User Mode Hook Scanner (Alpha)


News category: Video
Source: malwaretech.com

I finally decided to write my first security tool, based on an idea I had for advanced hook detection. I couldn't find any evidence of the method being used, so I based a tool around it. It's still a work in progress, but I'm posting it so I can get some feedback early on (currently only x86 systems are supported, but this shouldn't be an issue as most researchers are running 32-bit VMs).



Advanced Scanning

The scanner will iterate the export table of the following system modules: ntdll.dll, kernel32.dll, kernelbase.dll, user32.dll, ws2_32.dll, and wininet.dll. Like a conventional scanner, it will go through each instruction of every exported function, comparing it against a clean copy of the DLL loaded from disk. Normally at this point a hook scanner would either report the modification or check whether it's a jump or call, but I've decided to take an extra step towards detecting obscure hooks.

Function Emulation

If any modification is found at any point within the function body, the scanner will use my basic x86 emulator to begin emulating the function, while tracing push, pop, mov, lea, jmp, call, and ret instructions. The emulator will try to determine if control flow is altered by the modified instructions and if so, which instruction redirects execution and to where.

The purpose of the emulator is to detect more obscure hooks as well as to accurately determine the destination of the hook, beyond resolving basic jump and call instructions. A good example of where this applies is the hooks Carberp places within the native call stubs of ntdll.

Consider this example call stub:
mov eax, 0xAA
mov edx, 0x7FFE0300
call dword ptr [edx]
retn 0x10
This function does not use a relative call; instead it moves a pointer into the edx register and performs an absolute indirect call through it. Carberp replaces the address moved into the edx register, redirecting the call to an arbitrary location without showing up in hook scanners that search only for jmp/call hooks. More advanced hook scanners will log any modification; however, the user would then have to disassemble the modified function and determine the destination address of the hook themselves, which my engine does automatically (if it fails to resolve the location or detect a control transfer, the modification will still be logged for further investigation).
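The scan-then-emulate flow described in the two sections above, as an added example in Python that is not MalwareTech's code. It works on constructed byte strings instead of a live process, decodes only the mov/push/ret/jmp/call forms it needs (no lea or pop), and marks every register or stack value produced by a modified instruction as tainted, so a `call dword ptr [edx]` whose edx came from a patched mov is reported as the redirecting instruction with the destination read through the pointer, exactly the Carberp case. FUNC_BASE, the MEMORY pointer table, the stub bytes and the three hooked variants are all constructed for the demo; read_dword stands in for a four-byte ReadProcessMemory.

```python
"""Added example (not the scanner's own code): diff an exported function against
its clean copy, then emulate it to find which instruction redirects control flow."""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # x86 reg-field order
MAX_STEPS = 64                                                   # loop guard


def find_modifications(clean, live):
    """Offsets at which the in-memory copy differs from the clean on-disk copy."""
    return [i for i, (c, l) in enumerate(zip(clean, live)) if c != l]


def decode(code, off):
    """Decode one instruction of the traced subset: (mnemonic, operand, length), else None."""
    op = code[off]
    if 0xB8 <= op <= 0xBF:                           # mov r32, imm32
        return "mov", (REGS[op - 0xB8], struct.unpack_from("<I", code, off + 1)[0]), 5
    if op == 0x68:                                   # push imm32
        return "push", struct.unpack_from("<I", code, off + 1)[0], 5
    if op == 0xC3:                                   # ret
        return "ret", 0, 1
    if op == 0xC2:                                   # retn imm16
        return "ret", struct.unpack_from("<H", code, off + 1)[0], 3
    if op in (0xE8, 0xE9):                           # call rel32 / jmp rel32
        return ("call" if op == 0xE8 else "jmp"), struct.unpack_from("<i", code, off + 1)[0], 5
    if op == 0xFF and off + 1 < len(code):           # FF /2 = call, FF /4 = jmp, [reg] operand
        modrm = code[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 0 and reg in (2, 4) and rm not in (4, 5):   # rm 4/5 need SIB/disp32: skipped
            return ("call_ind" if reg == 2 else "jmp_ind"), REGS[rm], 2
    return None


def emulate(live, base, modified, read_dword):
    """Trace from the entry; registers and stack hold (value, tainted) pairs,
    tainted meaning the value was produced by a modified instruction."""
    regs, stack, off = {}, [], 0
    for _ in range(MAX_STEPS):
        ins = decode(live, off) if 0 <= off < len(live) else None
        if ins is None:
            return {"status": "unresolved", "stopped_at": off}
        mnem, operand, length = ins
        dirty = any(off <= m < off + length for m in modified)
        if mnem == "mov":
            regs[operand[0]] = (operand[1], dirty)
        elif mnem == "push":
            stack.append((operand, dirty))
        elif mnem in ("jmp", "call"):
            target = base + off + length + operand
            if dirty:
                return {"status": "hooked", "at": off, "via": mnem, "target": target}
            if mnem == "jmp":                        # clean jump away: nothing redirected
                return {"status": "no_redirect"}
        elif mnem in ("call_ind", "jmp_ind"):
            ptr = regs.get(operand)                  # (address held in reg, tainted)
            target = read_dword(ptr[0]) if ptr else None
            if target is None:                       # register or memory unknown
                return {"status": "unresolved", "stopped_at": off}
            if dirty or ptr[1]:
                return {"status": "hooked", "at": off, "via": mnem, "target": target}
            if mnem == "jmp_ind":
                return {"status": "no_redirect"}
        elif mnem == "ret":
            if stack:
                target, tainted = stack.pop()
                if dirty or tainted:
                    return {"status": "hooked", "at": off, "via": "push/ret", "target": target}
            return {"status": "no_redirect"}
        off += length
    return {"status": "unresolved", "stopped_at": off}


def scan_function(clean, live, base, read_dword):
    """Log every modified offset; emulate only when something actually differs."""
    modified = find_modifications(clean, live)
    if not modified:
        return {"status": "clean", "modified_offsets": []}
    result = emulate(live, base, set(modified), read_dword)
    result["modified_offsets"] = modified
    return result


# Constructed demo data: the addresses and pointer values are made up.
FUNC_BASE = 0x77E0F120                     # where the stub sits in the scanned process
MEMORY = {0x7FFE0300: 0x77E0F9C0,          # slot the clean stub calls through
          0x00410000: 0x00410010}          # rootkit pointer slot -> its injected code
read_dword = MEMORY.get                    # stands in for a 4-byte ReadProcessMemory

CLEAN_STUB = bytes.fromhex("B8AA000000"    # mov eax, 0xAA
                           "BA0003FE7F"    # mov edx, 0x7FFE0300
                           "FF12"          # call dword ptr [edx]
                           "C21000")       # retn 0x10
CARBERP_STYLE = bytes.fromhex("B8AA000000" "BA00004100" "FF12" "C21000")  # only edx imm changed
PUSH_RET_HOOK = bytes.fromhex("6800004300" "C3") + CLEAN_STUB[6:]         # push imm32; ret


def jmp_hook(clean, base, target):
    """Classic inline hook: the first five bytes replaced by jmp rel32."""
    return b"\xE9" + struct.pack("<i", target - (base + 5)) + clean[5:]
```

Calling `scan_function(CLEAN_STUB, CARBERP_STYLE, FUNC_BASE, read_dword)` reports the modified offsets 7, 8 and 9 (inside the mov edx immediate) and a hook at offset 10 via the indirect call, with the destination 0x00410010 read through the replaced pointer; a byte changed somewhere that never affects control flow (for instance the retn immediate) comes back as "no_redirect" with the offset still logged, and an opcode outside the traced subset comes back as "unresolved", both of which a real scanner would surface for manual follow-up.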

Destination Dumping

Most rootkits hook by injecting their code (usually shellcode or a PE file) into the target process; the hooks are then set to point to locations within the injected code. If the tool is able to work out the destination of a hook, it will query the page it points to and then map out all pages allocated with the same base address. Using this information it is possible to dump the rootkit's entire shellcode, injected PE or DLL, even if it spans multiple pages.
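The page walk described above, as an added example in Python that is not the scanner's own code. It assumes a VirtualQueryEx-style region table of (BaseAddress, RegionSize, AllocationBase, State) records, constructed here rather than read from a process, and starts from the allocation's first page rather than from the hooked page itself so that pages before the hook destination are not missed; reserved-but-uncommitted pages are skipped because they cannot be read, and adjacent committed regions (typically the same allocation with different protections) are merged into one span. The MEM_* values are the Windows state flags; every address in REGIONS is made up.

```python
"""Added example (not the scanner's own code): from a resolved hook destination,
collect every committed page of the allocation containing it, the way a walk of
VirtualQueryEx results keyed on AllocationBase would."""

MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000  # Windows region state flags

# Constructed region table standing in for successive VirtualQueryEx answers:
# (BaseAddress, RegionSize, AllocationBase, State).  All addresses are made up.
REGIONS = [
    (0x00400000, 0x01000, 0x00400000, MEM_COMMIT),   # host exe headers
    (0x00401000, 0x0F000, 0x00400000, MEM_COMMIT),   # host exe sections
    (0x00410000, 0x03000, 0x00410000, MEM_COMMIT),   # injected code pages
    (0x00413000, 0x02000, 0x00410000, MEM_COMMIT),   # same allocation, data pages
    (0x00415000, 0x01000, 0x00410000, MEM_RESERVE),  # reserved tail, never committed
    (0x00416000, 0x0A000, 0x00000000, MEM_FREE),     # free gap (AllocationBase is NULL)
]


def virtual_query(regions, addr):
    """Region record containing addr, or None if it lies outside the table."""
    for rec in regions:
        base, size = rec[0], rec[1]
        if base <= addr < base + size:
            return rec
    return None


def map_allocation(regions, hook_target):
    """Committed [start, end) spans of the allocation hook_target falls in,
    merged where adjacent, so the whole injected blob can be dumped at once."""
    hit = virtual_query(regions, hook_target)
    if hit is None or hit[3] != MEM_COMMIT:
        return []                       # hook points at unmapped memory: nothing to dump
    alloc_base = hit[2]
    spans, addr = [], alloc_base        # walk forward from the allocation's first page
    while True:
        rec = virtual_query(regions, addr)
        if rec is None or rec[2] != alloc_base:
            break                       # left the allocation (or reached free memory)
        base, size, _, state = rec
        if state == MEM_COMMIT:
            if spans and spans[-1][1] == base:
                spans[-1] = (spans[-1][0], base + size)   # extend the previous span
            else:
                spans.append((base, base + size))
        addr = base + size
    return spans


def dump_size(spans):
    """Total number of bytes a dump of these spans would contain."""
    return sum(end - start for start, end in spans)
```

With the constructed table, a hook resolved to 0x00410010 yields the single span 0x00410000-0x00415000 (0x5000 bytes to read out with ReadProcessMemory), while a destination inside the reserved or free regions yields nothing, which is the case a scanner should log rather than attempt to dump.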

Conclusion

Again, this is a work in progress and I can't guarantee the current version won't be a huge steaming pile of crap. Please email any feedback/issues to [email protected] or leave a comment on this post.

Here's a demo video to prove it does at least work on my system:



Download Link: https://www.malwaretech.net/downloads/HookScanner.rar
...












