I. Description HookShark is a detector of installed hooks and patches installed on the system (only usermode for now). It scans through the code-section of every loaded module of each running process and compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user. The detailed report about the type of patch is not 100% reliable and can be wrong. HookShark makes many assumptions and guesses during analysis and report, because of the nature of assembly. In some cases we can't theoretically determine with 100% accuracy whether a block of bytes is data or code. We also can not determine where the next instruction begins, if we are in the middle of a patched block of bytes. An almost safe presumption can only be achieved through full-blown x86 emulation tracing from the entry-point of the binary. But even then not all execution paths are necessarily covered. Yes, even IDA has problems with this in extreme cases. II. Implented / planned features Currently implented: - Inline patches / Hooks (NOP, Exceptionhandler, relative Jumps, Custom patches) - Other custom patches [...] - IAT and EAT Hooks - Relocation Hooks - Hardware Breakpoints Planned: - PAGE_GUARD Hooks - PEB LdrList Hooks - TrapFlag Usage "Hooks" III. Participate in Beta It is an open BETA now. Download the too here [1]
[1] HookShark.rar IV. Devblog 08-14-2008 Just finished detection of Hardware Breakpoints. Seems to work well. Funnily enough two threads inside winlogon.exe have enabled 4 Hardware Breakpoints on invalid memory (WinXP SP2). I have no idea why though. Unhooking still only works on:
