HookHunter

Analyze patches in a process for investigation or repair purposes.

Details

HookHunter is a multi-purpose Windows tool that searches a target process for patches and hooks and then builds a report.

In addition, HookHunter can follow generic hooks to their final destination, so you can simply run the tool and know exactly where specific hooks land.

HookHunter also accepts a few other options:

  • The mod argument restricts the scan to the specified modules. By default, HookHunter searches the entire set of loaded modules.
  • The dump argument makes HookHunter write out the patched and unpatched variants of a modified image, so the binary can be thrown into a disassembler for further analysis.
  • The pecheck argument tells HookHunter to read a custom image's imports (usually a DLL) and alert you if you are using an import that the process is currently hooking.
  • The heal argument tells HookHunter to repair known patches and hooks back to their original variant (be wary of using this option on X86; see the notes in Main/etc).
  • The verbose argument enables explicit logging of HookHunter's current scan.
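As an added example (not HookHunter's own code), the core of the scan the README describes, in Python: diff a module's in-memory bytes against its on-disk image, skip bytes the loader legitimately changed through base relocations (the filtering the comments below ask about), and follow a detected `jmp rel32` patch through any trampoline to where the hook finally lands. Every base, RVA and byte is constructed for the example, and `read` stands in for ReadProcessMemory.

```python
import struct
# Constructed sample (not data from a live process): a 32-byte .text slice of a target module
# on disk and in memory, plus a region standing in for the hooking module. All values are assumed.
PREFERRED_BASE, TARGET_BASE = 0x10000000, 0x20000000  # PE ImageBase vs. where the loader mapped it
TEXT_RVA, HOOK_BASE = 0x1000, 0x7FF00000              # RVA of the slice; hypothetical hooking module

def jmp_rel32(src, dst):
    """Encode `jmp rel32` placed at address src and landing on dst."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

disk_text = bytearray(b"\xCC" * 32)
disk_text[0:6] = b"\xB8\x01\x00\x00\x00\xC3"                   # func_a: mov eax,1 ; ret
disk_text[16:20] = struct.pack("<I", PREFERRED_BASE + 0x2000)  # absolute pointer needing relocation
mem_text = bytearray(disk_text)
mem_text[16:20] = struct.pack("<I", TARGET_BASE + 0x2000)      # loader applied the fixup (benign)
mem_text[0:5] = jmp_rel32(TARGET_BASE + TEXT_RVA, HOOK_BASE + 0x100)  # inline hook on func_a
hook_module = bytearray(0x300)
hook_module[0x100:0x105] = jmp_rel32(HOOK_BASE + 0x100, HOOK_BASE + 0x200)  # trampoline
hook_module[0x200:0x203] = b"\x55\x89\xE5"                     # handler: push ebp ; mov ebp,esp
relocs = [(TEXT_RVA + 16, 4)]   # (RVA, size) from IMAGE_DIRECTORY_ENTRY_BASERELOC; HIGHLOW = 4 bytes
regions = {TARGET_BASE + TEXT_RVA: mem_text, HOOK_BASE: hook_module}

def read(addr, n):
    """Stand-in for ReadProcessMemory over the constructed regions."""
    for base, data in regions.items():
        if base <= addr < base + len(data):
            return bytes(data[addr - base:addr - base + n])
    return b""

def find_patches(disk, mem, rva, relocs):
    """Return (rva, length) runs where memory differs from disk, ignoring relocation fixups."""
    skip = {r + i for r, size in relocs for i in range(size)}
    runs = []
    for i, (d, m) in enumerate(zip(disk, mem)):
        if d == m or (rva + i) in skip:
            continue
        if runs and runs[-1][0] + runs[-1][1] == rva + i:   # extend the current run
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((rva + i, 1))
    return runs

def follow_hook(addr, max_hops=8):
    """Follow a chain of rel32 jumps to the address where the hook finally lands."""
    for _ in range(max_hops):
        b = read(addr, 5)
        if len(b) == 5 and b[0] == 0xE9:
            addr += 5 + struct.unpack("<i", b[1:5])[0]
        else:
            return addr
    return addr
```

With the relocation list applied, only the 5-byte hook is reported; without it, the rebased pointer byte shows up as a false positive, which is the noise the comments describe.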

Usage

Usage:  hookhunter
  -proc         (required) process name/process id
  -mod:         (optional) names of modules to check (or all if none specified).
  -dump:        (optional) dumps patched and unpatched modules for further investigation.
  -pecheck:     (optional) path to a file to alert if any imports the executable uses are being modified.
  -heal:        (optional) repair all modifications to the target binary to the original byte code.
  -verbose:     (optional) log redundant messages associated with HookHunter's scanning

Examples

Example scan screenshots (not reproduced in text): CSGO, DESTINY2, FIREFOX

Comments
  • Techniques absent on the README.md

    Would be nice to know what HookHunter explicitly looks for. Just code patches? Or does it also look for IAT/EAT redirections? Can you list these in the README.md?

    Also, does it filter out relocations (from the PE header IMAGE_DIRECTORY_ENTRY_BASERELOC section)? This is an issue if not. For instance, WKE (closed source) has a UM hook detection feature, but since it doesn't filter out relocations it literally spams the output window to a stall. Then you have to filter by size to manually discern what might be an actual hook or not.

    opened by BigJim 0
  • Add option to scan non-exports

    Would be interesting if you could diff every part of the process with the image on disk (for initialized sections at least), preferably with relocations filtered out.

    opened by mrexodia 0
Releases(1.0)
Owner
Mike