5

I'm looking for a tool that is able to check loaded module for any placed patches even on not exported functions.

I'm aware of Gmer, RKU and Co. and frankly I don't really trust their results.

asheeshr
  • 2,465
  • 8
  • 28
  • 41
PhoeniX
  • 3,052
  • 16
  • 30
  • Module loaded into what? Are you analyzing a code image, a running system, a memory dump? This question lacks a lot of context. – Gilles 'SO- stop being evil' Jun 17 '13 at 13:36
  • If the module is loaded than, it must be loaded into memory, no? Where do you think the module could be loaded into and what do you mean by running system? If I wanted to ask about dump files, I sure would not be using loaded modules. – PhoeniX Jun 17 '13 at 13:48

3 Answers3

3

HookShark is a great way of detecting whether anything has patched a process. In my experience it's mostly used when studying the stealth of game hacks.

HookShark is a detector of installed hooks and patches installed on the system (only usermode for now). It scans through the code-section of every loaded module of each running process and compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user.

Currently implemented hook detection:

* - Inline patches / Hooks (NOP, Exceptionhandler, relative Jumps, Custom patches)

* - Other custom patches [...]

* - VTable Hooks

* - IAT and EAT Hooks

* - Relocation Hooks

* - Hardware Breakpoints

* - PAGE_GAURD Candidates

Community
  • 1
Peter Andersson
  • 5,701
  • 1
  • 32
  • 49
  • Hi, I've tried this tool and unfortunately it was unable to find patches on some non-exported functions. Other than that, it looks like a handy tool. – PhoeniX Jun 18 '13 at 13:59
  • I'm very surprised it missed them since it does a byte by byte compare with the binary on disk. Maybe if the binary on disk was patched or if there's a global hook on ReadProcessMemory? – Peter Andersson Jun 18 '13 at 14:21
  • There is no hook on ReadProcessMemory as it was able to find hooks on other exported functions. I'll try once more time just to be sure. Just to validate, the tool is blindly compares all memory to appropriate module on disk? – PhoeniX Jun 18 '13 at 14:49
  • That was my impression. I haven't looked at it in detail and actually verified how it works. – Peter Andersson Jun 18 '13 at 14:58
3

http://msdn.microsoft.com/en-us/library/windows/hardware/ff562217(v=vs.85)

The !chkimg extension detects corruption in the images of executable files by comparing them to the copy on a symbol store or other file repository.

wordmonger
  • 41
  • 2
-1

HookShark will generate false positives in software that uses packer/cryptor to protect their code.

Palaniyappan Bala
  • 99
  • 1
  • 2
  • 2
    Try to give some links to the tool and to elaborate a bit more your answer. What you wrote is, at most, a comment and definitely not an answer. – perror Jan 09 '14 at 10:59