I don't know if someone might find this useful and/or if it is even considered a RCE-Tool.

Nevertheless i just wanted to share my tool here.
It is currently BETA and by no means stable.





[1] Homepage: http://home.arcor.de/neotracer/hookshark.html
[2] Download: http://home.arcor.de/neotracer/HookShark.rar

Heh,

for sure its useful, i actually need such a tool to detect what PACE & Solidshield/Tages is hooked. Great.

Thx.

Thanks.



That could be a problem though. I am very sure that Tages hooks functions in kernel-mode. Until i found a reliable and non-invasive way to read out kernel-memory, HookShark remains a usermode-detector.

Amazing I tested on a program of mine that redirect imports to my code and it shows them all
Good work and also thanks for BlueUnits, I can now use proper hooking than my jumble hook code.
You should add both to Collaborative RCE Tool Library and I hope some day you will release the detection code

PS: I got AV while scanning Yahoo! Messenger when I try to check all modules.

Thanks for your feedback!
I hope all AVs will be fixed in the next version. Otherwise i will have to add some kind of debug-trace to HookShark, so people can post them for me to make sense.

I recently added detection of hidden usermode-modules. (which are unlinked from the Ldr Module-lists) and every hook that is detectable can now be unhooked, including nasty relocation hooks.

Newest version can be found here [1] always. (sometimes i dont announce, when only small changes are made)

[1] http://home.arcor.de/neotracer/HookShark.rar

I still get AV.
You can use http://www.madshi.net/madExceptDescription.htm , http://www.eurekalog.com/ or Jedi Code Library Debug Extension (you can read more at http://sourceforge.net/project/shownotes.php?release_id=378020&group_id=47514 )

Thanks for mentioning Yahoo-Messenger. I installed it and I was able to conduct serious bug-hunting. No AV anymore [1].
But i encountered several unfixed issues with detection of EAT Hooks and some dangerous bugs in some of my Unhooking - Routines.
Gonna take some time

[1] http://home.arcor.de/neotracer/HookShark.rar

Great app, I'm finding it highly useful - keep up the great work^^

I traced down the issue to be in uncorrect handling of different section alignment of some modules. I fixed it now.
No problems scanning Yahoo Messenger and no problems unhooking all IAT hooks i found there.
Thank you again blurcode. I greatly benefit from feedback like this.

Some features if you have the time ofcourse: a) move the scanning engine to a TThread object (if you try to scan Skype for example, that has more than 25k hooks, HookShark seems not responding because of one thread for both UI and scanning engine), b) since you already have disassembler code you should make options to disassemble the hooked or related offsets for quick preview (I think you can also add syntax highlighting and browse the code with SynEdit, more at http://synedit.sourceforge.net/ ). Please also check VirtualTreeview as replacement of ListView because it is faster, especially if you add many items to list, more at http://www.lischke-online.de/VirtualTreeview/

Two bugs I encountered while working on Skype, while scanning and UI was not responding I closed HookShark and it popup AV after a while (I could not reproduce this again). While unhooking all the hooks Skype crashed and closed and HookShark didn't popup any error and it was not responding plus it had high cpu usage.

Thanks for your support blurcode.



The Engine already uses another Thread (WINAPI Createthread though).
There must be another reason for hanging. I will look into this. Skype is downloading now.



Wow. Very advanced and good idea. But as you know, i am at the moment more concerned about stability than usability. I think you can understand.

Maybe there will be some huge rewrites of parts of the scanning engine, before i reach this goal. There is still a long way to go.



I will certainly look into this. Thanks for that suggestion.



Yes. The problem is, that i dont synchronize the scanning thread in any way and there is no safe abort feature as of now. If you Close HookShark while scan is in progress all objects and handles will not be closed and freed properly. I have to get around to make this properly some time.



When HookShark fails to unhook an entry, it allocates Memory for a String to report failure on this particular Hook-Entry. After all Hook-Entrys are looped through a messagebox shows this error-report string.
So the problem is, HookShark is not prepared to unhook thousands of patches all at once. It will very likely fail.

Ok. I know what is going on with Skype. The problem was simple:
Skype was packed in a way that the static code-section becomes the new place for the unpacked code. So HookShark of course detects thousands of discrepancies.
When you tried to "Unhook", HookShark wrote the packed code from the file back to the memory. No wonder Skype crashes.

Also, the GUI did not hang. I simply disabled all controls. I enabled the listview again during scan, but disabled all other things.

Now i added, when HookShark finds too many code-patches inside a module (over 100), it prompts the user if it should list them.

Hi DeepBlueSea,

nice to see you outside of GD...

First, nice tool you've released here !

You're modules detection looks weird to me... can you try to hide a module using my lame DeepMonitor tool ? ( http://orkblutt.free.fr/DeepMonitor.exe only under XP SP2)
All the not linked modules are displayed like if they was unlinked.

It also not detecting my hooks, simple jmp ones, in a process that i can't say the name here... pm me please.

regards,

orkblutt

Hmm. Can you rephrase that? "not linked modules" should be displayed as unlinked shouldnt they?

I tested some things and it went fine. Maybe an example would be good. On Notepad or something. Which modules did you hide?

Also if you FULLY hide a module (wipe the entry), then HookShark resorts to another method of detection. But in that case it can't determine original Module-Names. Its says [unknown_image].



Detecting hooks in Apps depends on certain factors:
- The hook/patch has to be inside a module
- The hook/patch has to be inside the code-section where PEheader.OptionalHeader.BaseOfCode points to.
- The section has to have following attributes:
IMAGE_SCN_CNT_CODE and has to be Read-Only!

Otherwise we would find tons of discrepancies between mapped memory image and file image.

ooopsss... i meant all the linked modules are showed as unlinked.
But i just checked again and not happening on a simple example like notepad.



I see...

Anyway, nice tool again

very usefull. i was looking for such a tool, without knowing it.

Nice tool indeed, and since noone added it to CRCETL yet, here it is:

http://www.woodmann.com/collaborative/tools/HookShark

You are very welcome to keep this entry updated yourself DeepBlueSea, and everyone will then be automatically notified by the RSS feeds for all your updates.

There has been an update.

Stay tuned for the planned Vtable-Hook detection, which will be implemented any time soon.
Since this is a beta run, any feedback is greatly appreciated.

http://www.woodmann.com/collaborative/tools/HookShark