├── Detector.sln
├── Detector
    ├── Detector.cpp
    ├── Detector.vcxproj
    ├── Detector.vcxproj.filters
    └── Detector.vcxproj.user
├── LICENSE
└── README.md


/Detector.sln:
--------------------------------------------------------------------------------
 1 | ﻿
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.4.33213.308
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Detector", "Detector\Detector.vcxproj", "{53AFDE73-5251-4FD0-B877-DBFB4F359128}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{53AFDE73-5251-4FD0-B877-DBFB4F359128}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{53AFDE73-5251-4FD0-B877-DBFB4F359128}.Debug|x64.Build.0 = Debug|x64
18 | 		{53AFDE73-5251-4FD0-B877-DBFB4F359128}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{53AFDE73-5251-4FD0-B877-DBFB4F359128}.Debug|x86.Build.0 = Debug|Win32
20 | 		{53AFDE73-5251-4FD0-B877-DBFB4F359128}.Release|x64.ActiveCfg = Release|x64
21 | 		{53AFDE73-5251-4FD0-B877-DBFB4F359128}.Release|x64.Build.0 = Release|x64
22 | 		{53AFDE73-5251-4FD0-B877-DBFB4F359128}.Release|x86.ActiveCfg = Release|Win32
23 | 		{53AFDE73-5251-4FD0-B877-DBFB4F359128}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {74E5A3E4-26C0-4F93-A59E-8B704689D3F4}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/Detector/Detector.cpp:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <windows.h>
  3 | #include <winternl.h>
  4 | 
  5 | BOOL DetectHook(LPVOID hookedfuncaddr) {
  6 |     BYTE realbytes[] = "\x4C\x8B\xD1\xB8";
  7 |     if (memcmp(realbytes, hookedfuncaddr, 4) == 0) {
  8 |         return true;
  9 |     }
 10 |     else {
 11 |         return false;
 12 |     }
 13 | }
 14 | 
 15 | void Banner() {
 16 |     printf(R"EOF(
 17 | 
 18 |     _   ___ ___   _  _          _   _             ___      _          _           
 19 |    /_\ | _ \_ _| | || |___  ___| |_(_)_ _  __ _  |   \ ___| |_ ___ __| |_ ___ _ _ 
 20 |   / _ \|  _/| |  | __ / _ \/ _ \ / / | ' \/ _` | | |) / -_)  _/ -_) _|  _/ _ \ '_|
 21 |  /_/ \_\_| |___| |_||_\___/\___/_\_\_|_||_\__, | |___/\___|\__\___\__|\__\___/_|  
 22 |                                           |___/                        
 23 |                                   
 24 |                                     [Coded by Brosck]
 25 |                                          [v2.0]
 26 | 
 27 | )EOF");
 28 | }
 29 | 
 30 | void Help(char* progname) {
 31 |     printf(R"EOF(usage: %s OUTPUT
 32 |     options:
 33 |       OUTPUT,                   output file
 34 | )EOF", progname);
 35 | }
 36 | 
 37 | int main(int argc, char* argv[]) {
 38 |     bool hasHook = false;
 39 | 
 40 |     HMODULE ntdll = LoadLibraryA("ntdll.dll");
 41 |     if (ntdll == NULL) {
 42 |         printf("[-] Error loading ntdll.dll\n");
 43 |         return 1;
 44 |     }
 45 | 
 46 |     if (argv[1] == NULL) {
 47 |         Banner();
 48 |         Help(argv[0]);
 49 |         return 1;
 50 |     }
 51 | 
 52 |     PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)ntdll;
 53 |     PIMAGE_NT_HEADERS nt_headers = (PIMAGE_NT_HEADERS)((char*)dos_header + dos_header->e_lfanew);
 54 |     PIMAGE_EXPORT_DIRECTORY exports = (PIMAGE_EXPORT_DIRECTORY)((char*)ntdll + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
 55 | 
 56 |     DWORD* function_names = (DWORD*)((char*)ntdll + exports->AddressOfNames);
 57 | 
 58 |     int outputfname = strlen(argv[1]) + 1;
 59 |     int wlen = MultiByteToWideChar(CP_UTF8, 0, argv[1], outputfname, NULL, 0);
 60 |     wchar_t* wdmpout = (wchar_t*)malloc(wlen * sizeof(wchar_t));
 61 |     MultiByteToWideChar(CP_UTF8, 0, argv[1], outputfname, wdmpout, wlen);
 62 |     HANDLE outputf = CreateFileW(wdmpout, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 63 |     char breakline[] = "\n";
 64 | 
 65 |     Banner();
 66 |     puts("[*] NT API being hooked:");
 67 |     puts("=========================================================================================");
 68 |     for (int i = 0; i < exports->NumberOfFunctions; i++) {
 69 |         char* ntFunction = (char*)ntdll + function_names[i];
 70 |         //printf("%s\n", ntFunction);
 71 |         if (strncmp(ntFunction, "Nt", 2) == 0) {
 72 |             if (strncmp(ntFunction, "NtdllDialogWndProc", 18) != 0 && strncmp(ntFunction, "NtdllDefWindowProc", 18) != 0) {       // blacklist nt funcs
 73 |                 FARPROC procaddr = GetProcAddress(ntdll, (LPCSTR)ntFunction);
 74 |                 if (procaddr == NULL) {
 75 |                     printf("[-] Error finding function %s\n", ntFunction);
 76 |                     return 1;
 77 |                 }
 78 |                 LPBYTE lpprocaddr = (LPBYTE)procaddr;
 79 |                 DWORD dwprocaddr = *(DWORD*)lpprocaddr;
 80 |                 char realbytes[] = "0xB8D18B4C";
 81 |                 DWORD Written;
 82 | 
 83 |                 if (strncmp(ntFunction, "NtQuerySystemTime", 17) == 0 && memcmp("\xE9\x4B", procaddr, 2) != 0) {
 84 |                     hasHook = true;
 85 |                     printf("[-] %s [%s != 0x%02X]\n", ntFunction, "0x****4BE9", dwprocaddr);
 86 |                     WriteFile(outputf, ntFunction, strlen(ntFunction), &Written, NULL);
 87 |                     WriteFile(outputf, breakline, strlen(breakline), &Written, NULL);
 88 |                 }
 89 |                 else if (strncmp(ntFunction, "NtGetTickCount", 14) == 0 && memcmp("\xB9\x20", procaddr, 2) != 0) {
 90 |                     hasHook = true;
 91 |                     printf("[-] %s [%s != 0x%02X]\n", ntFunction, "0x****20B9", dwprocaddr);
 92 |                     WriteFile(outputf, ntFunction, strlen(ntFunction), &Written, NULL);
 93 |                     WriteFile(outputf, breakline, strlen(breakline), &Written, NULL);
 94 |                 }
 95 |                 else if (strncmp(ntFunction, "NtQuerySystemTime", 17) != 0 && strncmp(ntFunction, "NtGetTickCount", 14) != 0 && !DetectHook(procaddr)) {
 96 |                     hasHook = true;
 97 |                     printf("[-] %s [%s != 0x%02X]\n", ntFunction, realbytes, dwprocaddr);
 98 |                     WriteFile(outputf, ntFunction, strlen(ntFunction), &Written, NULL);
 99 |                     WriteFile(outputf, breakline, strlen(breakline), &Written, NULL);
100 |                 }
101 |             }
102 |         }
103 |     }
104 | 
105 |     if (!hasHook) {
106 |         puts("[+] You are safe, there is no hook in the NT API");
107 |     }
108 | 
109 |     puts("=========================================================================================");
110 | 
111 |     CloseHandle(outputf);
112 |     FreeLibrary(ntdll);
113 |     return 0;
114 | }
115 | 


--------------------------------------------------------------------------------
/Detector/Detector.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{53afde73-5251-4fd0-b877-dbfb4f359128}</ProjectGuid>
 25 |     <RootNamespace>Detector</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <ClCompile>
 75 |       <WarningLevel>Level3</WarningLevel>
 76 |       <SDLCheck>true</SDLCheck>
 77 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 78 |       <ConformanceMode>true</ConformanceMode>
 79 |     </ClCompile>
 80 |     <Link>
 81 |       <SubSystem>Console</SubSystem>
 82 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 83 |     </Link>
 84 |   </ItemDefinitionGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 89 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 97 |       <OptimizeReferences>true</OptimizeReferences>
 98 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 99 |     </Link>
100 |   </ItemDefinitionGroup>
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
102 |     <ClCompile>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <FunctionLevelLinking>true</FunctionLevelLinking>
117 |       <IntrinsicFunctions>true</IntrinsicFunctions>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
125 |       <OptimizeReferences>true</OptimizeReferences>
126 |       <GenerateDebugInformation>true</GenerateDebugInformation>
127 |     </Link>
128 |   </ItemDefinitionGroup>
129 |   <ItemGroup>
130 |     <ClCompile Include="Detector.cpp">
131 |       <RuntimeLibrary Condition="'$(Configuration)|$(Platform)'=='Release|x64'">MultiThreaded</RuntimeLibrary>
132 |     </ClCompile>
133 |   </ItemGroup>
134 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
135 |   <ImportGroup Label="ExtensionTargets">
136 |   </ImportGroup>
137 | </Project>


--------------------------------------------------------------------------------
/Detector/Detector.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | ﻿<?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Arquivos de Origem">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Arquivos de Cabeçalho">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Arquivos de Recurso">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="Detector.cpp">
19 |       <Filter>Arquivos de Origem</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/Detector/Detector.vcxproj.user:
--------------------------------------------------------------------------------
1 | ﻿<?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 MrEmpy
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # 「⚙️」API Hooking Detector
 2 | Detect which native Windows API's (NtAPI) are being hooked
 3 | 
 4 | ## Usage
 5 | 
 6 | ```
 7 | PS C:> .\Detector.exe output.txt
 8 | 
 9 | 
10 |     _   ___ ___   _  _          _   _             ___      _          _
11 |    /_\ | _ \_ _| | || |___  ___| |_(_)_ _  __ _  |   \ ___| |_ ___ __| |_ ___ _ _
12 |   / _ \|  _/| |  | __ / _ \/ _ \ / / | ' \/ _` | | |) / -_)  _/ -_) _|  _/ _ \ '_|
13 |  /_/ \_\_| |___| |_||_\___/\___/_\_\_|_||_\__, | |___/\___|\__\___\__|\__\___/_|
14 |                                           |___/
15 | 
16 |                                     [Coded by brosck]
17 |                                          [v2.0]
18 | 
19 | [*] NT API being hooked:
20 | =========================================================================================
21 | [+] You are safe, there is no hook in the NT API
22 | =========================================================================================
23 | ```
24 | 


--------------------------------------------------------------------------------