├── .github └── FUNDING.yml ├── .vs └── HookFinder │ ├── FileContentIndex │ ├── 6996a67d-0f67-4875-8921-06496a080535.vsidx │ └── read.lock │ └── v17 │ └── .suo ├── CHANGELOG.md ├── HookFinder.sln ├── HookFinder.vcxproj ├── HookFinder.vcxproj.filters ├── HookFinder.vcxproj.user ├── Main.c ├── README.md ├── Structs.h ├── demo └── demo.png ├── x64 └── Release │ ├── HookFinder.Build.CppClean.log │ ├── HookFinder.exe │ ├── HookFinder.exe.recipe │ ├── HookFinder.iobj │ ├── HookFinder.ipdb │ ├── HookFinder.log │ ├── HookFinder.pdb │ ├── HookFinder.tlog │ ├── CL.command.1.tlog │ ├── CL.read.1.tlog │ ├── CL.write.1.tlog │ ├── HookFinder.lastbuildstate │ ├── HookFinder.write.1u.tlog │ ├── link.command.1.tlog │ ├── link.read.1.tlog │ └── link.write.1.tlog │ ├── HookFinder.vcxproj.FileListAbsolute.txt │ ├── Main.obj │ └── vc143.pdb └── ~AutoRecover.HookFinder.vcxproj /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: fin3ss3g0d 2 | -------------------------------------------------------------------------------- /.vs/HookFinder/FileContentIndex/6996a67d-0f67-4875-8921-06496a080535.vsidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/.vs/HookFinder/FileContentIndex/6996a67d-0f67-4875-8921-06496a080535.vsidx -------------------------------------------------------------------------------- /.vs/HookFinder/FileContentIndex/read.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/.vs/HookFinder/FileContentIndex/read.lock -------------------------------------------------------------------------------- /.vs/HookFinder/v17/.suo: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/.vs/HookFinder/v17/.suo -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # 07/15/2023 2 | 3 | Made the announcement of my transition into `GitHub Sponsors` as well as added a `Sponsor` button. -------------------------------------------------------------------------------- /HookFinder.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.3.32804.467 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookFinder", "HookFinder.vcxproj", "{9D827A36-C3B2-4603-9A26-CFEBBA3952C8}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {9D827A36-C3B2-4603-9A26-CFEBBA3952C8}.Debug|x64.ActiveCfg = Debug|x64 17 | {9D827A36-C3B2-4603-9A26-CFEBBA3952C8}.Debug|x64.Build.0 = Debug|x64 18 | {9D827A36-C3B2-4603-9A26-CFEBBA3952C8}.Debug|x86.ActiveCfg = Debug|Win32 19 | {9D827A36-C3B2-4603-9A26-CFEBBA3952C8}.Debug|x86.Build.0 = Debug|Win32 20 | {9D827A36-C3B2-4603-9A26-CFEBBA3952C8}.Release|x64.ActiveCfg = Release|x64 21 | {9D827A36-C3B2-4603-9A26-CFEBBA3952C8}.Release|x64.Build.0 = Release|x64 22 | {9D827A36-C3B2-4603-9A26-CFEBBA3952C8}.Release|x86.ActiveCfg = Release|Win32 23 | {9D827A36-C3B2-4603-9A26-CFEBBA3952C8}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | 
GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {DC7BA02A-DDDF-45CE-9BC2-A28DADA642AD} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /HookFinder.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {9d827a36-c3b2-4603-9a26-cfebba3952c8} 25 | HookFinder 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | MultiByte 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | -------------------------------------------------------------------------------- /HookFinder.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | 
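{93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /HookFinder.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Main.c: --------------------------------------------------------------------------------
/*
Author: Dylan Evans (fin3ss3g0d)
Credits: https://github.com/trickster0
*/

#include <windows.h>
#include "Structs.h"
#include <stdio.h>
#include <string.h>

/*--------------------------------------------------------------------
Function prototypes.
--------------------------------------------------------------------*/
PTEB RtlGetThreadEnvironmentBlock();
BOOL GetImageExportDirectory(
    _In_ PVOID pModuleBase,
    _Out_ PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory
);
int HookFinder(
    _In_ PVOID pModuleBase,
    _In_ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory
);

/*--------------------------------------------------------------------
Entry point.

Walks from the TEB to the PEB loader list, takes the second module of
InMemoryOrderModuleList (conventionally ntdll.dll; the name is not
verified here), resolves its export directory and hands it to
HookFinder, which prints one line per Nt/Zw-prefixed export.

Returns 0 on success, 1 when the TEB/PEB/loader data cannot be read,
when the OS major version is not 10, or when the export directory
cannot be located.
--------------------------------------------------------------------*/
INT wmain() {

    PTEB pCurrentTeb = RtlGetThreadEnvironmentBlock();
    // Test the TEB pointer BEFORE reading ProcessEnvironmentBlock through it;
    // the original dereferenced it first and checked it afterwards.
    if (!pCurrentTeb)
        return 0x1;

    PPEB pCurrentPeb = pCurrentTeb->ProcessEnvironmentBlock;
    // 0xA: only major version 10 (Windows 10 / 11 both report 10) is handled,
    // because the syscall-stub layout the byte checks assume belongs to it.
    if (!pCurrentPeb || !pCurrentPeb->LoaderData || pCurrentPeb->OSMajorVersion != 0xA)
        return 0x1;

    // Get NTDLL module: first list entry is the executable, the next is ntdll.
    // CONTAINING_RECORD replaces the hard-coded "- 0x10", which is the offset of
    // InMemoryOrderLinks only on x64 (it is 0x8 on x86, where LIST_ENTRY is 8 bytes).
    PLIST_ENTRY pNtdllLinks = pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink;
    PLDR_DATA_TABLE_ENTRY pLdrDataEntry = CONTAINING_RECORD(pNtdllLinks, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);

    // Get the EAT of NTDLL
    PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
    if (!GetImageExportDirectory(pLdrDataEntry->DllBase, &pImageExportDirectory) || pImageExportDirectory == NULL)
        return 0x01;

    printf("************ BEGIN HOOK DETECTION ************\n");
    HookFinder(pLdrDataEntry->DllBase, pImageExportDirectory);

    return 0x00;
}

/*--------------------------------------------------------------------
Returns the current thread's TEB by reading the NT_TIB.Self pointer
from the segment register the OS reserves for it.
--------------------------------------------------------------------*/
PTEB RtlGetThreadEnvironmentBlock() {
#if _WIN64
    // x64: NT_TIB.Self lives at gs:[0x30].
    return (PTEB)__readgsqword(0x30);
#else
    // x86: NT_TIB.Self lives at fs:[0x18]. The original read fs:[0x16], which is
    // not a field boundary (it straddles ArbitraryUserPointer and Self) and
    // therefore returned garbage on 32-bit builds.
    return (PTEB)__readfsdword(0x18);
#endif
}

/*--------------------------------------------------------------------
Resolves the export directory of a loaded PE image.

  pModuleBase             base address of a module mapped by the loader
  ppImageExportDirectory  receives a pointer to the export directory, or
                          NULL on failure

Returns TRUE when the DOS/NT signatures match and the image has an
export table, FALSE otherwise. e_lfanew is not bounds-checked: the
image is assumed to be one the loader mapped, not an untrusted file.
--------------------------------------------------------------------*/
BOOL GetImageExportDirectory(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory) {
    *ppImageExportDirectory = NULL;
    if (!pModuleBase) {
        return FALSE;
    }

    // Get DOS header
    PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pModuleBase;
    if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return FALSE;
    }

    // Get NT headers
    PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pModuleBase + pImageDosHeader->e_lfanew);
    if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        return FALSE;
    }

    // Get the EAT. IMAGE_DIRECTORY_ENTRY_EXPORT is index 0, the literal the
    // original used. A module with no export table carries RVA 0 here; without
    // this check the caller would interpret the module base as a directory.
    DWORD dwExportRva = pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    if (dwExportRva == 0) {
        return FALSE;
    }
    *ppImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pModuleBase + dwExportRva);
    return TRUE;
}

/*--------------------------------------------------------------------
Scans every named Nt/Zw-prefixed export for an inline hook.

  pModuleBase            base address of the module the directory belongs to
  pImageExportDirectory  its export directory (from GetImageExportDirectory)

Two patterns are reported: 0xE9 (near JMP rel32) as the very first byte
of the stub, or 0xE9 at offset 3. Anything else is printed as "no hooks",
so a hook that uses a different instruction sequence is not detected by
this check. Returns 0 on completion, 1 on a NULL argument.
--------------------------------------------------------------------*/
int HookFinder(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory) {
    if (!pModuleBase || !pImageExportDirectory) {
        return 1;
    }

    PDWORD pdwAddressOfFunctions = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfFunctions);
    PDWORD pdwAddressOfNames = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNames);
    PWORD pwAddressOfNameOrdinals = (PWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);

    // DWORD, not WORD: NumberOfNames is a DWORD, and a WORD counter would never
    // terminate against an export table with more than 65535 names.
    for (DWORD cx = 0; cx < pImageExportDirectory->NumberOfNames; cx++) {
        PCHAR pczFunctionName = (PCHAR)((PBYTE)pModuleBase + pdwAddressOfNames[cx]);
        // Forwarded exports would point into the export directory itself rather
        // than at code; ntdll's Nt/Zw stubs are not expected to be forwarders.
        PBYTE pbStub = (PBYTE)pModuleBase + pdwAddressOfFunctions[pwAddressOfNameOrdinals[cx]];

        // Only the system-call stubs are of interest.
        if (strncmp(pczFunctionName, "Nt", 2) != 0 && strncmp(pczFunctionName, "Zw", 2) != 0) {
            continue;
        }

        // Excluded by the original author; presumably because this stub does not
        // follow the plain syscall layout on the targeted builds — confirm before
        // relying on the exclusion.
        if (strstr(pczFunctionName, "QuerySystemTime")) {
            continue;
        }

        if (pbStub[0] == 0xE9) {
            printf("[+] %s is hooked with JMP at first byte!\n", pczFunctionName);
        }
        else if (pbStub[3] == 0xE9) {
            printf("[+] %s is hooked with JMP at third byte!\n", pczFunctionName);
        }
        else {
            // Typo in the original message ("detetcted") corrected.
            printf("[*] No hooks detected for %s!\n", pczFunctionName);
        }
    }

    return 0;
}
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# HookFinder

A simple PoC to locate hooked functions within ntdll.dll to further EDR evasion research.

## About

This PoC uses the same checks that [TartarusGate](https://github.com/trickster0/TartarusGate) uses in order to find hooked system calls. Breaking it down further, the first and third bytes of a function are checked for the bytes matching a JMP instruction. If either are a match, this is a good indicator that the function is hooked.

## Demo

The below screenshot is a demo running the program against an endpoint with EDR.

![demo](demo/demo.png)

## A Word About Sponsorship

On `July 15, 2023` I created my `GitHub Sponsors` sponsorship tiers. Be sure to check them out to find out what kind of perks you could be getting!

## Credits

Code heavily borrowed from [TartarusGate](https://github.com/trickster0/TartarusGate).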
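-------------------------------------------------------------------------------- /Structs.h: --------------------------------------------------------------------------------
#pragma once
/* Supplies LIST_ENTRY, HANDLE, NT_TIB, GUID, LARGE_INTEGER and the NTDDI_* macros used below. */
#include <windows.h>

/*--------------------------------------------------------------------
STRUCTURES

Hand-written definitions of undocumented user-mode NT structures
(PEB, TEB, loader entries). Main.c only reads
TEB.ProcessEnvironmentBlock, PEB.LoaderData, PEB.OSMajorVersion,
PEB_LDR_DATA.InMemoryOrderModuleList and
LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks / DllBase; the widths of the
remaining fields are not guaranteed to match the SDK's private layout,
so treat other offsets with care before relying on them.
--------------------------------------------------------------------*/
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;

/* Older-style loader entry; not referenced by Main.c, which uses LDR_DATA_TABLE_ENTRY. */
typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID BaseAddress;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_MODULE, * PLDR_MODULE;

/* PEB.LoaderData points here; Main.c walks InMemoryOrderModuleList. */
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    ULONG Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, * PPEB_LDR_DATA;

typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    BOOLEAN Spare;
    HANDLE Mutant;
    PVOID ImageBase;
    PPEB_LDR_DATA LoaderData;          // read by Main.c
    PVOID ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PVOID FastPebLockRoutine;
    PVOID FastPebUnlockRoutine;
    ULONG EnvironmentUpdateCount;
    PVOID* KernelCallbackTable;
    PVOID EventLogSection;
    PVOID EventLog;
    PVOID FreeList;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[0x2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID ReadOnlySharedMemoryHeap;
    PVOID* ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    BYTE Spare2[0x4];
    LARGE_INTEGER CriticalSectionTimeout;
    ULONG HeapSegmentReserve;
    ULONG HeapSegmentCommit;
    ULONG HeapDeCommitTotalFreeThreshold;
    ULONG HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PVOID** ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    PVOID GdiDCAttributeList;
    PVOID LoaderLock;
    ULONG OSMajorVersion;              // read by Main.c (must be 0xA)
    ULONG OSMinorVersion;
    ULONG OSBuildNumber;
    ULONG OSPlatformId;
    ULONG ImageSubSystem;
    ULONG ImageSubSystemMajorVersion;
    ULONG ImageSubSystemMinorVersion;
    ULONG GdiHandleBuffer[0x22];
    ULONG PostProcessInitRoutine;
    ULONG TlsExpansionBitmap;
    BYTE TlsExpansionBitmapBits[0x80];
    ULONG SessionId;
} PEB, * PPEB;

typedef struct __CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;

typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
    ULONG Flags;
    PCHAR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;

typedef struct _TEB_ACTIVE_FRAME {
    ULONG Flags;
    struct _TEB_ACTIVE_FRAME* Previous;
    PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;

typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    ULONG HDC;
    ULONG Buffer[310];
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;

typedef PVOID PACTIVATION_CONTEXT;

typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
    // Self-referential link. The original spelled the tag with two leading
    // underscores, which silently declared a second, incomplete struct type.
    struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
    PACTIVATION_CONTEXT ActivationContext;
    ULONG Flags;
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;

typedef struct _ACTIVATION_CONTEXT_STACK {
    PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
    LIST_ENTRY FrameListCache;
    ULONG Flags;
    ULONG NextCookieSequenceNumber;
    ULONG StackId;
} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;

/* Thread Environment Block. Main.c only reads ProcessEnvironmentBlock. */
typedef struct _TEB {
    NT_TIB NtTib;
    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;      // read by Main.c
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG User32Reserved[26];
    ULONG UserReserved[5];
    PVOID WOW32Reserved;
    LCID CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[54];
    LONG ExceptionCode;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
    UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
    ULONG TxFsContext;
#elif (NTDDI_VERSION >= NTDDI_WS03)
    PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
    UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
#else
    ACTIVATION_CONTEXT_STACK ActivationContextStack;
    UCHAR SpareBytes1[24];
#endif
    GDI_TEB_BATCH GdiTebBatch;
    CLIENT_ID RealClientId;
    PVOID GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocalInfo;
    PSIZE_T Win32ClientInfo[62];
    PVOID glDispatchTable[233];
    PSIZE_T glReserved1[29];
    PVOID glReserved2;
    PVOID glSectionInfo;
    PVOID glSection;
    PVOID glTable;
    PVOID glCurrentRC;
    PVOID glContext;
    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[261];
    PVOID DeallocationStack;
    PVOID TlsSlots[64];
    LIST_ENTRY TlsLinks;
    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[2];
#if (NTDDI_VERSION >= NTDDI_WS03)
    ULONG HardErrorMode;
#else
    ULONG HardErrorsAreDisabled;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
    GUID ActivityId;
    PVOID SubProcessTag;
    PVOID EtwLocalData;
    PVOID EtwTraceData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
    PVOID Instrumentation[14];
    PVOID SubProcessTag;
    PVOID EtwLocalData;
#else
    PVOID Instrumentation[16];
#endif
    PVOID WinSockData;
    ULONG GdiBatchCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    BOOLEAN SpareBool0;
    BOOLEAN SpareBool1;
    BOOLEAN SpareBool2;
#else
    BOOLEAN InDbgPrint;
    BOOLEAN FreeStackOnTermination;
    BOOLEAN HasFiberData;
#endif
    UCHAR IdealProcessor;
#if (NTDDI_VERSION >= NTDDI_WS03)
    ULONG GuaranteedStackBytes;
#else
    ULONG Spare3;
#endif
    PVOID ReservedForPerf;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PVOID SavedPriorityState;
    ULONG_PTR SoftPatchPtr1;
    ULONG_PTR ThreadPoolData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
    ULONG_PTR SparePointer1;
    ULONG_PTR SoftPatchPtr1;
    ULONG_PTR SoftPatchPtr2;
#else
    // Wx86ThreadState is not declared anywhere in this header; this branch is
    // only compiled for pre-WS03 NTDDI_VERSION values and is presumably unused.
    Wx86ThreadState Wx86Thread;
#endif
    PVOID* TlsExpansionSlots;
#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
    PVOID DeallocationBStore;
    PVOID BStoreLimit;
#endif
    ULONG ImpersonationLocale;
    ULONG IsImpersonating;
    PVOID NlsCache;
    PVOID pShimData;
    ULONG HeapVirtualAffinity;
    HANDLE CurrentTransactionHandle;
    PTEB_ACTIVE_FRAME ActiveFrame;
#if (NTDDI_VERSION >= NTDDI_WS03)
    PVOID FlsData;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    PVOID PreferredLangauges;
    PVOID UserPrefLanguages;
    PVOID MergedPrefLanguages;
    ULONG MuiImpersonation;
    union
    {
        struct
        {
            USHORT SpareCrossTebFlags : 16;
        };
        USHORT CrossTebFlags;
    };
    union
    {
        struct
        {
            USHORT DbgSafeThunkCall : 1;
            USHORT DbgInDebugPrint : 1;
            USHORT DbgHasFiberData : 1;
            USHORT DbgSkipThreadAttach : 1;
            USHORT DbgWerInShipAssertCode : 1;
            USHORT DbgIssuedInitialBp : 1;
            USHORT DbgClonedThread : 1;
            USHORT SpareSameTebBits : 9;
        };
        USHORT SameTebFlags;
    };
    PVOID TxnScopeEntercallback;
    PVOID TxnScopeExitCAllback;
    PVOID TxnScopeContext;
    ULONG LockCount;
    ULONG ProcessRundown;
    ULONG64 LastSwitchTime;
    ULONG64 TotalSwitchOutTime;
    LARGE_INTEGER WaitReasonBitMap;
#else
    BOOLEAN SafeThunkCall;
    BOOLEAN BooleanSpare[3];
#endif
} TEB, * PTEB;

/* One node of the loader's module lists; Main.c recovers it from
   InMemoryOrderLinks and reads DllBase. */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;     // list head used by Main.c
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                     // read by Main.c
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    WORD LoadCount;
    WORD TlsIndex;
    union {
        LIST_ENTRY HashLinks;
        struct {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        ULONG TimeDateStamp;
        PVOID LoadedImports;
    };
    PACTIVATION_CONTEXT EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY ForwarderLinks;
    LIST_ENTRY ServiceTagLinks;
    LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    PVOID RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

typedef struct _INITIAL_TEB {
    PVOID StackBase;
    PVOID StackLimit;
    PVOID StackCommit;
    PVOID StackCommitMax;
    PVOID StackReserved;
} INITIAL_TEB, * PINITIAL_TEB;
-------------------------------------------------------------------------------- /demo/demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/demo/demo.png -------------------------------------------------------------------------------- /x64/Release/HookFinder.Build.CppClean.log: -------------------------------------------------------------------------------- 1 | b:\osep\payloads\c\edr\hookfinder\x64\release\vc143.pdb 2 | b:\osep\payloads\c\edr\hookfinder\x64\release\main.obj 3 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.ipdb 4 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.iobj 5 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.exe 6 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.pdb 7 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.tlog\cl.command.1.tlog 8 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.tlog\cl.read.1.tlog 9 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.tlog\cl.write.1.tlog 10 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.tlog\hookfinder.write.1u.tlog 11 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.tlog\link.command.1.tlog 12 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.tlog\link.read.1.tlog 13 | b:\osep\payloads\c\edr\hookfinder\x64\release\hookfinder.tlog\link.write.1.tlog 14 | -------------------------------------------------------------------------------- /x64/Release/HookFinder.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.exe --------------------------------------------------------------------------------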
/x64/Release/HookFinder.exe.recipe: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | B:\OSEP\Payloads\C\EDR\HookFinder\x64\Release\HookFinder.exe 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /x64/Release/HookFinder.iobj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.iobj -------------------------------------------------------------------------------- /x64/Release/HookFinder.ipdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.ipdb -------------------------------------------------------------------------------- /x64/Release/HookFinder.log: -------------------------------------------------------------------------------- 1 |  Main.c 2 | Generating code 3 | Previous IPDB not found, fall back to full compilation. 4 | All 7 functions were compiled because no usable IPDB/IOBJ from previous compilation was found. 
5 | Finished generating code 6 | HookFinder.vcxproj -> B:\OSEP\Payloads\C\EDR\HookFinder\x64\Release\HookFinder.exe 7 | -------------------------------------------------------------------------------- /x64/Release/HookFinder.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.pdb -------------------------------------------------------------------------------- /x64/Release/HookFinder.tlog/CL.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.tlog/CL.command.1.tlog -------------------------------------------------------------------------------- /x64/Release/HookFinder.tlog/CL.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.tlog/CL.read.1.tlog -------------------------------------------------------------------------------- /x64/Release/HookFinder.tlog/CL.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.tlog/CL.write.1.tlog -------------------------------------------------------------------------------- /x64/Release/HookFinder.tlog/HookFinder.lastbuildstate: -------------------------------------------------------------------------------- 1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.33.31629:TargetPlatformVersion=10.0.22621.0: 2 | Release|x64|B:\OSEP\Payloads\C\EDR\HookFinder\| 3 | -------------------------------------------------------------------------------- 
/x64/Release/HookFinder.tlog/HookFinder.write.1u.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.tlog/HookFinder.write.1u.tlog -------------------------------------------------------------------------------- /x64/Release/HookFinder.tlog/link.command.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.tlog/link.command.1.tlog -------------------------------------------------------------------------------- /x64/Release/HookFinder.tlog/link.read.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.tlog/link.read.1.tlog -------------------------------------------------------------------------------- /x64/Release/HookFinder.tlog/link.write.1.tlog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/HookFinder.tlog/link.write.1.tlog -------------------------------------------------------------------------------- /x64/Release/HookFinder.vcxproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | B:\OSEP\Payloads\C\EDR\HookFinder\x64\Release\HookFinder.exe 2 | -------------------------------------------------------------------------------- /x64/Release/Main.obj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/Main.obj 
-------------------------------------------------------------------------------- /x64/Release/vc143.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fin3ss3g0d/HookFinder/5af9ef21003ffd3cccb2608ca55cde7eed55f26a/x64/Release/vc143.pdb -------------------------------------------------------------------------------- /~AutoRecover.HookFinder.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {9d827a36-c3b2-4603-9a26-cfebba3952c8} 25 | HookFinder 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | MultiByte 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | --------------------------------------------------------------------------------