Win32kHooker
.data ptr swapper for newer win32k versions. (Supports Windows 11)
README: GetRektBoy724/Win32kHooker
Win32kHooker is a Windows Kernel Driver that demonstrates how to locate and hook functions within win32k.sys.
Because win32k.sys is a session-space driver, it is not mapped into the system address space of every process. This driver overcomes this limitation by locating a GUI-capable process (e.g., winlogon.exe) and attaching to its address space to safely modify win32k memory.
Mechanism
- Process Identification: Scans active processes to find winlogon.exe, which guarantees win32k.sys mapping.
- Context Attachment: Uses KeStackAttachProcess to switch the thread context to the target process.
- Address Resolution:
  - Resolves the W32GetSessionState export.
  - Locates NtGdiBitBlt by verifying syscall numbers in win32u.dll and the shadow SSDT.
- Hook Implementation: Utilizes the Hde64 disassembler to locate internal dispatch pointers within the target function and performs a pointer swap.
Technical Distinction
This project addresses architectural changes in modern Windows versions compared to older win32k implementations.
- Legacy vs. Modern Storage: Older versions of win32k.sys typically stored function pointers in global variables within the .data section. Newer versions, however, have moved these pointers into opaque session state structures.
- Dynamic Resolution: Consequently, simple global pattern scans are no longer sufficient. This driver resolves the hook target relative to W32GetSessionState. It uses runtime disassembly to parse the NtGdiBitBlt instruction stream, dynamically extracting the exact offsets needed to traverse these opaque structures and locate the function pointer.
Build Requirements
- Visual Studio 2019 or later
- Windows Driver Kit (WDK)
Usage
- Enable test signing on the target machine:
    bcdedit /set testsigning on
- Build the solution in Release/x64 configuration.
- Install and start the driver using the Service Control Manager:
    sc create Win32kHooker type= kernel binPath= "C:\path\to\Win32kHooker.sys"
    sc start Win32kHooker
- View hook output using a kernel debugger or DebugView.
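The install steps above leave two traces a defender can correlate: a bcdedit command line that turns test signing on, and a kernel-type service registered from outside the usual driver directories. The triage sketch below is an added example, not part of the Win32kHooker project. It assumes events are already parsed into dicts. The Host key, the sample records and the driver-directory heuristic are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records; keys simplified from Windows events 4688 and 7045.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "WS-01", "CommandLine": "bcdedit  /set testsigning on"},
    {"EventID": 7045, "Host": "WS-01", "ServiceName": "Win32kHooker",
     "ImagePath": r"C:\path\to\Win32kHooker.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "Host": "WS-02", "ServiceName": "ExampleAgent",
     "ImagePath": r"C:\Program Files\Example\agent.exe", "ServiceType": "user mode service"},
    {"EventID": 4688, "Host": "WS-03", "CommandLine": "bcdedit /enum"},
    {"EventID": 4688, "Host": "WS-04",
     "CommandLine": r'sc.exe create drv type= kernel binPath= "C:\Users\Public\drv.sys"'},
    {"EventID": 7045, "Host": "WS-05", "ServiceName": "ExampleDrv",
     "ImagePath": r"\SystemRoot\System32\drivers\exampledrv.sys", "ServiceType": "kernel mode driver"},
]

TESTSIGN_RE = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*[/-]set\b.*\btestsigning\s+(?:on|yes|true|1)\b", re.I)
SC_KERNEL_RE = re.compile(r"\bsc(?:\.exe)?\s+create\b.*\btype=\s*kernel\b", re.I)
# Heuristic (assumption): drivers loaded from outside these directories are unusual.
DRIVER_DIRS = ("\\system32\\drivers\\", "\\system32\\driverstore\\")

def classify(event):
    """Return a finding label for one event, or None if it is not of interest."""
    if event["EventID"] == 4688:
        cmd = event.get("CommandLine", "")
        if TESTSIGN_RE.search(cmd):
            return "testsigning-enabled"
        if SC_KERNEL_RE.search(cmd):
            return "kernel-service-created"
    elif event["EventID"] == 7045 and "kernel" in event.get("ServiceType", "").lower():
        if not any(d in event.get("ImagePath", "").lower() for d in DRIVER_DIRS):
            return "kernel-service-created"
    return None

def triage(events):
    """Group findings per host; test signing plus a kernel service rates 'high'."""
    findings = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            findings[ev["Host"]].add(label)
    return {host: ("high" if len(labels) == 2 else "medium", sorted(labels))
            for host, labels in findings.items()}

if __name__ == "__main__":
    for host, (severity, labels) in triage(SAMPLE_EVENTS).items():
        print(host, severity, ", ".join(labels))
```

Event 4688 only carries a command line when command-line process auditing is enabled, so the 7045 service-install record is the more dependable of the two signals.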
