HookShark - User-mode detector of installed hooks and patches
By: DeepBlueSea
HookShark detects hooks and patches installed on the system (user mode only for now). It scans the code section of every loaded module in each running process and compares it with the module's file image on disk. Where it finds discrepancies it tries to determine the type of hook or patch and reports it to the user.

The detailed report about the type of patch is not 100% reliable and can be wrong. HookShark makes many assumptions and guesses during analysis and reporting because of the nature of x86 assembly: in some cases it is theoretically impossible to tell with certainty whether a block of bytes is data or code, and when the scan lands in the middle of a patched block of bytes it cannot determine where the next instruction begins. A nearly safe result could only be obtained through full-blown x86 emulation, tracing from the entry point of the binary, and even then not every execution path is necessarily covered. Even IDA has problems with this in extreme cases.
Implemented / planned features:
  Currently implemented:
  - Inline patches / hooks (NOP, exception handler, relative jumps, custom patches)
  - Other custom patches [...]
  - IAT and EAT hooks
  - Relocation hooks
  - Hardware breakpoints
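To make the scan described above concrete, here is an added example of the core comparison step (it is not HookShark's own code). It compares a constructed code section as it sits in the file image with the same section as read from a process, skips bytes covered by a base-relocation fixup (which the loader legitimately rewrites when the module is not loaded at its preferred base, so they are not hooks), and then classifies each differing run as a NOP patch, an INT3 (exception-handler style) hook, a relative jmp/call hook, or a custom patch. The byte strings, the section address 0x10001000 and the relocation offset are all constructed for the example.

```python
"""Added example (not HookShark's code): compare a module's code section as
loaded in memory with the same section from the file on disk, then classify
each differing run of bytes.  All byte strings below are constructed."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed 26-byte "code section" as it appears in the file image.
# Preferred image base 0x00400000; the mov at +9 has an absolute operand,
# so a base relocation (HIGHLOW fixup) covers offsets 10..13.
FILE_IMAGE = bytes.fromhex(
    "558BEC83EC10"   # push ebp; mov ebp,esp; sub esp,0x10
    "8B4508"         # mov eax,[ebp+8]
    "A100104000"     # mov eax,[0x00401000]   (operand relocated by the loader)
    "85C0"           # test eax,eax
    "7404"           # jz +4
    "33C0"           # xor eax,eax
    "C9C3"           # leave; ret
    "CCCCCCCC"       # padding
)
# Same section read from the process, whose module was loaded at 0x10000000:
# the loader rebased the operand, and three patches were applied afterwards.
MEM_IMAGE = bytes.fromhex(
    "E9FB0F0000"     # jmp 0x10002000 (5-byte inline hook over the prologue)
    "10"             # leftover byte of the original sub esp,0x10
    "8B4508"
    "A100100010"     # operand now 0x10001000: legitimate relocation, not a patch
    "85C0"
    "9090"           # jz NOPed out
    "33C0"
    "CCC3"           # leave replaced by int3 (exception-handler style hook)
    "CCCCCCCC"
)
SECTION_VA = 0x10001000          # virtual address of the section in memory (assumed)
RELOCS = frozenset({10})         # offsets of 4-byte HIGHLOW fixups in this section (assumed)


@dataclass
class Finding:
    offset: int              # start of the differing run, relative to the section
    length: int              # number of bytes that differ
    kind: str                # guessed patch type (heuristic, see classify)
    target: Optional[int]    # branch destination for jmp/call hooks


def diff_regions(file_bytes: bytes, mem_bytes: bytes,
                 reloc_offsets: FrozenSet[int] = frozenset()) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where memory differs from the file image.
    Bytes inside a relocation fixup are ignored: the loader rewrites them when
    the module is not loaded at its preferred base, which is not a hook."""
    if len(file_bytes) != len(mem_bytes):
        raise ValueError("section sizes differ")
    ignored = {r + i for r in reloc_offsets for i in range(4)}
    regions, start = [], None
    for i, (a, b) in enumerate(zip(file_bytes, mem_bytes)):
        differs = a != b and i not in ignored
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, len(file_bytes) - start))
    return regions


def classify(mem_bytes: bytes, offset: int, length: int, section_va: int) -> Finding:
    """Guess what was written, from the first byte(s) of the patched run.
    Only the first instruction is decoded, and its operand is read from memory
    beyond the differing run, since a patch may share trailing bytes with the
    original.  If the run starts mid-instruction this guess can be wrong."""
    patch = mem_bytes[offset:offset + length]
    avail = len(mem_bytes) - offset

    def rel_target(opsize: int, width: int) -> int:
        rel = int.from_bytes(mem_bytes[offset + 1:offset + 1 + width], "little", signed=True)
        return section_va + offset + opsize + rel

    if all(b == 0x90 for b in patch):
        return Finding(offset, length, "NOP", None)
    first = patch[0]
    if first == 0xCC:
        return Finding(offset, length, "INT3", None)
    if first == 0xE9 and avail >= 5:
        return Finding(offset, length, "JMP rel32", rel_target(5, 4))
    if first == 0xE8 and avail >= 5:
        return Finding(offset, length, "CALL rel32", rel_target(5, 4))
    if first == 0xEB and avail >= 2:
        return Finding(offset, length, "JMP rel8", rel_target(2, 1))
    return Finding(offset, length, "custom", None)


def scan(file_bytes: bytes, mem_bytes: bytes, section_va: int,
         reloc_offsets: FrozenSet[int] = frozenset()) -> List[Finding]:
    """Diff the two copies of the section and classify every differing run."""
    return [classify(mem_bytes, off, ln, section_va)
            for off, ln in diff_regions(file_bytes, mem_bytes, reloc_offsets)]


if __name__ == "__main__":
    for f in scan(FILE_IMAGE, MEM_IMAGE, SECTION_VA, RELOCS):
        tgt = f"-> 0x{f.target:08X}" if f.target is not None else ""
        print(f"+0x{f.offset:04X} {f.length:2d} byte(s) {f.kind} {tgt}")
    # Without relocation data the rebased operand is reported as a bogus patch.
    print("false positives without reloc info:",
          len(scan(FILE_IMAGE, MEM_IMAGE, SECTION_VA)) - len(scan(FILE_IMAGE, MEM_IMAGE, SECTION_VA, RELOCS)))
```

Run with relocation data the scan reports the 5-byte jmp at +0 to 0x10002000, the two NOPed bytes at +16 and the int3 at +20; run without it the rebased operand at +12 shows up as a fourth, "custom" finding, which is exactly the kind of false positive a real scanner has to filter by parsing the module's .reloc section. Hardware breakpoints live in debug registers rather than in the code bytes, so a byte comparison like this cannot see them.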
08-26-2008 Small update on module detection (new option).
08-21-2008 *UPDATE* Version 0.5 is focused almost entirely on module detection.
08-21-2008 *HOTFIX* Fixed a critical issue with modules that have an unusual section alignment. Thanks to blurcode from woodman.
Notice: http://home.arcor.de/neotracer/HookShark.rar always contains the latest build!