Security product hook detection

Related tags

Utilities hooking edr redteam-tools
Overview

HookDump

EDR function hook dumping

Please refer to the Zeroperil blog post for more information https://zeroperil.co.uk/hookdump/

Building source

  • In order to build this you will need Visual Studio 2019 (community edition is fine) and CMake. The batch file Configure.bat will create two build directories with Visual Studio solutions.
  • The project may build with MinGW with the correct CMake command line, this is untested YMMV.
  • There is a dependency on zydis disassembler, so be sure to update the sub-modules in git before configuring the project.
  • There is a 32bit and 64bit project, you may find that EDR's hook different functions in 32/64 bit so building and running both executables may provide more complete results

Notes

  • Some EDRs replace the WOW stub in the TEB structure (specifically Wow32Reserved) in order to hook system calls for 32 bit binaries. In this case you may see zero hooks since no jump instructions are present in NTDLL. Most likley you will see hooks in the x64 version as the syscall instruction is used for system calls instead of a WOW stub
  • We have noted that Windows Defender does not use any user mode hooks
  • This tool is designed to be run as a standard user, elevation is not required

Hook Types Detected

JMP

A jump instruction has been patched into the function to redirect execution flow

WOW

Detection of the WOW64 syscall stub being hooked, which allows filtering of all system calls

EAT

The address in the export address table does not match the address in the export address table in the copy on disc

GPA

GetProcAddress hook, an experimental feature, this is only output in verbose mode, when the result of GetProcAddress does not match the manually resolved function address. YYMV with this and some care should be taken to verify the results.

Verification

The only way to truly verify the correct working of the program is to check in a debugger if hooks are present. If you are getting a zero hooks result and are expecting to see something different, then first verify this in a debugger and please get in touch.

You might also like...
android analysis tools, jni trace by native hook, libc hook, write log with caller's addr in file or AndroidLog

编译方法 unix like mkdir "build" cd build cmake .. -DNDK=your_ndk_path/Android/sdk/ndk/22.0.7026061 -DANDROID_ABI=armeabi-v7a make -j8 或者使用andriod studio编

pony 63 Dec 1, 2022
WIP / DIN-rail compatible WiFi security camera with additional features (doorbell detection, magnetic / reed switch door & PIR sensor...) that sends you alerts on Telegram if someone unauthorised breaks into your house.
WIP / DIN-rail compatible WiFi security camera with additional features (doorbell detection, magnetic / reed switch door & PIR sensor...) that sends you alerts on Telegram if someone unauthorised breaks into your house.

WIP / DIN-rail compatible WiFi security camera with additional features (doorbell detection, magnetic / reed switch door & PIR sensor...) that sends you alerts on Telegram if someone unauthorised breaks into your house.

François Leparoux 2 Dec 18, 2021
A C library for product recommendations/suggestions using collaborative filtering (CF)

Recommender A C library for product recommendations/suggestions using collaborative filtering (CF). Recommender analyzes the feedback of some users (i

Ghassen Hamrouni 254 Dec 29, 2022
A C library for product recommendations/suggestions using collaborative filtering (CF)

Recommender A C library for product recommendations/suggestions using collaborative filtering (CF). Recommender analyzes the feedback of some users (i

Ghassen Hamrouni 254 Dec 29, 2022
AgileX Product Gazebo Simulate

AgileX Product Gazebo Simulate Install the Gazebo software Gazebo is a simulator. Gazebo simulates multiple robots in a 3D environment, with extensive

null 47 Dec 9, 2022
Source code to the 1980s Amiga product, version dated 1992

HyperCacheAmiga Source code to the 1980s Amiga product, version dated 1992 A fellow named Matthew Kott reached out and asked me to release the source

Plummer's Software LLC 33 Nov 19, 2022
This is a product / project developed by a team of Five Members including Mithilesh Ghadge for the Engineering Clinics at Vellore Institute Of Technology

UltrasonicSensorGlasses-for-blind-people This is a product / project developed by a team of Five Members including Mithilesh Ghadge for the Engineerin

Mithilesh Ghadge 2 Oct 14, 2021
Xerus - A general purpose library for numerical calculations with higher order tensors, Tensor-Train Decompositions / Matrix Product States and other Tensor Networks

About The xerus library is a general purpose library for numerical calculations with higher order tensors, Tensor-Train Decompositions / Matrix Produc

null 18 Apr 20, 2021
The Gecko SDK (GSDK) combines all Silicon Labs 32-bit IoT product software development kits (SDKs) based on Gecko Platform into a single, integrated SDK.

Silicon Labs Gecko SDK (GSDK) The Gecko SDK (GSDK) combines Silicon Labs wireless software development kits (SDKs) and Gecko Platform into a single, i

Silicon Labs 163 Dec 28, 2022
An open source library for face detection in images. The face detection speed can reach 1000FPS.
An open source library for face detection in images. The face detection speed can reach 1000FPS.

libfacedetection This is an open source library for CNN-based face detection in images. The CNN model has been converted to static variables in C sour

Shiqi Yu 11.4k Jan 8, 2023
A project demonstrating how to train your own gesture recognition deep learning pipeline. We start with a pre-trained detection model, repurpose it for hand detection using Transfer Learning Toolkit 3.0, and use it together with the purpose-built gesture recognition model. Once trained, we deploy this model on NVIDIA® Jetson™ using Deepstream SDK.
A project demonstrating how to train your own gesture recognition deep learning pipeline. We start with a pre-trained detection model, repurpose it for hand detection using Transfer Learning Toolkit 3.0, and use it together with the purpose-built gesture recognition model. Once trained, we deploy this model on NVIDIA® Jetson™ using Deepstream SDK.

Using NVIDIA Pre-trained Models and Transfer Learning Toolkit 3.0 to Create Gesture-based Interactions with a Robot In this project, we demonstrate ho

NVIDIA AI IOT 31 Dec 15, 2022
Canny edge detection, one of the efficient edge detection algorithms is implemented on a Zedboard FPGA using verilog
Canny edge detection, one of the efficient edge detection algorithms is implemented on a Zedboard FPGA using verilog

In this project, Canny edge detection, one of the efficient edge detection algorithms is implemented on a Zedboard FPGA using verilog. The input image is stored on a PC and fed to the FPGA. The output processed image is displayed on a VGA monitor.

Jeffrey Samuel 4 Jan 4, 2023
C++ Type Traits for Smart Pointers that are not included in the standard library, containing inheritance detection and member detection.
C++ Type Traits for Smart Pointers that are not included in the standard library, containing inheritance detection and member detection.

Smart Pointer Type Trait 🎈 A simple, header-only cpp library implementing smart pointer type traits. You can easily compile your code diffrently depe

Woon2 12 Sep 14, 2022
A collection of hash functions, ciphers, tools, libraries, and materials related to cryptography & security. :closed_lock_with_key::closed_lock_with_key::closed_lock_with_key::closed_lock_with_key::closed_lock_with_key: (project was renamed, libchaos is main)

_""^^"-. / / \ \ | |.-""-.| ___ ___ _____ _____ ___ ___ ////`.;;;;.`\ | _ \ __|_ _|_ _| __| _

Maciej A. Czyzewski 79 Nov 26, 2022
Modify Android linker to provide loading module and hook function

fake-linker Chinese document click here Project description Modify Android linker to provide loading module and plt hook features.Please check the det

sanfengAndroid 216 Jan 4, 2023
台大 計算機安全 - Pwn 簡報、影片、作業題目 - Computer Security Fall 2019 @ CSIE NTU Taiwan

NTU Computer Security Fall 2019 - 台大 計算機安全 擔任台大大助教,與三週 Pwn 課程講師。 課程內容 Week 1: Binary Exploitation - Basic Slide: link Video: link Lab: bof stack buffe

yuan 290 Jan 3, 2023
MiniDumpWriteDump behavior modification hook

MiniDumpWriteDumpPoC MiniDumpWriteDump behavior modification hook Read the full article in our blog: Adepts Of 0xCC: Hooks On Hoot Off This is a funct

Adepts of 0xCC 48 Nov 9, 2022
Gunyah is a Type-1 hypervisor designed for strong security, performance and modularity.
Gunyah is a Type-1 hypervisor designed for strong security, performance and modularity.

Gunyah is a Type-1 hypervisor, meaning that it is independent of any high-level OS kernel, and runs in a higher CPU privilege level. It does not depend on any lower-privileged OS kernel/code for its core functionality. This increases its security and can support a much smaller trusted computing base than a Type-2 hypervisor.

Qualcomm Innovation Center 84 Jan 2, 2023
Class containing Anti-RE, Anti-Debug and Anti-Hook methods. Made for C++/CLI

Umium Class containing Anti-RE, Anti-Debug and Anti-Hook methods. Easy to use and easy to implement. Disclaimer This code has been made and optimized

null 59 Dec 23, 2022
Releases(1.1)
Owner
zeroperil
zeroperil
GitHub https://zeroperil.co.uk/hookdump/
Find patterns of vulnerabilities on Windows in order to find 0-day and write exploits of 1-days. We use Microsoft security updates in order to find the patterns.

Back 2 the Future Find patterns of vulnerabilities on Windows in order to find 0-day and write exploits of 1-days. We use Microsoft security updates i

SafeBreach Labs 118 Dec 30, 2022
Hook up the OnePlus6(T) tri-state key in PostmarketOS!

OnePlus 6(T) tri-state key support in PostmarketOS As the name suggest, the goal of this little project is to hook up the OnePlus6(T) tri-state key in

Michele Perrone 7 Nov 14, 2021
use ptrace hook Hotspot JavaVM, instrument java bytecode

taycan 通过native层修改java层(JVM),使用JVMTI及JNI API可以修改java任意类、执行任意代码,完成hook、插入内存马、反射等功能。 适用环境 LINUX KERNEL version > 3.2 GLIBC > 2.15 openJDK/OracleJDK 1.8

null 26 Jul 12, 2022
Applications based on Wi-Fi CSI (Channel state information), such as indoor positioning, human detection

ESP-CSI The main purpose of this project is to show the use of ESP-WIFI-CSI. The human body detection algorithm is still being optimized. You can get

Espressif Systems 314 Jan 4, 2023
You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery

YOLT You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery As of 24 October 2018 YOLT has been superceded by SIMRDWN YOLT is an

CosmiQ Works 618 Dec 23, 2022
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

TiEtwAgent - ETW-based process injection detection This project was created to research, build and test different memory injection detection use cases

Filip Olszak 188 Dec 26, 2022
WhyNotWin11 - Detection Script to help identify why your PC isn't Windows 11 ready

Detection Script to help identify why your PC isn't Windows 11 ready

Robert C. Maehl 5.9k Dec 28, 2022
Hybrid Detect demonstrates CPU topology detection using multiple intrinsic and OS level APIs.

Hybrid Detect Hybrid Detect demonstrates CPU topology detection using multiple intrinsic and OS level APIs. First, we demonstrate usage of CPUID intri

null 38 Dec 23, 2022
A 2D collision detection and physics library written in C.

A 2D collision detection and physics library written in C. WARNING: This library is in an early alpha stage, use it at your own risk. Documentation —

c-krit 85 Dec 24, 2022
Take Damage hook hook made to increase weapon damage, the game I made is Free Fire in version 1.65

Take-Damage Simple Take Damage hook hook made to increase weapon damage, the game I made is Free Fire in version 1.65 Bool bool isTakeDemageBool = fal

Master Games 3 Jan 1, 2022