├── unHookedSyscall
├── x64
│ └── Debug
│ │ ├── unHookedSyscall.vcxproj.FileListAbsolute.txt
│ │ ├── vc143.idb
│ │ ├── vc143.pdb
│ │ ├── unHookedSyscall.ilk
│ │ ├── unHookedSyscall.obj
│ │ ├── unHookedSyscall.tlog
│ │ ├── CL.read.1.tlog
│ │ ├── CL.write.1.tlog
│ │ ├── link.read.1.tlog
│ │ ├── CL.command.1.tlog
│ │ ├── link.command.1.tlog
│ │ ├── link.write.1.tlog
│ │ └── unHookedSyscall.lastbuildstate
│ │ ├── unHookedSyscall.log
│ │ ├── unHookedSyscall.exe.recipe
│ │ └── unHookedSyscall.Build.CppClean.log
├── unHookedSyscall.vcxproj.user
├── unHookedSyscall.vcxproj.filters
├── unHookedSyscall.cpp
└── unHookedSyscall.vcxproj
├── x64
└── Debug
│ ├── unHookedSyscall.exe
│ └── unHookedSyscall.pdb
├── unHookedSyscall.sln
└── README.md
/unHookedSyscall/x64/Debug/unHookedSyscall.vcxproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/x64/Debug/unHookedSyscall.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/x64/Debug/unHookedSyscall.exe
--------------------------------------------------------------------------------
/x64/Debug/unHookedSyscall.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/x64/Debug/unHookedSyscall.pdb
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/vc143.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/vc143.idb
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/vc143.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/vc143.pdb
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/unHookedSyscall.ilk
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/unHookedSyscall.obj
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.log:
--------------------------------------------------------------------------------
1 | unHookedSyscall.cpp
2 | unHookedSyscall.vcxproj -> C:\Users\Operator\Desktop\Packt\HookedSyscall\unHookedSyscall\x64\Debug\unHookedSyscall.exe
3 |
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberSecurityUP/SyscallHookDetector/HEAD/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/unHookedSyscall/unHookedSyscall.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.tlog/unHookedSyscall.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.35.32215:TargetPlatformVersion=10.0.22000.0:
2 | Debug|x64|C:\Users\Operator\Desktop\Packt\HookedSyscall\unHookedSyscall\|
3 |
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.exe.recipe:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | C:\Users\Operator\Desktop\Packt\HookedSyscall\unHookedSyscall\x64\Debug\unHookedSyscall.exe
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/unHookedSyscall/unHookedSyscall.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/unHookedSyscall/x64/Debug/unHookedSyscall.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\vc143.pdb
2 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\vc143.idb
3 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.obj
4 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.ilk
5 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.exe
6 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.pdb
7 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.tlog\cl.command.1.tlog
8 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.tlog\cl.read.1.tlog
9 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.tlog\cl.write.1.tlog
10 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.tlog\link.command.1.tlog
11 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.tlog\link.read.1.tlog
12 | c:\users\operator\desktop\packt\hookedsyscall\unhookedsyscall\unhookedsyscall\x64\debug\unhookedsyscall.tlog\link.write.1.tlog
13 |
--------------------------------------------------------------------------------
/unHookedSyscall.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.5.33530.505
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unHookedSyscall", "unHookedSyscall\unHookedSyscall.vcxproj", "{5B620DFF-4C84-4176-95EE-D35071F22B94}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {5B620DFF-4C84-4176-95EE-D35071F22B94}.Debug|x64.ActiveCfg = Debug|x64
17 | {5B620DFF-4C84-4176-95EE-D35071F22B94}.Debug|x64.Build.0 = Debug|x64
18 | {5B620DFF-4C84-4176-95EE-D35071F22B94}.Debug|x86.ActiveCfg = Debug|Win32
19 | {5B620DFF-4C84-4176-95EE-D35071F22B94}.Debug|x86.Build.0 = Debug|Win32
20 | {5B620DFF-4C84-4176-95EE-D35071F22B94}.Release|x64.ActiveCfg = Release|x64
21 | {5B620DFF-4C84-4176-95EE-D35071F22B94}.Release|x64.Build.0 = Release|x64
22 | {5B620DFF-4C84-4176-95EE-D35071F22B94}.Release|x86.ActiveCfg = Release|Win32
23 | {5B620DFF-4C84-4176-95EE-D35071F22B94}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {7167C567-7519-4D4E-88F8-36F154BFFBE2}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SyscallHookDetector
2 |
3 | **SyscallHookDetector** is a C++ tool designed to detect hooked syscalls in the `ntdll.dll` library on Windows systems. This tool scans exported syscalls in `ntdll.dll` and checks for potential hooks or modifications by analyzing the function's prologue and common redirection instructions like `jmp` and `call`.
4 |
5 | ## Features
6 |
7 | - Detects hooked or modified syscalls (e.g., `Nt` or `Zw` functions).
8 | - Compares the function's prologue with the standard syscall stub.
9 | - Flags potential hooks using common indicators like `jmp` and `call` instructions.
10 | - Simple and efficient approach to syscall hook detection.
11 |
12 | ## How It Works
13 |
14 | The tool walks the named exports of the `ntdll.dll` that is already mapped into its own process and compares the first four bytes of every `Nt`/`Zw` function against the expected stub prologue to determine whether the entry point has been altered. On x64, a syscall stub starts with:
15 |
16 | ```assembly
17 | 4c 8b d1 b8
18 | ```
19 |
20 | If those bytes do not match the expected prologue—for example because a redirection (`jmp` or `call`) has been written over the entry point—the tool flags the function as hooked or potentially modified. Only the first four bytes are inspected, so a modification placed deeper in the stub is not detected.
21 |
22 | ## Usage
23 |
24 | 1. Clone the repository:
25 |
26 | ```bash
27 | git clone https://github.com/CyberSecurityUP/SyscallHookDetector.git
28 | ```
29 |
30 | 2. Open the project in your preferred C++ development environment.
31 |
32 | 3. Compile and run the program on a Windows system.
33 |
34 | 4. The tool will output a list of syscalls and indicate whether each function is hooked or not.
35 |
36 | ## Example Output
37 |
38 | ```plaintext
39 | Not hooked: NtCreateFile : 0x7ffb31a3b210
40 | Hooked or modified: NtOpenProcess : 0x7ffb31a3b360
41 | ```
42 |
43 | ## Requirements
44 |
45 | - Windows operating system
46 | - C++ Compiler (MSVC, MinGW, etc.)
47 | - `Windows.h` for accessing Windows APIs
48 |
49 | ## License
50 |
51 | This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for more information.
52 |
53 | ---
54 |
55 | ## Contribution
56 |
57 | Contributions are welcome! Feel free to submit issues or pull requests for new features or bug fixes.
58 |
59 | ---
60 |
61 | ## Disclaimer
62 |
63 | This tool is for educational and research purposes only. Use it responsibly and in compliance with local laws.
64 |
65 | ---
66 |
67 | ### Author
68 |
69 | - Joas Antonio dos Santos
70 |
71 | ---
72 |
73 | ### References
74 |
75 | - https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
76 | - https://github.com/Helixo32/SimpleEDR
77 | - https://github.com/Mr-Un1k0d3r/EDRs
78 | - https://docs.redteamleaders.com/offensive-security/windows-internals-and-api/detection-of-hooked-syscalls-in-ntdll.dll
79 |
--------------------------------------------------------------------------------
/unHookedSyscall/unHookedSyscall.cpp:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <string.h>
3 |
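// Reports whether the code at functionAddress still begins with the x64 ntdll
// syscall stub prologue (mov r10, rcx ; mov eax, imm32 == 4C 8B D1 B8).
//
// functionAddress: entry point of an exported routine inside the mapped ntdll.
//                  At least 4 bytes must be readable there. nullptr is treated as
//                  "cannot verify" and reported as hooked instead of dereferenced.
//
// Returns false when the prologue matches (looks like an unmodified stub) and
// true for anything else, including an E9 (jmp rel32) or E8 (call rel32) that a
// hooking engine has written over the entry.
//
// Limitations worth keeping in mind when reading the output:
//  - Only the first 4 bytes are inspected; a patch placed deeper in the stub
//    (over the syscall number or the `syscall` instruction itself) is not seen.
//  - The signature is the x64 stub. The solution also defines Win32 (x86)
//    configurations; a 32-bit build will report every Nt/Zw export as hooked
//    because 32-bit stubs do not begin with these bytes.
//  - The comparison is against a hard-coded pattern, not a clean on-disk copy of
//    ntdll, so a changed stub layout in a future Windows build is indistinguishable
//    from a hook.
bool IsHookedFunction(PVOID functionAddress)
{
    // Expected first bytes of an x64 ntdll syscall stub: mov r10, rcx ; mov eax, imm32
    static const unsigned char kSyscallPrologue[4] = { 0x4c, 0x8b, 0xd1, 0xb8 };

    if (functionAddress == nullptr)
    {
        return true; // nothing to inspect; flag rather than crash on a null read
    }

    // The original code special-cased E8/E9 after a failed prologue compare but
    // returned true on both paths, so one comparison expresses the same decision:
    // anything that is not the expected prologue is reported as hooked/modified.
    return memcmp(functionAddress, kSyscallPrologue, sizeof(kSyscallPrologue)) != 0;
}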
23 |
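// Enumerates the named exports of the ntdll mapped into this process and prints,
// for every Nt*/Zw* export, whether its entry bytes still look like an unmodified
// syscall stub (see IsHookedFunction).
//
// Returns 0 after the scan, 1 if ntdll could not be resolved or its PE headers /
// export directory are not where they are expected to be.
//
// Notes:
//  - The image inspected is the copy already loaded in this process, so any
//    user-mode hook installed before main() runs is what gets observed. Nothing
//    is compared against an on-disk copy of ntdll.
//  - Forwarded exports are not special-cased; ntdll's Nt/Zw exports are plain stubs.
int main()
{
    // ntdll is mapped into every process before main() runs; LoadLibraryA just
    // returns the existing module base (and bumps its reference count).
    HMODULE libraryBase = LoadLibraryA("ntdll");
    if (libraryBase == nullptr)
    {
        printf("Failed to resolve ntdll (error %lu)\n", GetLastError());
        return 1;
    }

    // Walk the PE headers to the export directory, validating the signatures so a
    // bad base pointer fails loudly instead of being dereferenced blindly.
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)libraryBase;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("ntdll base does not start with a DOS header\n");
        return 1;
    }

    PIMAGE_NT_HEADERS imageNTHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)libraryBase + dosHeader->e_lfanew);
    if (imageNTHeaders->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("ntdll NT header signature mismatch\n");
        return 1;
    }

    DWORD exportDirectoryRVA = imageNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (exportDirectoryRVA == 0)
    {
        printf("ntdll has no export directory\n");
        return 1;
    }
    PIMAGE_EXPORT_DIRECTORY imageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD_PTR)libraryBase + exportDirectoryRVA);

    // Parallel export tables: names[i] -> nameOrdinals[i] -> functions[nameOrdinals[i]]
    PDWORD addressOfFunctions = (PDWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfFunctions);
    PDWORD addressOfNames = (PDWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfNames);
    PWORD addressOfNameOrdinals = (PWORD)((DWORD_PTR)libraryBase + imageExportDirectory->AddressOfNameOrdinals);

    for (DWORD i = 0; i < imageExportDirectory->NumberOfNames; i++)
    {
        const char* functionName = (const char*)((DWORD_PTR)libraryBase + addressOfNames[i]);

        // Only Nt*/Zw* exports are syscall stubs; every other export has a
        // different prologue and would be mis-reported as hooked.
        if (strncmp(functionName, "Nt", 2) != 0 && strncmp(functionName, "Zw", 2) != 0)
        {
            continue;
        }

        // Guard the indirection through the ordinal table before using it as an index.
        WORD ordinal = addressOfNameOrdinals[i];
        if (ordinal >= imageExportDirectory->NumberOfFunctions)
        {
            printf("Skipping %s: name ordinal %u out of range\n", functionName, ordinal);
            continue;
        }
        PVOID functionAddress = (PVOID)((DWORD_PTR)libraryBase + addressOfFunctions[ordinal]);

        if (IsHookedFunction(functionAddress))
        {
            printf("Hooked or modified: %s : %p\n", functionName, functionAddress);
        }
        else
        {
            printf("Not hooked: %s : %p\n", functionName, functionAddress);
        }
    }

    return 0;
}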
71 |
--------------------------------------------------------------------------------
/unHookedSyscall/unHookedSyscall.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {5b620dff-4c84-4176-95ee-d35071f22b94}
25 | unHookedSyscall
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v143
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v143
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v143
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v143
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | true
77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
78 | true
79 |
80 |
81 | Console
82 | true
83 |
84 |
85 |
86 |
87 | Level3
88 | true
89 | true
90 | true
91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 | true
98 | true
99 |
100 |
101 |
102 |
103 | Level3
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | true
118 | true
119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | true
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
--------------------------------------------------------------------------------