Add Windows smoke example and CI coverage

Author: YinMo19

.github/workflows/ci.yml

@@ -371,3 +371,54 @@ jobs:
             -lc
           output="$(LD_PRELOAD="$PWD/hook.so" ./target)"
           test "$output" = "result=77"
+
+  zig-windows-x86_64:
+    runs-on: windows-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup Zig
+        shell: pwsh
+        run: |
+          $archive = "zig-x86_64-windows-$env:ZIG_VERSION.zip"
+          $tmpdir = Join-Path $env:RUNNER_TEMP ("zig-" + [System.Guid]::NewGuid().ToString())
+          New-Item -ItemType Directory -Path $tmpdir | Out-Null
+          $url = "https://ziglang.org/download/$env:ZIG_VERSION/$archive"
+          Invoke-WebRequest -Uri $url -OutFile (Join-Path $tmpdir $archive)
+          Expand-Archive -Path (Join-Path $tmpdir $archive) -DestinationPath $tmpdir
+          $zigDir = Join-Path $tmpdir ("zig-x86_64-windows-" + $env:ZIG_VERSION)
+          $zigDir | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          & (Join-Path $zigDir "zig.exe") version
+
+      - name: Zig fmt
+        shell: bash
+        run: zig fmt --check $(git ls-files '*.zig')
+
+      - name: Zig build
+        shell: bash
+        run: zig build
+
+      - name: Cross compile Windows AArch64 core
+        shell: bash
+        run: zig build -Dtarget=aarch64-windows-gnu
+
+      - name: Resolve Zydis bridge path
+        shell: bash
+        run: echo "ZYDIS_BRIDGE_C=$(./scripts/zydis-package-path.sh bridge-c)" >> "$GITHUB_ENV"
+
+      - name: Example windows_inline_hook_smoke
+        shell: bash
+        working-directory: examples/windows_inline_hook_smoke
+        run: |
+          set -euo pipefail
+          zig cc -O3 -DNDEBUG -o target.exe target.c
+          zig build-lib -dynamic -OReleaseFast -femit-bin=hook.dll \
+            "$ZYDIS_BRIDGE_C" \
+            --dep zighook \
+            -Mroot=hook.zig \
+            -Mzighook=../../src/root.zig \
+            -lc
+          output="$(./target.exe | tr -d '\r')"
+          test "$output" = "result=42"

README.md

@@ -8,8 +8,9 @@ Current scope:
 - iOS
 - Linux
 - Android
+- Windows
 - AArch64 / ARM64
-- x86_64 (macOS / Linux)
+- x86_64 (macOS / Linux / Windows)
 
 Implemented APIs:
 
@@ -29,7 +30,7 @@ Implemented APIs:
 The current backends support:
 
 - trap-based instrumentation via `brk` (AArch64) or `int3` (x86_64)
-- signal-based entry hooks on AArch64 and x86_64
+- signal/exception-based entry hooks on AArch64 and x86_64
 - strict execute-original replay for common AArch64 PC-relative instructions
 - Zydis-backed x86_64 instruction decoding plus trampoline replay
 - public callback access to AArch64 FP/SIMD state (`fpregs.v[i]`, `fpregs.named.v0..v31`, `fpsr`, `fpcr`)
@@ -44,11 +45,13 @@ Implemented AArch64 platform backends:
 - `aarch64-ios`
 - `aarch64-linux`
 - `aarch64-linux-android` at the code/backend level via the Linux-family signal path
+- `aarch64-windows` at the code/backend level via the Windows exception path
 
 Implemented x86_64 platform backends:
 
 - `x86_64-macos`
 - `x86_64-linux`
+- `x86_64-windows`
 
 Verification status:
 
@@ -58,6 +61,11 @@ Verification status:
 - Android AArch64: compiled core/payload objects against a local NDK sysroot
 - Linux x86_64: runtime-tested in CI
 - macOS x86_64: core library and example payload cross-compiled
+- Windows x86_64: core library cross-compiled
+- Windows AArch64: core library cross-compiled
+
+Windows support is currently build-validated but not yet covered by a runtime
+smoke test.
 
 x86_64 replay coverage:
 
@@ -89,6 +97,7 @@ Deployment model by platform:
 - Linux: runtime patching or prepatched trap sites, usually with `LD_PRELOAD` or `patchelf`
 - iOS: recommended prepatched trap sites plus inserted dylib + re-sign
 - Android: Linux-family backend plus sidecar `.so`, typically loaded via patched ELF metadata / app packaging
+- Windows: explicit sidecar DLL load, or an external injector / launcher that loads the hook DLL before patch-point use
 
 Current execute-original replay whitelist for PC-relative AArch64 instructions:
 

examples/README.md

@@ -5,7 +5,7 @@ These examples mirror the intent of the Rust `sighook` demos.
 Current coverage:
 
 - **AArch64 / ARM64:** macOS / iOS / Linux / Android
-- **x86_64:** macOS / Linux with entry hooks and instruction-level replay
+- **x86_64:** macOS / Linux with entry hooks and instruction-level replay, plus Windows runtime smoke
 
 Each example directory is intentionally a standalone mini-project with exactly:
 
@@ -23,6 +23,9 @@ The example payloads now auto-select the constructor section:
 - Mach-O (`macOS`, `iOS`): `__DATA,__mod_init_func`
 - ELF (`Linux`, `Android`): `.init_array`
 
+Windows uses an explicit `LoadLibrary(...)` + exported install function instead
+of a constructor-based preload path.
+
 Common build pattern from inside an example directory:
 
 ```bash
@@ -66,7 +69,8 @@ Available examples:
 - `instrument_no_original`: trap one instruction and replace it, expected output `result=99`
 - `instrument_unhook_restore`: install a trap hook, call `unhook`, and confirm restoration, expected output `hooked=123` then `restored=5`
 - `prepatched_inline_hook`: use `prepatched.inline_hook(...)` on a binary that already contains `brk`, expected output `result=77`
+- `windows_inline_hook_smoke`: explicit Windows DLL load + `inline_hook(...)`, expected output `result=42`
 
 Each example README contains the exact commands and expected output. CI executes
-the documented runtime smokes on both macOS and Linux and compares stdout
+the documented runtime smokes on macOS, Linux, and Windows and compares stdout
 against those values.

examples/windows_inline_hook_smoke/README.md

@@ -0,0 +1,50 @@
+# windows_inline_hook_smoke
+
+This example is the minimal native Windows runtime smoke for `zighook`.
+
+Unlike the Mach-O / ELF examples, Windows does not use `DYLD_INSERT_LIBRARIES`
+or `LD_PRELOAD`. Instead, the target process loads `hook.dll` explicitly with
+`LoadLibraryA`, resolves the exported `zighook_example_install` function, and
+lets that function install `zighook.inline_hook(...)` on the exported
+`target_add` symbol.
+
+The example is intentionally simple so it validates the essential Windows path:
+
+- executable page patching through `VirtualProtect`
+- trap delivery through a vectored exception handler (VEH)
+- `CONTEXT` remapping into `zighook.HookContext`
+- `inline_hook(...)` return-to-caller behavior
+
+## Build
+
+Build the C target in release mode:
+
+```bash
+zig cc -O3 -DNDEBUG -o target.exe target.c
+```
+
+Build the Zig hook DLL in release mode:
+
+```bash
+(cd ../.. && zig build --fetch)
+ZYDIS_BRIDGE_C="$(../../scripts/zydis-package-path.sh bridge-c)"
+
+zig build-lib -dynamic -OReleaseFast -femit-bin=hook.dll \
+  "$ZYDIS_BRIDGE_C" \
+  --dep zighook \
+  -Mroot=hook.zig \
+  -Mzighook=../../src/root.zig \
+  -lc
+```
+
+## Run
+
+```bash
+./target.exe
+```
+
+## Expected Output
+
+```text
+result=42
+```

examples/windows_inline_hook_smoke/hook.zig

@@ -0,0 +1,34 @@
+const builtin = @import("builtin");
+const std = @import("std");
+const zighook = @import("zighook");
+
+const windows = std.os.windows;
+const kernel32 = windows.kernel32;
+
+comptime {
+    if (builtin.os.tag != .windows) {
+        @compileError("windows_inline_hook_smoke only supports Windows targets");
+    }
+    switch (builtin.cpu.arch) {
+        .x86_64, .aarch64 => {},
+        else => @compileError("windows_inline_hook_smoke only supports x86_64 and AArch64"),
+    }
+}
+
+fn setReturnValue(ctx: *zighook.HookContext, value: u64) void {
+    switch (builtin.cpu.arch) {
+        .x86_64 => ctx.regs.named.rax = value,
+        .aarch64 => ctx.regs.named.x0 = value,
+        else => unreachable,
+    }
+}
+
+fn onHit(_: u64, ctx: *zighook.HookContext) callconv(.c) void {
+    setReturnValue(ctx, 42);
+}
+
+pub export fn zighook_example_install() callconv(.c) void {
+    const main_module = kernel32.GetModuleHandleW(null) orelse return;
+    const symbol = kernel32.GetProcAddress(main_module, "target_add") orelse return;
+    _ = zighook.inline_hook(@intFromPtr(symbol), onHit) catch {};
+}

examples/windows_inline_hook_smoke/target.c

@@ -0,0 +1,30 @@
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <stdio.h>
+
+__declspec(dllexport) __declspec(noinline) int target_add(int a, int b) {
+    return a + b;
+}
+
+typedef void (__cdecl *hook_install_fn)(void);
+
+int main(void) {
+    volatile int a = 2;
+    volatile int b = 3;
+
+    HMODULE hook = LoadLibraryA(".\\hook.dll");
+    if (hook == NULL) {
+        fprintf(stderr, "load_hook_failed=%lu\n", (unsigned long)GetLastError());
+        return 1;
+    }
+
+    hook_install_fn install = (hook_install_fn)GetProcAddress(hook, "zighook_example_install");
+    if (install == NULL) {
+        fprintf(stderr, "resolve_install_failed=%lu\n", (unsigned long)GetLastError());
+        return 1;
+    }
+
+    install();
+    printf("result=%d\n", target_add(a, b));
+    return 0;
+}

src/arch/aarch64/context/root.zig

@@ -2,23 +2,25 @@
 //!
 //! Files under `context/` are split by responsibility:
 //! - `types.zig`: stable public register/context layout
-//! - `darwin.zig`: Darwin signal-frame bridge
-//! - `linux.zig`: Linux / Android signal-frame bridge
+//! - `unix/*`: Darwin and Linux-family signal-frame bridges
+//! - `windows.zig`: Windows `CONTEXT` bridge
 //! - `root.zig`: backend selector and public re-exports
 //!
 //! The register layout itself is OS-independent, but the signal-frame bridge is
 //! platform-specific:
 //! - Darwin (`macOS`, `iOS`) remaps from `mcontext.ss + mcontext.ns`
 //! - Linux-family targets (`Linux`, `Android`) remap from `ucontext_t` plus
 //!   AArch64 extension records stored in the reserved signal-frame area
+//! - Windows remaps from the native ARM64 `CONTEXT` record used by VEH / SEH
 
 const builtin = @import("builtin");
 
 const types = @import("types.zig");
 const backend = switch (builtin.os.tag) {
-    .macos, .ios => @import("darwin.zig"),
-    .linux => @import("linux.zig"),
-    else => @compileError("AArch64 signal-context remapping is only implemented for Darwin and Linux-family targets."),
+    .macos, .ios => @import("unix/darwin.zig"),
+    .linux => @import("unix/linux.zig"),
+    .windows => @import("windows.zig"),
+    else => @compileError("AArch64 context remapping is only implemented for Darwin, Linux-family targets, and Windows."),
 };
 
 pub const XRegistersNamed = types.XRegistersNamed;

src/arch/aarch64/context/darwin.zig src/arch/aarch64/context/unix/darwin.zigsrc/arch/aarch64/context/darwin.zig renamed to src/arch/aarch64/context/unix/darwin.zig

@@ -7,7 +7,7 @@
 
 const std = @import("std");
 
-const types = @import("types.zig");
+const types = @import("../types.zig");
 
 /// Darwin thread-state type used by the currently supported backend.
 const DarwinThreadState = @FieldType(std.c.mcontext_t, "ss");

src/arch/aarch64/context/linux.zig src/arch/aarch64/context/unix/linux.zigsrc/arch/aarch64/context/linux.zig renamed to src/arch/aarch64/context/unix/linux.zig

@@ -6,7 +6,7 @@
 
 const std = @import("std");
 
-const types = @import("types.zig");
+const types = @import("../types.zig");
 
 const linux = std.os.linux;
 const LinuxMContext = linux.mcontext_t;

src/arch/aarch64/context/windows.zig

@@ -0,0 +1,74 @@
+//! Windows AArch64 exception-context remapping.
+//!
+//! Windows ARM64 exposes breakpoint state through the native `CONTEXT` record.
+//! This module copies that record into zighook's stable callback-facing
+//! `HookContext` layout and writes callback edits back into the Windows record
+//! before execution resumes.
+
+const std = @import("std");
+
+const types = @import("types.zig");
+
+const windows = std.os.windows;
+
+fn readU128(bytes: []const u8) u128 {
+    return std.mem.readInt(u128, bytes[0..16], .little);
+}
+
+fn writeU128(bytes: []u8, value: u128) void {
+    std.mem.writeInt(u128, bytes[0..16], value, .little);
+}
+
+fn captureFromContext(context: *const windows.CONTEXT) types.HookContext {
+    var ctx = std.mem.zeroes(types.HookContext);
+
+    for (context.DUMMYUNIONNAME.X, 0..) |reg, index| {
+        ctx.regs.x[index] = reg;
+    }
+    ctx.sp = context.Sp;
+    ctx.pc = context.Pc;
+    ctx.cpsr = context.Cpsr;
+    ctx.pad = 0;
+
+    for (context.V, 0..) |vreg, index| {
+        ctx.fpregs.v[index] = readU128(std.mem.asBytes(&vreg));
+    }
+    ctx.fpsr = context.Fpsr;
+    ctx.fpcr = context.Fpcr;
+
+    return ctx;
+}
+
+fn writeBackToContext(context: *windows.CONTEXT, ctx: *const types.HookContext) void {
+    for (ctx.regs.x, 0..) |reg, index| {
+        context.DUMMYUNIONNAME.X[index] = reg;
+    }
+    context.Sp = ctx.sp;
+    context.Pc = ctx.pc;
+    context.Cpsr = ctx.cpsr;
+
+    for (ctx.fpregs.v, 0..) |vreg, index| {
+        writeU128(std.mem.asBytes(&context.V[index]), vreg);
+    }
+    context.Fpsr = ctx.fpsr;
+    context.Fpcr = ctx.fpcr;
+}
+
+pub fn captureMachineContext(context_opaque: ?*anyopaque) ?types.HookContext {
+    if (context_opaque == null) return null;
+
+    const context: *align(1) const windows.CONTEXT = @ptrCast(context_opaque.?);
+    return captureFromContext(@alignCast(context));
+}
+
+pub fn writeBackMachineContext(context_opaque: ?*anyopaque, ctx: *const types.HookContext) bool {
+    if (context_opaque == null) return false;
+
+    const context: *align(1) windows.CONTEXT = @ptrCast(context_opaque.?);
+    writeBackToContext(@alignCast(context), ctx);
+    return true;
+}
+
+comptime {
+    std.debug.assert(@sizeOf(windows.NEON128) == 16);
+}