Skip to content

ZeroMemoryEx/Hooks_Hunter

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Hooks_Hunter

introduction

  • API Hooking is the act of detouring the flow of code via hotpatching. Hotpatching is defined as the modification of code during the runtime of an executable . The purpose of inline hooking to be able to capture the instance the program calls a function and then from there, observation and/or manipulation of the call can be accomplished

  • Example of an API hook

    image

  • this technique is used by user-mode rootkits to monitor/intercept system calls and manipulate values returned by APIs to gain control of the machine .

  • the purpose of this project is to Detect user-mode API Hooks by scanning opcodes patterns then follow the jump address, and see if it jumps to a legitimate module or malicious module from the AV/malware and locate that module in all processes to get a full view of the affected processes .

DETAILS

  • an Example of hooked flow

    image

  • first the program will scan for any hooking signs if any hook detected its will read the jump address and follow it and retrieves the base address of the jump address then enumerate over all processes modules in the system and locate that module in all of them.

  • an example of clean flow

    image

VIDEO

2022-06-08.00-55-36.mp4

lastly

  • altough this detection can be bypassed easly using IAT hooking or any kernel mode rootkit .