Debug Hook v1.2

iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Debug Hook v1.2

Post by iconic »

I updated kX-Ray's Ring3 Inline API Hook scan method and, since I haven't had the time to release a new build yet, I created a free stand-alone program out of this very fast, smart and robust scan method. All processes are enumerated and all exported APIs in all loaded modules are scanned for code-overwriting (inline) API hooks. I've yet to find a faster, more accurate Ring3 inline API hook scanner anywhere. Screenshots are below, and DbgHook's PE scanning settings allow for specific scan types such as module type inclusions/exclusions as well as just scanning typical win32 processes or including System processes too.

Even madExcept's .BPL module hooks (loaded by Delphi) are detected. Of course the purpose of such a tool is simple: discovering existing hooks can help you diagnose your system, especially if you find instability between hooking packages or just want to know what process hooks what. I have not included any sort of "unhook" option in DbgHook; kX-Ray does this for any type of hook, kernel or user mode. I feel that in doing so I would be "working against" what Madshi has spent a lot of time developing, so please do not ask me for such an option. If you absolutely need that option you can download my other program "kX-Ray".

I would appreciate any feedback if you find this utility useful. For best performance please run DbgHook.exe more than once; you'll find that after scanning one time, the second scan and any thereafter will be much faster. This week I plan to add support for IAT hook detection, so I will post an updated build when I have the free time to do it. Email bindshell <at> gmail <dot> com for comments and/or bug reports.

Debug Hook v1.2
32-bit OS support only (at present)
2K, XP, 2K3, Vista

Note:
Debug Hook is Ring3 code ONLY, so it requires no driver. Do not let this fool you, however: it doesn't use standard methods for enumerating processes, opening them or reading memory. All of these APIs are emulated and are part of my Symbiote Project.

*Vista users* You must right-click DbgHook.exe and choose "Run as Administrator" so that Debug Hook has sufficient access rights.

Download Installer


--Iconic
Last edited by iconic on Wed Dec 24, 2008 6:15 am, edited 1 time in total.
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

PErvert v1.3

Post by iconic »

PErvert v1.3 is now released

ChangeLog
  • Changed name of DbgHook to "PErvert" - PE Export Redirection VERification Tool
  • View->"Clear" menu is now properly disabled when there are no entries in the listview
  • File->"Save As HTML" menu is now properly disabled when there are no entries in the listview
  • Added Export Address Table (EAT) hook detection
  • Added "Scan" menu to listview popup menu
  • Added "Analysis" tab to "Options->Settings" window for scan type selection
  • Added "Type" listview column to show what type of hook was identified (EAT, Inline JMP [0x25FF, 0xE9, Push/Ret] etc.)
  • Improved "Save As HTML" option so now only unique images are saved once, not the same one repeatedly as in v1.2
  • Added total detected hook count column to status bar
  • Fixed annoying cosmetic issue with horizontal scrollbar appearing in listview when it didn't need to be
Download PErvert v1.3

My private copy also has IAT hook detection, but I'm actually improving that (speed-wise) so it didn't make this release. EAT is what a serious IAT patcher would also hook, and that is detected in this build. I would appreciate any feedback.

--Iconic
lastOne
Posts: 9
Joined: Wed Sep 03, 2008 4:50 am

Post by lastOne »

Can you release it as a single .exe, portable?
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Yes. It could be standalone. I just created the installer in order to force people to see the EULA which accompanies the software.

--Iconic
lastOne
Posts: 9
Joined: Wed Sep 03, 2008 4:50 am

Post by lastOne »

I have the feeling that 99% of software installations are something like: Next > Next > Next > Finish
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

1.4 released

Post by iconic »

PErvert v1.4 is now released

Had a few spare minutes today for an update, so here it is.

ChangeLog
  • Added IAT (Import Address Table) Hook Detection
  • Added Kernel Mode Driver Support for Opening Processes (admin rights needed for this option)
  • Removed "Module Types" Tab from Settings
  • Other Minor Engine Optimizations
Download PErvert v1.4


--Iconic
aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

gj on IAT
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Thanks. IAT, EAT and inline API hook scanning should be pretty accurate and fast. Nobody likes to wait forever so only having to wait a few seconds is a plus.

--Iconic
aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

This is similar to HookShark by DBS, isn't it? I use this tool quite a lot.
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

I tried HookShark once, but it seemed to miss some hooks depending on the method used, and even when hooks were detected, in a few instances the actual hook address was wrong. It is a decent tool from what I remember; it just needs a speed increase and an auto-scan option instead of selecting a process manually. PErvert is just a sub-component extension of its real parent, which is kX-Ray, my anti-rootkit tool. You can read about it here viewtopic.php?t=4575 if you haven't already. The post is 6 mos. old, but I still plan to continue its development soon. Another thing to note is that kX-Ray and PErvert can open just about any process, even if ZwOpenProcess is hooked in the kernel (the option needs to be checked in Settings under "Additional"). 99% of other "super" tools from my tests can't do this, or at least not in a stable manner, which is a real shame. kX-Ray has had this ability since day 1 of development.

--Iconic
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

PErvert v1.5

Post by iconic »

http://bugczech.fu8.com/bin/PErvert15_en.zip

Had a few spare minutes today and made a very minor update to Inline API Hook handling. I extended support for less common hook types, which include these opcode instructions:
  • 0x15FF absolute/indirect far call
  • 0xEB jmp near rel8
  • 0xEA jmp far imm32

Prior to this only the main 3 hook types were flagged, which were 0xE9 relative jmp, 0x25FF absolute indirect far jmp and push/ret (0x68 <offs32> 0xC3). Enjoy!

--Iconic
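The hook stubs listed in this thread (0xE9, 0xFF 0x25, push/ret, 0xFF 0x15, 0xEB, 0xEA) are the byte patterns an inline-hook scanner looks for at each export's entry point. The following is an added example written for this page, not PErvert's or kX-Ray's code: it decodes those 32-bit x86 encodings from a byte buffer, resolves the jump target (or the pointer slot for the indirect forms), and then applies one extra heuristic that is my own assumption, not something the thread states the tool does: only report a hook whose target leaves the exporting module's own image, since export stubs and tail jumps legitimately begin with an intra-module jmp. All sample prologues and module addresses are constructed, not captured from a real system.

```c
/* Added example (not the tool's code): classify an export's first bytes as one of
 * the 32-bit inline-hook stubs discussed in the thread, then count hooks that leave
 * the module's image. Constructed inputs only; runs offline. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,   /* E9 rel32         jmp near                   */
    HOOK_JMP_REL8,    /* EB rel8          jmp short                  */
    HOOK_JMP_FAR,     /* EA ptr16:32      jmp far                    */
    HOOK_JMP_IND,     /* FF 25 disp32     jmp dword ptr [disp32]     */
    HOOK_CALL_IND,    /* FF 15 disp32     call dword ptr [disp32]    */
    HOOK_PUSH_RET     /* 68 imm32 C3      push imm32 ; ret           */
} hook_kind;

typedef struct {
    hook_kind kind;
    uint32_t  target; /* jump destination, or the pointer slot for FF 25 / FF 15 */
} hook_result;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* code/len: bytes at the export's entry point; va: the export's virtual address,
 * needed to resolve the relative forms. Length checks stop a truncated read from
 * being misclassified. */
hook_result classify_prologue(const uint8_t *code, size_t len, uint32_t va)
{
    hook_result r = { HOOK_NONE, 0 };
    if (len >= 5 && code[0] == 0xE9) {
        r.kind = HOOK_JMP_REL32;
        r.target = va + 5 + rd32(code + 1);        /* uint32 wraparound == sign-extended rel32 */
    } else if (len >= 2 && code[0] == 0xEB) {
        r.kind = HOOK_JMP_REL8;
        r.target = va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    } else if (len >= 7 && code[0] == 0xEA) {
        r.kind = HOOK_JMP_FAR;
        r.target = rd32(code + 1);                 /* offset part; selector in code[5..6] ignored */
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.kind = HOOK_JMP_IND;
        r.target = rd32(code + 2);                 /* address of the pointer slot */
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x15) {
        r.kind = HOOK_CALL_IND;
        r.target = rd32(code + 2);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.kind = HOOK_PUSH_RET;
        r.target = rd32(code + 1);
    }
    return r;
}

typedef struct {
    const char    *name;
    uint32_t       va;
    const uint8_t *code;
    size_t         len;
} export_entry;

/* Heuristic (my assumption, not stated by the thread): a stub whose target stays
 * inside [mod_base, mod_base+mod_size) is treated as a legitimate intra-module jump
 * and not reported; one that leaves the image is counted as a foreign hook. */
int count_foreign_hooks(const export_entry *exports, size_t n,
                        uint32_t mod_base, uint32_t mod_size)
{
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        hook_result r = classify_prologue(exports[i].code, exports[i].len, exports[i].va);
        if (r.kind == HOOK_NONE) continue;
        int inside = r.target >= mod_base && (r.target - mod_base) < mod_size;
        if (!inside) hooked++;
    }
    return hooked;
}

/* Constructed sample prologues (not captured from any real process). */
static const uint8_t kClean[]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };             /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t kJmpRel32[] = { 0xE9, 0x00, 0x10, 0x00, 0x00 };             /* jmp +0x1000 (stays in module)      */
static const uint8_t kJmpRel8[]  = { 0xEB, 0xF9 };                               /* jmp short -7 (hot-patch style)     */
static const uint8_t kJmpInd[]   = { 0xFF, 0x25, 0x00, 0x00, 0x10, 0x7C };       /* jmp dword ptr [0x7C100000]         */
static const uint8_t kCallInd[]  = { 0xFF, 0x15, 0x00, 0x00, 0x10, 0x7C };       /* call dword ptr [0x7C100000]        */
static const uint8_t kPushRet[]  = { 0x68, 0x00, 0x00, 0x01, 0x10, 0xC3 };       /* push 0x10010000 ; ret              */
static const uint8_t kJmpFar[]   = { 0xEA, 0x00, 0x00, 0x01, 0x10, 0x1B, 0x00 }; /* jmp far 001B:10010000              */

/* Constructed module: base 0x77E00000, size 0x100000 (hypothetical values). */
int demo_scan(void)
{
    const uint32_t base = 0x77E00000u, size = 0x100000u;
    const export_entry exports[] = {
        { "CleanExport",   base + 0x1000, kClean,    sizeof kClean    },
        { "LocalStub",     base + 0x2000, kJmpRel32, sizeof kJmpRel32 },
        { "IndirectHook",  base + 0x3000, kJmpInd,   sizeof kJmpInd   },
        { "PushRetHook",   base + 0x4000, kPushRet,  sizeof kPushRet  },
    };
    return count_foreign_hooks(exports, 4, base, size);
}

int main(void)
{
    printf("foreign hooks in constructed module: %d\n", demo_scan());
    return 0;
}
```

Running the stand-alone build prints 2: the indirect jmp and the push/ret both land outside the constructed module, while the clean prologue and the intra-module relative jmp are left alone. On a real system the same classifier would be fed the bytes read at each export's address, and the FF 25 / FF 15 forms would need one more read to dereference the pointer slot before the range check.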