shadow-rs/doc/callback.md
joaoviictorti f132d0c0c6 new: add docs
2025-10-10 11:10:04 -03:00


Description: This command provides operations for managing various system callbacks.

shadow.exe callback [OPTIONS] --callback <CALLBACK>

Options:

  • -l, --list: Enumerate existing callbacks.
  • -e, --enumerate: Enumerate removed callbacks.
  • --remove: Remove a specific callback.
  • --restore: Restore a specific callback.
  • -c, --callback: Specify the type of callback for operations.

Callback Types:

  • process: Callback for process creation notifications (PsSetCreateProcessNotifyRoutine).
  • thread: Callback for thread creation notifications (PsSetCreateThreadNotifyRoutine).
  • load-image: Callback for image loading notifications (PsSetLoadImageNotifyRoutine).
  • registry: Callback for registry change notifications (CmRegisterCallbackEx).
  • ob-process: Object callback registered for the process object type (PsProcessType).
  • ob-thread: Object callback registered for the thread object type (PsThreadType).

Example Usage:

  1. List Existing Callbacks:

     shadow.exe callback -l

     This command enumerates all currently active callbacks.

  2. Enumerate Removed Callbacks:

     shadow.exe callback -e

     This command lists callbacks that have been previously removed.

  3. Remove a Callback:

     shadow.exe callback --remove 1234 --callback process

     This command removes a process creation callback identified by 1234.

  4. Restore a Callback:

     shadow.exe callback --restore 1234 --callback load-image

     This command restores a previously removed image loading callback identified by 1234.
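
For detection engineering, the syntax documented above can be matched in process-creation command-line logs. The following is an added example, not part of shadow-rs: the names `classify` and `scan`, the severity labels, the `--opt=value` form, and the sample command lines are assumptions constructed for illustration.

```python
import shlex

# Callback types and the kernel interface each maps to, as listed in this document.
CALLBACK_TYPES = {
    "process": "PsSetCreateProcessNotifyRoutine", "thread": "PsSetCreateThreadNotifyRoutine",
    "load-image": "PsSetLoadImageNotifyRoutine", "registry": "CmRegisterCallbackEx",
    "ob-process": "PsProcessType", "ob-thread": "PsThreadType",
}
SEVERITY = {"remove": "high", "restore": "medium", "list": "low", "enumerate": "low"}  # assumed labels

def classify(command_line):
    """Return a finding for a command line using the `callback` syntax, else None."""
    try:
        argv = [a.strip('"') for a in shlex.split(command_line, posix=False)]
    except ValueError:  # unbalanced quotes in the logged command line
        return None
    # Match on argument shape, not image name, so a renamed binary still matches.
    if argv[1:2] != ["callback"]:
        return None
    op = target = cb = None
    args = iter(argv[2:])
    for arg in args:
        name, _, value = arg.partition("=")  # assumption: --opt=value may also occur
        if name in ("--remove", "--restore", "-c", "--callback") and not value:
            value = next(args, None)
        if name in ("-l", "--list"):
            op = "list"
        elif name in ("-e", "--enumerate"):
            op = "enumerate"
        elif name in ("--remove", "--restore"):
            op, target = name[2:], value
        elif name in ("-c", "--callback"):
            cb = value
    # Reject unknown types; remove/restore must also name a documented type.
    if op is None or (cb not in CALLBACK_TYPES and (cb or op in ("remove", "restore"))):
        return None
    return {"operation": op, "target": target, "callback": cb,
            "interface": CALLBACK_TYPES.get(cb), "severity": SEVERITY[op]}

# Constructed sample command lines, as a process-creation log would record them.
SAMPLE_EVENTS = [
    r'C:\Users\Public\shadow.exe callback --remove 1234 --callback process',
    r'"C:\Temp\svc host.exe" callback --restore 1234 -c load-image',
    r'shadow.exe callback -l',
    r'git.exe callback --remove 1 --callback unknown-type',
]

def scan(events):
    return [(e, f) for e in events if (f := classify(e)) is not None]
```

Command-line matching only covers invocations through this client; it should be paired with monitoring that does not depend on the callbacks being removed.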