Scans all modules in target process for jmp/int3 hooks dissassembles then and follows jmps to destination

Overview

hook-scanner

Scans all modules in target process for jmp/int3 hooks dissassembles then and follows jmps to destination.

Procedure

  1. The process enumerates every modules .text section and dissassembles each instruction using zydis dissassembler
  2. The instruction is compared against the module on disk to check for patch.
  3. If it is a patched instruction checks if it is a jmp and proceeds to resolve the jmp destination
  4. If the jmp destination leads to an absolute jmp it follows it and prints the result (module + offset)
  5. It can be customized to decent int3 (breakpoint hooks) and other patches like nop
  6. Before logging gets symbol name of remote function for easier/cleaner analysis
  7. It can be customized to skip modules that you don't want to get scanned here

Example Usage

Valorant Example

Note: this project was coded in 1 day so it might have some bugs (open ticket)

Usage

hook_scanner.exe process.exe

You might also like...
A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.
A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.

manual-syscall-detect A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks. Description A full write-up of this to

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file
Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Process Ghosting This is my implementation of the technique presented by Gabriel Landau: https://www.elastic.co/blog/process-ghosting-a-new-executable

Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Detect-Hooks Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will r

A LoadLibrary injector for CS:GO that automatically bypasses Trusted Mode by disabling various Win32 function hooks.

TrustedInjector This is a LoadLibrary injector for Counter-Strike: Global Offensive. Information It automatically bypasses trusted mode by removing ho

RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc

Introduction RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks,

This PoC uses two diferent technics for stealing  the primary token from all running processes, showing that is possible to impersonate and use whatever token present at any process
This PoC uses two diferent technics for stealing the primary token from all running processes, showing that is possible to impersonate and use whatever token present at any process

StealAllTokens This PoC uses two diferent technics for stealing the primary token from all running processes, showing that is possible to impersonate

Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

P4 driver SW for P4 DPDK target.

P4 DPDK Target Components ========================= p4-dpdk-target repo contains the P4-DPDK target specific code that supports the target independent

This repository shows my all (maybe all) solved problem (CodeForces & AtCoder) and their description with my Codes!!!

Submissions Auto-generated with ❤ using Harwest Introduction A repository to keep track of problem solving practice, containing solutions from platfor

Owner
Discord: flushin#9408
null
Your ultimate destination for Competitive Coding this Hacktoberfest21

The-CP-Companion with ISTE-VIT Your ultimate destination for Competitive Coding. Hello Fellow < Developers/ >! ??‍?? ??‍?? Competitive Programming is

ISTE-VIT 21 Dec 21, 2021
Scans a given text file for any misspelled words

speller-program Scans a given text file for any misspelled words Directories: dictionaries: a file that contains all words in the dictionary texts: co

Martin Guevara 1 Oct 14, 2021
EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj

Bobby Cooke 199 Sep 28, 2022
If the button pressed esp will reset and App mode will on. App mode will on then led will on, network is connected led will off.

DHT22-to-Google-sheet-Reset-Using-ESP8266-LED-Switch If button pressed esp will reset and App mode will on. App mode will on then led will on, network

Md. Harun-Or-Rashid 3 Aug 17, 2022
Simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it's running with secure boot enabled (faking secure boot)

SecureFakePkg is a simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it's running with secure boot enabled. In other words, it fakes secure boot status.

Samuel Tulach 79 Oct 1, 2022
Comparing data of module exports from disk and memory, then caching any differences.

Inline-PatchFinder Need to see if the process you're reversing/analyzing is patching/hooking any loaded module's exports? Well, look no further. Inlin

null 12 Jun 20, 2022
Best practices, conventions, and tricks for ROS. Do you want to become a robotics master? Then consider graduating or working at the Robotics Systems Lab at ETH in Zürich!

ROS Best Practices, Conventions and Tricks Best practices for ROS2 in the making. See the Foxy branch in the meanwhile. This is a loose collection of

Robotic Systems Lab - Legged Robotics at ETH Zürich 1.2k Sep 27, 2022
An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents

Shellcode Fluctuation PoC A PoC implementation for an another in-memory evasion technique that cyclically encrypts and decrypts shellcode's contents t

Mariusz Banach 567 Sep 29, 2022
Example code for collecting weather data from an ESP32 and then uploading this data to InfluxDB in order to create a dashboard using Grafana.

InfluxGrafanaTutorial Example code for collecting weather data from an ESP32 and then uploading this data to InfluxDB in order to create a dashboard u

Michael Klements 5 May 12, 2022