HookDump : Security Product Hook Detection

HookDump is a tool for security product hook detection.

Building Source

  • In order to build this you will need Visual Studio 2019 (community edition is fine) and CMake. The batch file Configure.bat will create two build directories with Visual Studio solutions.
  • The project may build with MinGW with the correct CMake command line, this is untested YMMV.
  • There is a dependency on zydis disassembler, so be sure to update the sub-modules in git before configuring the project.
  • There is a 32bit and 64bit project, you may find that EDR’s hook different functions in 32/64 bit so building and running both executables may provide more complete results

Notes

  • Some EDRs replace the WOW stub in the TEB structure (specifically Wow32Reserved) in order to hook system calls for 32 bit binaries. In this case you may see zero hooks since no jump instructions are present in NTDLL. Most likley you will see hooks in the x64 version as the syscall instruction is used for system calls instead of a WOW stub
  • We have noted that Windows Defender does not use any user mode hooks
  • This tool is designed to be run as a standard user, elevation is not required

Hook Types Detected

JMP

A jump instruction has been patched into the function to redirect execution flow

WOW

Detection of the WOW64 syscall stub being hooked, which allows filtering of all system calls

EAT

The address in the export address table does not match the address in the export address table in the copy on disc

GPA

GetProcAddress hook, an experimental feature, this is only output in verbose mode, when the result of GetProcAddress does not match the manually resolved function address. YYMV with this and some care should be taken to verify the results.

Verification

The only way to truly verify the correct working of the program is to check in a debugger if hooks are present. If you are getting a zero hooks result and are expecting to see something different, then first verify this in a debugger and please get in touch.

R K

Recent Posts

Install Pip on Ubuntu 18.04: Python 3 and Python 2 Setup Guide

Pip is the official package manager for Python and the standard way to install libraries from…

18 hours ago

Install R on Ubuntu 18.04 from CRAN: Statistical Computing Setup

R is an open-source programming language and environment built for statistical computing and data visualization. It…

18 hours ago

Install Jenkins on Ubuntu 18.04: CI/CD Server Setup Guide

Jenkins is an open-source automation server that makes it easy to build CI/CD pipelines. Continuous integration…

18 hours ago

Install Android Studio on Ubuntu 18.04 with Snap and OpenJDK 8

Android Studio is the official IDE for Android development, built on JetBrains' IntelliJ IDEA platform. It…

18 hours ago

Install and Configure GitLab on Ubuntu 18.04 with Omnibus

GitLab is a web-based, open-source Git repository manager written in Ruby. It includes built-in tools for…

18 hours ago

Install Anaconda on Ubuntu 18.04: Python Data Science Setup Guide

Anaconda is the most widely used Python distribution for data science and machine learning. It bundles…

2 days ago