From Collaborative RCE Tool Library
HookShark
| Tool name: | HookShark |
|
||
|---|---|---|---|---|
| Author: | DeepBlueSea | |||
| Website: | http://home.arcor.de/neotracer/hookshark.html | |||
| Current version: | ||||
| Last updated: | September 22, 2008 | |||
| Direct D/L link: | http://home.arcor.de/neotracer/HookShark.rar | |||
| License type: | Free | |||
| Description: | HookShark is a detector of installed hooks and patches installed on the system (only usermode for now). It scans through the code-section of every loaded module of each running process and compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user. The detailed report about the type of patch is not 100% reliable and can be wrong. HookShark makes many assumptions and guesses during analysis and report, because of the nature of assembly. In some cases we can't theoretically determine with 100% accuracy whether a block of bytes is data or code. We also can not determine where the next instruction begins, if we are in the middle of a patched block of bytes. An almost safe presumption can only be achieved through full-blown x86 emulation tracing from the entry-point of the binary. But even then not all execution paths are necessarily covered. Yes, even IDA has problems with this in extreme cases. Currently implemented hook detection: * - Inline patches / Hooks (NOP, Exceptionhandler, relative Jumps, Custom patches) * - Other custom patches [...] * - IAT and EAT Hooks * - Relocation Hooks * - Hardware Breakpoints Planned hook detection: * - PAGE_GUARD Hooks * - PEB LdrList Hooks * - TrapFlag Usage "Hooks" |
|||
| Related URLs: | No related URLs have been submitted for this tool yet | |||
| Screenshot: |
|---|
 |
Feed containing all updates for this tool.
(please also edit it if you think it fits well in some additional category, since this can also be controlled)
You are welcome to add your own useful notes about this tool, for others to see!