Much of the functionality of CAPE is contained within the monitor; the CAPE debugger, extracted payloads, process dumps and import reconstruction are implemented within capemon. CAPE's loader is also part of this project.
capemon is derived from cuckoomon-modified from spender-sandbox (https://github.com/spender-sandbox/cuckoomon-modified) from which it inherits the API hooking engine. It also includes a PE dumping engine and import reconstruction derived from Scylla (https://github.com/NtQuery/Scylla), WOW64Ext Library from ReWolf (http://blog.rewolf.pl/) and W64oWoW64 from George Nicolaou.
At the time of writing, capemon is compiled using Microsoft Visual Studio 2017.
Upon compilation, copy the capemon binaries (capemon.dll or capemon_x64.dll) into your CAPEv2 directory so the modified libraries are used during analysis. The specific path is CAPEv2/analyzer/windows/dll/. If required, the loader binaries (loader.exe or loader_x64.exe) should be copied to CAPEv2/analyzer/windows/bin/.
If you want to add more hooks to capemon or change the existing ones, you can take a look at past commits that did just that. You can find them by searching for commits containing "hook for" in their description (or any other keyword combination). For instance, you can take a look at the commit that added the hook for GetCommandLineA.
There are three main files that define the hooks implemented in capemon:

- hooks.h: declares each hook with HOOKDEF(...) using Windows SAL notation. That is, HOOKDEF(ReturnValue, CallingConvention, ApiName, _ParameterAnnotation_ ParameterName).
- The file holding the hook_t arrays, for example hook_t full_hooks[], hook_t min_hooks[] or hook_t office_hooks[], among others. Add the hooks you want capemon to perform to the corresponding array. By default, full_hooks is the array that is executed (so you probably want to add your hooks there). Entries must follow the naming pattern HOOK(dllname, ApiName).
- The files implementing the hooks: here you define the functions you declared in the hooks.h file and write their code. Remember you can call the original function with Old_{ApiName}.
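The three-part pattern above (declaration, table entry, implementation that delegates to Old_{ApiName}) carried through for the GetCommandLineA hook mentioned earlier, as an added example that is not capemon's own code: the HOOKDEF and HOOK macros, the hook_t layout, the log buffer and the stand-in "original" function are simplified constructions so the sketch compiles and runs on any platform; capemon's real definitions differ.

```c
/* Added example, not capemon's code: a portable sketch of the hook pattern the
 * README describes. HOOKDEF/HOOK, hook_t, the log buffer and the stand-in
 * "original" GetCommandLineA are constructed here for illustration only. */
#include <stdio.h>
#include <string.h>

/* 1. Declaration (hooks.h): declares the replacement New_<Api> and a function
 *    pointer Old_<Api> that will receive the original entry point. */
#define HOOKDEF(ret, conv, api, ...)            \
    ret (conv *Old_##api)(__VA_ARGS__);         \
    ret conv New_##api(__VA_ARGS__)

/* 2. Table entry (the hook_t arrays): which export of which DLL to redirect. */
typedef struct {
    const char *library;
    const char *funcname;
    void *new_func;
    void **old_func;
} hook_t;
#define HOOK(lib, api) { #lib ".dll", #api, (void *)&New_##api, (void **)&Old_##api }

/* Constructed stand-in for the real kernel32 export so the sketch runs anywhere. */
static const char *real_GetCommandLineA(void) { return "C:\\sample.exe --run"; }

/* Constructed monitor log: the last hooked call, as a monitor would report it. */
static char last_log[128];
const char *hook_last_log(void) { return last_log; }

/* 3. Implementation (the hook source files): record the call, then hand control
 *    to the original via Old_<Api> so the sample observes unchanged behaviour. */
HOOKDEF(const char *, , GetCommandLineA, void)
{
    const char *ret = Old_GetCommandLineA();
    snprintf(last_log, sizeof last_log, "GetCommandLineA -> \"%s\"", ret);
    return ret;
}

hook_t full_hooks[] = {
    HOOK(kernel32, GetCommandLineA),
};

/* Constructed "install" step: the real engine patches the export in memory;
 * here the stand-in simply becomes the saved original for the table entry. */
void install_hooks(void) {
    *full_hooks[0].old_func = (void *)real_GetCommandLineA;
}
```

After install_hooks(), calling New_GetCommandLineA() returns exactly what the original returns while hook_last_log() holds the recorded call.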