User Mode Hook Scanner (Alpha)
News category: Video
Source: malwaretech.com
Advanced Scanning
    mov eax, 0xAA
    mov edx, 0x7FFE0300
    call dword ptr [edx]
    retn 0x10

This function (a 32-bit ntdll system call stub) does not use a relative call. Instead it moves a pointer into the edx register and performs an absolute indirect call through it; 0x7FFE0300 is the SystemCall pointer in the shared user data page, which normally holds the address of ntdll's KiFastSystemCall. Carberp simply replaces the immediate that is moved into edx, so the call is redirected to an arbitrary location without a jmp or call opcode ever being written, and hook scanners that only search for jmp/call hooks miss it entirely. More advanced hook scanners log any modification of the function bytes, but the user would then have to disassemble the modified function and work out the destination address of the hook by hand. My engine does this automatically: it follows the control transfer and resolves the destination address, and if it fails to resolve the location or to detect a control transfer at all, the modification is still logged for further investigation.
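As an added example (this is not the scanner from the page, nor Carberp's code), the following C snippet shows how a scanner can go beyond byte-diffing: it decodes the stub pattern above, follows the indirect call through the edx pointer slot the way the CPU would, and flags the Carberp-style modification that a jmp/call-only scanner misses, while still reporting a direct jmp hook and logging anything it cannot resolve. The stub bytes, the ntdll image range, the SharedUserData slot contents, the stub address and the hook addresses are all constructed for the example; a real scanner would read the target process with ReadProcessMemory instead of the in-memory table used here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Addresses below are assumptions for this constructed example, not measured values. */
#define KUSER_SYSCALL_SLOT 0x7FFE0300u  /* SharedUserData!SystemCall pointer (32-bit Windows) */
#define NTDLL_LO           0x77F00000u  /* assumed ntdll.dll image range */
#define NTDLL_HI           0x78000000u

enum verdict {
    V_CLEAN,             /* expected stub, pointer slot and destination both as expected */
    V_DIRECT_JMP,        /* E9 rel32 written over the entry: the classic inline hook */
    V_DIRECT_CALL,       /* E8 rel32 written over the entry */
    V_INDIRECT_REDIRECT, /* mov edx, imm32 / call [edx] resolves somewhere unexpected */
    V_UNRESOLVED         /* no recognised control transfer: log the bytes for manual analysis */
};

struct scan_result {
    enum verdict verdict;
    uint32_t slot;        /* pointer slot read by the indirect call, 0 if none */
    uint32_t destination; /* resolved transfer target, 0 if not resolved */
};

/* Memory reader abstraction; a real scanner would wrap ReadProcessMemory here. */
typedef int (*read_dword_fn)(uint32_t va, uint32_t *out, void *ctx);

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the first bytes of a 32-bit syscall stub located at code_va and resolve its transfer target. */
struct scan_result scan_syscall_stub(const uint8_t *code, size_t len, uint32_t code_va,
                                     read_dword_fn rd, void *ctx)
{
    struct scan_result r = { V_UNRESOLVED, 0, 0 };
    if (len < 5)
        return r;

    /* Relative jmp/call at the entry: what simple hook scanners look for. */
    if (code[0] == 0xE9 || code[0] == 0xE8) {
        r.destination = code_va + 5 + le32(code + 1); /* unsigned wrap-around == signed rel32 */
        r.verdict = (code[0] == 0xE9) ? V_DIRECT_JMP : V_DIRECT_CALL;
        return r;
    }

    /* Expected shape: mov eax, imm32 ; mov edx, imm32 ; call dword ptr [edx] ; retn imm16 */
    if (len < 12 || code[0] != 0xB8 || code[5] != 0xBA || code[10] != 0xFF || code[11] != 0x12)
        return r;
    r.slot = le32(code + 6);

    /* Follow the pointer the way the CPU would instead of only diffing bytes against disk. */
    if (rd(r.slot, &r.destination, ctx) != 0)
        return r; /* slot unreadable: the modification still gets logged as V_UNRESOLVED */

    int foreign_slot  = (r.slot != KUSER_SYSCALL_SLOT);
    int outside_ntdll = (r.destination < NTDLL_LO || r.destination >= NTDLL_HI);
    r.verdict = (foreign_slot || outside_ntdll) ? V_INDIRECT_REDIRECT : V_CLEAN;
    return r;
}

/* Constructed memory image: the real SharedUserData slot and one planted by the hooker. */
static const struct { uint32_t va, value; } sample_mem[] = {
    { KUSER_SYSCALL_SLOT, 0x77F04510u }, /* -> ntdll!KiFastSystemCall (assumed address) */
    { 0x00350000u,        0x00410000u }, /* planted slot -> hook handler (assumed address) */
};

static int read_sample_mem(uint32_t va, uint32_t *out, void *ctx)
{
    (void)ctx;
    for (size_t i = 0; i < sizeof sample_mem / sizeof sample_mem[0]; i++)
        if (sample_mem[i].va == va) { *out = sample_mem[i].value; return 0; }
    return -1;
}

#define STUB_VA 0x77F12000u /* assumed address of the stub inside ntdll */

/* The stub from the page as bytes: mov eax,0xAA ; mov edx,0x7FFE0300 ; call [edx] ; retn 0x10 */
static const uint8_t clean_stub[]   = { 0xB8,0xAA,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x10,0x00 };
/* Carberp-style edit: only the edx immediate changes, no jmp/call opcode is ever written. */
static const uint8_t carberp_stub[] = { 0xB8,0xAA,0x00,0x00,0x00, 0xBA,0x00,0x00,0x35,0x00, 0xFF,0x12, 0xC2,0x10,0x00 };
/* Conventional inline hook for contrast: jmp rel32 from STUB_VA to 0x00410000. */
static const uint8_t jmp_stub[]     = { 0xE9,0xFB,0xDF,0x4F,0x88, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x10,0x00 };

int main(void)
{
    static const char *names[] = { "clean", "direct jmp", "direct call", "indirect redirect", "unresolved" };
    const uint8_t *stubs[] = { clean_stub, carberp_stub, jmp_stub };
    const char *labels[]   = { "original stub", "carberp stub", "jmp hook" };
    for (int i = 0; i < 3; i++) {
        struct scan_result r = scan_syscall_stub(stubs[i], 15, STUB_VA, read_sample_mem, NULL);
        printf("%-14s %-18s slot=%08X destination=%08X\n", labels[i], names[r.verdict], r.slot, r.destination);
    }
    return 0;
}
```

The point of the design is that the verdict comes from where control actually ends up, not from which bytes changed: the Carberp stub differs from the original by four bytes of immediate and contains no jmp or call opcode, yet resolving the pointer slot shows the call landing outside ntdll. Extending the decoder to further stub shapes (or replacing it with a real disassembler) leaves the resolution and range check unchanged.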
Destination Dumping
Conclusion
Here's a demo video to prove it does at least work on my system:
Download Link: https://www.malwaretech.net/downloads/HookScanner.rar