HookShark BETA 0.8 by DeepBlueSea

HookShark is a detector of hooks and patches installed on the system (usermode only for now). It scans the code section of every loaded module of each running process and compares it with the file image. If it detects discrepancies, it tries to determine the type of hook or patch and reports it to the user.
Currently implemented hook detection:
- Inline patches / hooks (NOP, exception handler, relative jumps, custom patches)
- Other custom patches [...]
- IAT and EAT hooks
- Relocation hooks
- Hardware breakpoints
FAQ
Why is IAT-Scanning / Hook-Scanning so slow? There are faster tools.
=====================================================================
That's because other tools suck. They just walk the IAT entries and look for addresses that are out of the module bounds. That's bollocks. The callback function of the hook, or a redirection (JMP), could be planted well within the module bounds, and there you have a stealth IAT hook, which HookShark recognizes as "IAT - Local".
And HookShark scans EVERY IAT of EVERY module, unlike some other tools, which just examine the main process module.
And HookShark does not only check for hooks in exported/known functions. No, the disk and memory images are compared byte by byte, and even one-byte patches are revealed. This applies only to read-only code sections, though.
What the hell is all that crap? So many patches WTF?
======================================================
HookShark looks for differences between the disk image and the scanned memory. There might be cases where you are just looking at a packed module. To counter these false positives, there is an option to filter out patches bigger than n bytes (look in the GlobalOptions tab).
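As an added example, not HookShark's own code: the two comparisons the FAQ describes, the byte-by-byte diff of a code section against its file image (with the n-byte filter for packed modules) and an IAT check that flags "IAT - Local" entries, written in Python over constructed byte strings and address tables so it runs offline. The function names, the patch classifier and the exact rule used for "IAT - Local" (a stored pointer that lies inside the exporting module's bounds but still differs from the genuine export address) are my assumptions about the tool's behaviour; a real scanner would read the live section with ReadProcessMemory and the file image from disk.

```python
"""
Added example, not HookShark's source. Both images below are constructed
byte strings; the helper names and the "IAT - Local" rule are assumptions.
"""
import struct
from dataclasses import dataclass


@dataclass
class Patch:
    rva: int            # offset of the first differing byte from the section start
    disk: bytes         # bytes from the file image
    mem: bytes          # bytes found in process memory
    kind: str = ""      # filled in by classify_patch


def diff_code_section(disk: bytes, mem: bytes) -> list:
    """Byte-by-byte comparison of a read-only code section. Returns every
    contiguous run of differing bytes, so one-byte patches are reported too."""
    if len(disk) != len(mem):
        raise ValueError("section images must have the same length")
    patches, start = [], None
    for i, (d, m) in enumerate(zip(disk, mem)):
        if d != m and start is None:
            start = i
        elif d == m and start is not None:
            patches.append(Patch(start, disk[start:i], mem[start:i]))
            start = None
    if start is not None:
        patches.append(Patch(start, disk[start:], mem[start:]))
    return patches


def classify_patch(p: Patch, section_base: int) -> Patch:
    """Heuristic kind detection, analogous to the categories HookShark reports."""
    b = p.mem
    if all(x == 0x90 for x in b):
        p.kind = "NOP"
    elif all(x == 0xCC for x in b):
        p.kind = "INT3"                                   # software breakpoint
    elif len(b) == 5 and b[0] == 0xE9:                    # JMP rel32
        target = section_base + p.rva + 5 + struct.unpack("<i", b[1:5])[0]
        p.kind = f"JMP -> {target:#x}"
    else:
        p.kind = "Custom"
    return p


def filter_patches(patches: list, max_bytes: int) -> list:
    """The GlobalOptions filter: drop patches larger than max_bytes, which on a
    packed module are mostly the unpacker rewriting its own section."""
    return [p for p in patches if len(p.mem) <= max_bytes]


def check_iat(iat: dict, exports: dict, modules: dict) -> dict:
    """iat: import name -> pointer currently stored in the IAT;
    exports: import name -> (owning module, genuine export address);
    modules: module name -> (base, end).
    Every entry is checked against the genuine address, not just module bounds."""
    verdicts = {}
    for name, stored in iat.items():
        module, genuine = exports[name]
        lo, hi = modules[module]
        if stored == genuine:
            verdicts[name] = "OK"
        elif lo <= stored < hi:
            verdicts[name] = "IAT - Local"    # passes a bounds-only check, still hooked
        else:
            verdicts[name] = "IAT - External"
    return verdicts


def demo() -> dict:
    base = 0x7FF60000                                  # constructed module base
    disk = bytes.fromhex("8BFF558BEC83EC10") * 4       # constructed 32-byte .text
    jmp = b"\xE9" + struct.pack("<i", 0x1000 - 5)      # JMP rel32 to base + 0x1000
    # In memory: JMP at offset 0, one NOPed byte at 12, 16 rewritten bytes at 16.
    mem = jmp + disk[5:12] + b"\x90" + disk[13:16] + bytes(16)
    patches = [classify_patch(p, base) for p in diff_code_section(disk, mem)]
    # Constructed address tables: one genuine import, one hooked into another
    # module, one redirected inside the exporting module itself.
    modules = {"kernel32.dll": (0x7FFA0000, 0x7FFB0000),
               "hooklib.dll": (0x10000000, 0x10010000)}
    exports = {"CreateFileW": ("kernel32.dll", 0x7FFA1234),
               "ReadFile": ("kernel32.dll", 0x7FFA2222),
               "WriteFile": ("kernel32.dll", 0x7FFA3333)}
    iat = {"CreateFileW": 0x7FFA1234, "ReadFile": 0x10001000, "WriteFile": 0x7FFA9999}
    return {
        "kinds": [p.kind for p in patches],
        "filtered": [p.kind for p in filter_patches(patches, 8)],
        "iat": check_iat(iat, exports, modules),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The diff walks the whole section rather than only exported entry points, which is what lets it catch the single NOPed byte; the 8-byte filter then discards the 16-byte rewrite, the kind of large difference a packer produces. In the IAT table, WriteFile still points inside kernel32.dll and so would pass a bounds-only check, yet it is not the genuine export address.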
Sometimes after I scan a process and want to scan another one, it crashes.
=================================================================================
Yeah, I hate when that happens. I have no idea why. If I get my lazy ass on the debugger I'll try to check it out. Until then, just restart HookShark.
The mnemonics of patched instructions are wrongly displayed.
============================================================
That's because HookShark just can't do a thorough analysis like IDA does for every module in this short time span. The alignment of instructions is guessed and heuristically computed.
http://rapidshare.com/files/410470468/HookShark.rar.html

The boss's stuff is always good!

This is indeed nice, I'll bump it first!

What is this used for?

Oh my god, it's all in English.