dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Tue Aug 19, 2008 1:54 pm Post subject: Hook scanner?

Is there a scanner to see what functions are hooked in kernel mode and which drivers were used?

DoomsDay Grandmaster Cheater
Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Tue Aug 19, 2008 2:18 pm Post subject:

rku
google it ^^

rapion124 Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Mar 2007 Posts: 1095
Posted: Tue Aug 19, 2008 7:58 pm Post subject:

Yes, you can make your own... Scan ntoskrnl.exe for jumps or calls (0xE9 or 0xE8). Determine the addresses of the calls and check if they are outside ntoskrnl.exe's address space (ModuleBase+ModuleSize). If they are, flag the address as a hook and attempt to resolve the function name. You could turn up false positives because sometimes 0xE9/0xE8 might not be an instruction, such as when the bytes are part of an address or a string.

dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Wed Aug 20, 2008 9:35 am Post subject:

I didn't find that process in my process manager O.o

Zand Master Cheater
Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Wed Aug 20, 2008 9:56 am Post subject:

dnsi0 wrote:
> I didn't find that process in my process manager O.o

lol.

Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Wed Aug 20, 2008 11:00 am Post subject:

dnsi0 wrote:
> I didn't find that process in my process manager O.o

Loaded into kernel mode as a special type of object, not necessarily a process. Think of it as Windows' brain.

samuri25404 Grandmaster Cheater
Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Wed Aug 20, 2008 2:33 pm Post subject:

rapion124 wrote:
> Yes, you can make your own... Scan ntoskrnl.exe for jumps or calls (0xE9 or 0xE8). Determine the addresses of the calls and check if they are outside ntoskrnl.exe's address space (ModuleBase+ModuleSize). If they are, flag the address as a hook and attempt to resolve the function name. You could turn up false positives because sometimes 0xE9/0xE8 might not be an instruction, such as when the bytes are part of an address or a string.

Couldn't you just check the beginnings of exported functions for those? I.e. instead of scanning the entire process, just check the addresses of the exports for those bytes.
Yes, it may not be completely accurate, and it might not pick up some, but it'd probably be a good bit faster, and not have nearly as many false positives.

rapion124 Grandmaster Cheater Supreme
Reputation: 0
Joined: 25 Mar 2007 Posts: 1095
Posted: Wed Aug 20, 2008 8:17 pm Post subject:

Sure, that might work. Scanning the beginning of an API for hardcoded values. It's a lot of work though. Truth is, there is no "perfect" method for finding hooks unless you manually look through the function. For example, checking for a jmp (0xE9) can easily be bypassed by using other mnemonics, like push address, retn.
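The per-export check that samuri25404 and rapion124 discuss above, written out as an added example (not code posted by anyone in the thread): it classifies an export's first bytes as jmp rel32, call rel32 or the push address / retn pattern, resolves where control would go, and reports a hook only when that destination falls outside the module's own range, which removes the intra-module false positives mentioned earlier. The module base and size, the export address and the prologue bytes are constructed 32-bit values, not taken from a real kernel.

```c
#include <stdint.h>
#include <stdio.h>

/* Classification of one exported function's prologue. */
typedef enum { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_CALL_REL32, HOOK_PUSH_RET } hook_kind;

/* Constructed 32-bit module layout standing in for ModuleBase/ModuleSize of
 * the image being checked; a real scanner reads these from the loaded-module list. */
#define MODULE_BASE 0x80400000u
#define MODULE_SIZE 0x00200000u

static uint32_t rd32(const uint8_t *p) {          /* little-endian imm32 / rel32 */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect the first bytes of an export located at virtual address `va`.
 * Recognises E9 (jmp rel32), E8 (call rel32) and 68 imm32 / C3 (push; retn).
 * Only a transfer whose destination lies outside the module is reported, so a
 * jmp/call to another function inside the same image is not flagged. */
hook_kind check_prologue(const uint8_t *code, size_t len, uint32_t va, uint32_t *target) {
    uint32_t dest;
    hook_kind kind;
    if (len >= 5 && (code[0] == 0xE9 || code[0] == 0xE8)) {
        dest = va + 5 + rd32(code + 1);              /* rel32 is relative to the next instruction */
        kind = (code[0] == 0xE9) ? HOOK_JMP_REL32 : HOOK_CALL_REL32;
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        dest = rd32(code + 1);                       /* absolute address pushed, then retn */
        kind = HOOK_PUSH_RET;
    } else {
        return HOOK_NONE;
    }
    if (dest - MODULE_BASE < MODULE_SIZE)            /* unsigned range check: inside the module */
        return HOOK_NONE;
    if (target) *target = dest;
    return kind;
}

/* Constructed prologues standing in for bytes read at an export at 0x80450000. */
static const uint8_t clean[]      = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};        /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t hooked_jmp[] = {0xE9, 0xFB, 0xFF, 0x5A, 0x78};        /* jmp 0xF8A00000 (outside module) */
static const uint8_t local_jmp[]  = {0xE9, 0xFB, 0x0F, 0xFB, 0xFF};        /* jmp 0x80401000 (inside module) */
static const uint8_t push_ret[]   = {0x68, 0x00, 0x00, 0xA0, 0xF8, 0xC3};  /* push 0xF8A00000; retn */

int main(void) {
    uint32_t t = 0;
    hook_kind k = check_prologue(hooked_jmp, sizeof hooked_jmp, 0x80450000u, &t);
    printf("kind=%d target=0x%08X\n", (int)k, t);
    return 0;
}
```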