Scans all modules in the target process for jmp/int3 hooks, disassembles them, and follows the jmps to their destination.

Overview

hook-scanner


Procedure

  1. The tool enumerates every module's .text section and disassembles each instruction with the Zydis disassembler.
  2. Each instruction is compared against the module's image on disk to check for a patch.
  3. If the instruction is patched, the tool checks whether it is a jmp and, if so, resolves the jmp destination.
  4. If the jmp destination leads to an absolute jmp, the tool follows it and prints the final result (module + offset).
  5. It can be customized to detect int3 (breakpoint) hooks and other patches such as nop.
  6. Before logging, it resolves the symbol name of the remote function for easier and cleaner analysis.
  7. It can be customized to skip modules that you don't want scanned.
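
The procedure above, as an added worked example that is not the hook-scanner project's own code: it diffs each module's in-memory .text against its on-disk copy, decodes the patched instruction, follows a relative jmp into an absolute `jmp [rip+disp32]` and reports the destination as module+offset or as an exported symbol name. A hand-rolled decoder for the three relevant instruction forms stands in for Zydis, and every module name (`ntdll.dll`, `sensor.dll`), address, symbol and byte string below is constructed for the example.

```python
import struct
from dataclasses import dataclass, field


@dataclass
class Region:
    name: str                  # module name, or a label for an unbacked private allocation
    base: int                  # virtual address of the first byte
    mem: bytes                 # bytes as present in the live process
    disk: bytes = b""          # same range as read from the file on disk; empty if unbacked
    symbols: dict = field(default_factory=dict)   # offset -> exported symbol name

    def contains(self, va):
        return self.base <= va < self.base + len(self.mem)


class Process:
    def __init__(self, regions):
        self.regions = regions

    def read(self, va, n):
        for r in self.regions:
            if r.contains(va):
                return r.mem[va - r.base:va - r.base + n]
        raise ValueError(f"unmapped read at 0x{va:x}")

    def describe(self, va):
        """Render va as module+offset (step 4), preferring an exported symbol name (step 6)."""
        for r in self.regions:
            if r.contains(va):
                off = va - r.base
                return f"{r.name}!{r.symbols[off]}" if off in r.symbols else f"{r.name}+0x{off:x}"
        return f"<unbacked>!0x{va:x}"   # no module claims the address: a private allocation


def decode(code, va):
    """Stand-in for Zydis: decodes only the forms a hook scanner must recognise.
    Returns (kind, target) with kind one of jmp_rel, jmp_ind, int3 or None."""
    if code[0] == 0xCC:                              # int3 breakpoint hook (step 5)
        return "int3", None
    if code[0] == 0xE9:                              # jmp rel32
        return "jmp_rel", va + 5 + struct.unpack_from("<i", code, 1)[0]
    if code[0] == 0xFF and code[1] == 0x25:          # jmp qword ptr [rip+disp32]: absolute jmp via pointer
        return "jmp_ind", va + 6 + struct.unpack_from("<i", code, 2)[0]
    return None, None


def patch_starts(region):
    """Offsets where a run of bytes differing from the on-disk image begins (step 2)."""
    starts, in_run = [], False
    for off, (m, d) in enumerate(zip(region.mem, region.disk)):
        if m != d and not in_run:
            starts.append(off)
        in_run = m != d
    return starts


def follow(proc, va, max_hops=8):
    """Follow a jmp chain from va (steps 3-4); stop at the first non-jmp instruction."""
    for _ in range(max_hops):
        kind, target = decode(proc.read(va, 16), va)
        if kind == "jmp_rel":
            va = target
        elif kind == "jmp_ind":                      # target holds the 8-byte destination pointer
            va = struct.unpack("<Q", proc.read(target, 8))[0]
        else:
            break
    return va


def scan(proc):
    """One (patched location, patch kind, resolved destination) tuple per patch found."""
    findings = []
    for r in proc.regions:
        if not r.disk:
            continue                                 # unbacked memory has no disk copy to diff against
        for off in patch_starts(r):
            va = r.base + off
            kind, _ = decode(proc.read(va, 16), va)
            dest = proc.describe(follow(proc, va)) if kind in ("jmp_rel", "jmp_ind") else "-"
            findings.append((proc.describe(va), kind or "other", dest))
    return findings


def build_sample():
    """Constructed process image (names, addresses and bytes are made up): ntdll's NtOpenProcess stub
    is hooked with a rel32 jmp to a private trampoline that jumps absolutely into sensor.dll;
    NtClose has an int3 written over its first byte."""
    ntdll_base, sensor_base = 0x7FF800000000, 0x7FF900000000
    tramp_base = ntdll_base - 0x10000                # placed near ntdll so a rel32 jmp can reach it
    stub = bytes.fromhex("4c8bd1b826000000" "0f05c3")  # mov r10,rcx; mov eax,26h; syscall; ret
    disk = bytearray(0x40)
    for off in (0x10, 0x30):
        disk[off:off + len(stub)] = stub
    mem = bytearray(disk)
    mem[0x10:0x15] = b"\xe9" + struct.pack("<i", tramp_base - (ntdll_base + 0x10 + 5))
    mem[0x30] = 0xCC
    tramp = b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", sensor_base + 0x20)
    return Process([
        Region("ntdll.dll", ntdll_base, bytes(mem), bytes(disk), {0x10: "NtOpenProcess", 0x30: "NtClose"}),
        Region("sensor.dll", sensor_base, bytes(0x40), bytes(0x40), {0x20: "HookedNtOpenProcess"}),
        Region("trampoline", tramp_base, tramp),     # private allocation with no backing file
    ])


if __name__ == "__main__":
    print(*scan(build_sample()), sep="\n")
```

Running it reports the jmp hook on `ntdll.dll!NtOpenProcess` resolving to `sensor.dll!HookedNtOpenProcess` and the int3 on `ntdll.dll!NtClose` with no destination. A destination that `describe` renders as `<unbacked>` is the case worth looking at first: the chain ended in memory no module claims.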

Example Usage

Valorant Example

Note: this project was coded in 1 day, so it might have some bugs (open a ticket).

Usage

hook_scanner.exe process.exe

Owner
Discord: flushin#9408