From Collaborative RCE Tool Library
Usermode Hook Detection Tools
| Tool name: | HookShark |
|---|---|
| Author: | DeepBlueSea |
| Website: | http://home.arcor.de/neotracer/hookshark.html |
| Current version: | |
| Last updated: | September 22, 2008 |
| Direct D/L link: | http://home.arcor.de/neotracer/HookShark.rar |
| License type: | Free |
| Description: | HookShark is a detector of hooks and patches installed on the system (usermode only for now). It scans the code section of every loaded module in each running process and compares it with the on-disk file image. If it detects discrepancies, it tries to determine the type of hook or patch and reports it to the user. The detailed report about the type of patch is not 100% reliable and can be wrong: HookShark makes many assumptions and guesses during analysis and reporting, because of the nature of x86 assembly. In some cases it is theoretically impossible to determine with 100% accuracy whether a block of bytes is data or code, and when in the middle of a patched block of bytes it is not possible to know where the next instruction begins. A near-certain determination can only be achieved through full-blown x86 emulation, tracing from the entry point of the binary, and even then not all execution paths are necessarily covered; even IDA has problems with this in extreme cases. Currently implemented hook detection: inline patches / hooks (NOP, exception handler, relative jumps, custom patches); other custom patches [...]; IAT and EAT hooks; relocation hooks; hardware breakpoints. Planned hook detection: PAGE_GUARD hooks; PEB LdrList hooks; TrapFlag usage "hooks". |
| Also listed in: | (Not listed in any other category) |