This is a collection of hooks that can be used with the PowerShell module PSDetour. They are sorted by dll and are designed for auditing the calls at runtime.
The functions are designed to work with the Trace-PSDetourProcess cmdlet.
# The keys correspond to the filenames in this repository which in turn are the
# dlls that contain the functions defined in them. The value is a list of
# methods hook in those names. It supports matching through simple pattern
# matching using the -like operator.
$desiredHooks = @{
Kernel32 = 'OpenProcess', 'GetProcessId'
Secur32 = '*Message'
BCrypt = 'BCrypt*'
}
. ./Trace-Process $desiredHooks -OutputFormat Yaml -Id 1234Make sure the following modules have been installed.
Install-Module -Name PSDetour, Yayaml -Force -Scope AllUsersnote: using AllUsers is needed for the hooked processes to see the modules.
See Windows API Sets to find out if an API should be loaded through the DLL name or the API set name.