...appingproxy({}),kw_only=False,_field_type=_FIELD), 'hide': Field(name='hide',type=<class 'bool'>,default=Fa...appingproxy({}),kw_only=False,_field_type=_FIELD), 'hook': Field(name='hook',type=typing.Callable,default=N...appingproxy({}),kw_only=False,_field_type=_FIELD), 'index': Field(name='index',type=<class 'int'>,default=<d...appingproxy({}),kw_only=False,_field_type=_FIELD), 'module': Field(name='module',type=<class 'Win32Hooking.MO...appingproxy({}),kw_only=False,_field_type=_FIELD), 'module_name': Field(name='module_name',type=<class 'str'>,defa...appingproxy({}),kw_only=False,_field_type=_FIELD), ...} __dataclass_params__ = _DataclassParams(init=True,repr=True,eq=True,order=False,unsafe_hash=False,frozen=False) __hash__ = None __match_args__ = ('module', 'module_name', 'name', 'address', 'rva', 'export_address', 'index', 'pointer', 'hook', 'arguments', 'hide', 'count_call', 'calls') arguments = None count_call = 0 hide = False hook = None pointer = None   class Hooks(builtins.object)     This class contains all data about hooks.     Data descriptors defined here: __dict__ dictionary for instance variables (if defined) __weakref__ list of weak references to the object (if defined) Data and other attributes defined here: __annotations__ = {'export_hooks': typing.Dict[str, Win32Hooking.Function], 'get_proc_address_hooks': typing.Dict[str, Win32Hooking.Function], 'import_hooks': typing.Dict[str, PyPeLoader.ImportFunction], 'name_hooks': typing.Dict[str, Win32Hooking.Function], 'reserved_hooks_space': typing.Dict[str, int], 'types': typing.Dict[str, CFUNCTYPE]} export_hooks = {} get_proc_address_hooks = {} import_hooks = {} name_hooks = {} reserved_hooks_space = {} types = {}   class IMAGE_EXPORT_DIRECTORY(_ctypes.Structure)     This class implements the image export directory to access export functions.     Method resolution order: IMAGE_EXPORT_DIRECTORY _ctypes.Structure _ctypes._CData builtins.object Data descriptors defined here: AddressOfFunctions AddressOfNameOrdinals AddressOfNames Base Characteristics MajorVersion MinorVersion Name NumberOfFunctions NumberOfNames TimeDateStamp __dict__ dictionary for instance variables (if defined) __weakref__ list of weak references to the object (if defined) Methods inherited from _ctypes.Structure: __init__(self, /, *args, **kwargs) Initialize self.  See help(type(self)) for accurate signature. Static methods inherited from _ctypes.Structure: __new__(*args, **kwargs) from _ctypes.PyCStructType Create and return a new object.  See help(type) for accurate signature. Methods inherited from _ctypes._CData: __ctypes_from_outparam__(...) __hash__(self, /) Return hash(self). __reduce__(...) Helper for pickle. __setstate__(...)   class MEMORY_BASIC_INFORMATION(_ctypes.Structure)     This class implements the structure to get memory information.     Method resolution order: MEMORY_BASIC_INFORMATION _ctypes.Structure _ctypes._CData builtins.object Data descriptors defined here: AllocationBase AllocationProtect BaseAddress Protect RegionSize State Type __dict__ dictionary for instance variables (if defined) __weakref__ list of weak references to the object (if defined) Methods inherited from _ctypes.Structure: __init__(self, /, *args, **kwargs) Initialize self.  See help(type(self)) for accurate signature. Static methods inherited from _ctypes.Structure: __new__(*args, **kwargs) from _ctypes.PyCStructType Create and return a new object.  See help(type) for accurate signature. Methods inherited from _ctypes._CData: __ctypes_from_outparam__(...) __hash__(self, /) Return hash(self). __reduce__(...) Helper for pickle. __setstate__(...)   class MODULEENTRY32(_ctypes.Structure)     This class implements the Module Entry for CreateToolhelp32Snapshot return value.     Method resolution order: MODULEENTRY32 _ctypes.Structure _ctypes._CData builtins.object Data descriptors defined here: GlblcntUsage ProccntUsage __dict__ dictionary for instance variables (if defined) __weakref__ list of weak references to the object (if defined) dwSize hModule modBaseAddr modBaseSize szExePath szModule th32ModuleID th32ProcessID Methods inherited from _ctypes.Structure: __init__(self, /, *args, **kwargs) Initialize self.  See help(type(self)) for accurate signature. Static methods inherited from _ctypes.Structure: __new__(*args, **kwargs) from _ctypes.PyCStructType Create and return a new object.  See help(type) for accurate signature. Methods inherited from _ctypes._CData: __ctypes_from_outparam__(...) __hash__(self, /) Return hash(self). __reduce__(...) Helper for pickle. __setstate__(...)   class UNICODE_STRING(_ctypes.Structure)     This class implements the Unicode String for LdrLoadDll argument value.     Method resolution order: UNICODE_STRING _ctypes.Structure _ctypes._CData builtins.object Data descriptors defined here: Buffer Length MaximumLength __dict__ dictionary for instance variables (if defined) __weakref__ list of weak references to the object (if defined) Methods inherited from _ctypes.Structure: __init__(self, /, *args, **kwargs) Initialize self.  See help(type(self)) for accurate signature. Static methods inherited from _ctypes.Structure: __new__(*args, **kwargs) from _ctypes.PyCStructType Create and return a new object.  See help(type) for accurate signature. Methods inherited from _ctypes._CData: __ctypes_from_outparam__(...) __hash__(self, /) Return hash(self). __reduce__(...) Helper for pickle. __setstate__(...)

Functions
		Lock = allocate_lock(...) allocate_lock() -> lock object (allocate() is an obsolete synonym)   Create a new lock object. See help(type(threading.Lock())) for information about locks. POINTER(...) addressof(...) addressof(C instance) -> integer Return the address of the C instance internal buffer build_generic_callback(type_: str, function: Win32Hooking.Function) -> None This function builds the generic callback using configurations. byref(...) byref(C instance[, offset=0]) -> byref-object Return a pointer lookalike to a C instance, only usable as function argument callback_call(function: PyPeLoader.ImportFunction, specific_call: Callable, return_value: ctypes.c_void_p, type_: str, arguments: Tuple) -> ctypes.c_void_p This function detects wich function should be call and call it. callback_call_printer(function: PyPeLoader.ImportFunction, callback_type: Callable, arguments: Tuple, start: str) -> None This function prints call for not hidden callback. callback_print(*args, **kwargs) -> None This function manages callbacks prints. callback_return_printer(function: PyPeLoader.ImportFunction, return_value: ctypes.c_void_p, start: str) -> None This function prints return for not hidden callback. config() exit(status=None, /) Exit the interpreter by raising SystemExit(status).   If the status is omitted or None, it defaults to zero (i.e., success). If the status is an integer, it will be used as the system exit status. If it is another kind of object, it will be printed and the system exit status will be one (i.e., failure). find_free_executable_region(start_address: int, function_number: int, max_scan=268435456) -> int This function implements checks on memory to get a good address to allocate hooks jumps. generate_absolute_jump(address: int) -> bytes This function generates absolute JUMP. generic_callback_generator(type_: str, function: Union[Win32Hooking.Function, PyPeLoader.ImportFunction], specific_call: Callable = None, callback_type: <function CFUNCTYPE at 0x0000028AB3C57010> = <class 'ctypes.CFUNCTYPE.<locals>.CFunctionType'>) -> Callable This function makes the specific callback for each function using the generic callback. get_PeHeaders(module_base: int, dos: PyPeLoader.IMAGE_DOS_HEADER, nt_headers: PyPeLoader.IMAGE_NT_HEADERS, optional_header: Union[PyPeLoader.IMAGE_OPTIONAL_HEADER64, PyPeLoader.IMAGE_OPTIONAL_HEADER32]) -> PyPeLoader.PeHeaders This function returns the PeHeaders to call PyPeLoader.get_imports get_callback_type(arguments: Optional[List[Dict[str, str]]], return_value: Optional[str]) -> <function CFUNCTYPE at 0x0000028AB3C57010> This function builds and returns the callback CFUNCTYPE. get_last_error(...) get_logger(name: str) -> logging.Logger get_native_id(...) get_native_id() -> integer   Return a non-negative integer identifying the thread as reported by the OS (kernel). This may be used to uniquely identify a particular thread within a system. getpid() Return the current process id. hook_function(function: Win32Hooking.Function) -> None This function hooks the function send as argument. hooks_DLLs() -> Dict[str, Win32Hooking.Function] This function hooks the module (imported DLLs):     - EAT (Export Address Table) functions addresses,     - IAT (Import Address Table) functions addresses. hooks_IAT(imports: List[PyPeLoader.ImportFunction], is_target: bool = True) -> Dict[str, PyPeLoader.ImportFunction] This function hooks the IAT (Import Address Table) functions. init_lock() -> bool This function manages concurrency for callbacks. list_exports(module: Win32Hooking.MODULEENTRY32, module_base: int, dos: PyPeLoader.IMAGE_DOS_HEADER, nt_headers: PyPeLoader.IMAGE_NT_HEADERS, optional_header: Union[PyPeLoader.IMAGE_OPTIONAL_HEADER64, PyPeLoader.IMAGE_OPTIONAL_HEADER32]) -> Iterator[Win32Hooking.Function] This function returns exported functions. list_modules() -> Iterator[Win32Hooking.MODULEENTRY32] This generator yields the base address for each module. load(file: _io._BufferedIOBase) -> None This function is based on: https://github.com/mauricelambert/PyPeLoader/blob/af116589d379220b7c886fffc146cc7dd7b91732/PyPeLoader.py#L628   This function does all steps to load, hooks functions (EAT and IAT) and execute the PE program in memory. load_headers_from_memory(module: Win32Hooking.MODULEENTRY32) -> Tuple[int, PyPeLoader.IMAGE_DOS_HEADER, PyPeLoader.IMAGE_NT_HEADERS, Union[PyPeLoader.IMAGE_OPTIONAL_HEADER64, PyPeLoader.IMAGE_OPTIONAL_HEADER32]] This function returns all headers and inforamtions about the module (DLL) loaded in memory. main() -> int This function is based on: https://github.com/mauricelambert/PyPeLoader/blob/af116589d379220b7c886fffc146cc7dd7b91732/PyPeLoader.py#L647   This function is the main function to start the script from the command line. reset_lock(acquire: bool) -> None This function releases locker and resets elements for concurrency. rva_to_addr(base: int, rva: int) -> <built-in function POINTER> This function returns a pointer from a RVA. rva_to_struct(base: int, rva: int, struct_type: _ctypes.Structure) -> _ctypes.Structure This function returns the structure instance from RVA. sizeof(...) sizeof(C type) -> integer sizeof(C instance) -> integer Return the size in bytes of a C instance write_in_memory(address: int, data: bytes) -> None This function writes data at specified memory with permissions management.

Data
		Callable = typing.Callable CloseHandle = <_FuncPtr object> CreateToolhelp32Snapshot = <_FuncPtr object> DEBUG = 10 Dict = typing.Dict IMAGE_DIRECTORY_ENTRY_EXPORT = 0 Iterator = typing.Iterator List = typing.List MAX_PATH = 260 MEM_COMMIT = 4096 MEM_FREE = 65536 MEM_RESERVE = 8192 Module32First = <_FuncPtr object> Module32Next = <_FuncPtr object> PAGE_EXECUTE_READ = 32 PAGE_EXECUTE_READWRITE = 64 PAGE_READONLY = 2 PAGE_READWRITE = 4 TH32CS_SNAPMODULE = 8 Tuple = typing.Tuple Union = typing.Union VirtualProtect = <_FuncPtr object> __author_email__ = 'mauricelambert434@gmail.com' __copyright__ = '\nWin32Hooking Copyright (C) 2025 Maurice Lambe...ome to redistribute it\nunder certain conditions.\n' __description__ = '\nThis module hooks IAT and EAT to monitor all ex...very useful for [malware] reverse and debugging.\n' __license__ = 'GPL-3.0 License' __maintainer__ = 'Maurice Lambert' __maintainer_email__ = 'mauricelambert434@gmail.com' __url__ = 'https://github.com/mauricelambert/Win32Hooking' argv = [r'C:\Program Files\Python310\lib\pydoc.py', '-w', r'Win32Hooking.py'] callback_logger = <Logger callback (DEBUG)> copyright = '\nWin32Hooking Copyright (C) 2025 Maurice Lambe...ome to redistribute it\nunder certain conditions.\n' executable = r'C:\Program Files\Python310\python.exe' kernel32 = <WinDLL 'kernel32', handle 7ffbb6580000> license = 'GPL-3.0 License' logger = <Logger Win32Hooking (DEBUG)> memmove = <CFunctionType object> stderr = <_io.TextIOWrapper name='<stderr>' mode='w' encoding='utf-8'> windll = <ctypes.LibraryLoader object>

Author
		Maurice Lambert