I. Description
HookShark is a detector of installed hooks and patches installed on the system (only usermode for
now). It scans through the code-section of every loaded module of each running process and
compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or
patch and reports it to the user. The detailed report about the type of patch is not 100% reliable and
can be wrong. HookShark makes many assumptions and guesses during analysis and report,
because of the nature of assembly. In some cases we can't theoretically determine with 100%
accuracy whether a block of bytes is data or code. We also can not determine where the next
instruction begins, if we are in the middle of a patched block of bytes. An almost safe presumption
can only be achieved through full-blown x86 emulation tracing from the entry-point of the binary. But
even then not all execution paths are necessarily covered. Yes, even IDA has problems with this in
extreme cases.
II. Implented / planned features
Currently implented:
- Inline patches / Hooks (NOP, Exceptionhandler, relative Jumps, Custom patches)
- Other custom patches [...]
- IAT and EAT Hooks
- Relocation Hooks
- Hardware Breakpoints
Planned:
- PAGE_GUARD Hooks
- PEB LdrList Hooks
- TrapFlag Usage "Hooks"
III. Participate in Beta
It is an open BETA now. Download the too here [1]
[1] HookShark.rar
IV. Devblog
08-14-2008
Just finished detection of Hardware Breakpoints. Seems to work well. Funnily enough two threads
inside winlogon.exe have enabled 4 Hardware Breakpoints on invalid memory (WinXP SP2). I have
no idea why though. Unhooking still only works on: