HookShark & HookShark64 Download

HookShark & HookShark64 Download 0.1 win10

Hexui Undetected CSGO Cheats PUBG Accounts
HookShark is a detector of installed hooks and patches installed on the system (only usermode for now). It scans through the code-section of every loaded module of each running process and compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user.

Currently implemented hook detection:

* - Inline patches / Hooks (NOP, Exceptionhandler, relative Jumps, Custom patches)
* - Other custom patches [...]
* - VTable Hooks
* - IAT and EAT Hooks
* - Relocation Hooks
* - Hardware Breakpoints
* - PAGE_GAURD Candidates



Why is IAT-Scanning / Hook-Scanning so slow? There are faster tools.

That's because other tools suck. They just walk the IAT Entrys and look for addresses that are out of the module bounds. Thats bollocks. The callback function of the hook, or a redirection (JMP) could be planted well within the module bounds, and there you have a stealth IAT Hook, which HookShark recognizes as "IAT - Local".
And HookShark scans EVERY IAT-Table of EVERY Module. Unlike some other tools, which just examine the main process module.

And Hook Shark does not only check for hooks in exported/known functions. No, byte by byte of disk/memory image is compared, and even one-byte-patches are revealed. That is only for read-only code-sections though.

What the hell is all that crap? So many patches WTF?

Hook Shark looks for differences between the disk image and the scanned memory. There might be cases where you are just looking at a packed module. To counter these false positives, there is an option to filter patches, which are bigger than n-bytes. (Look in the GlobalOptions Tab)

Sometimes after i scanned a process and want to scan another one and it crashes.

Yeah, i hate when that happens. I have no idea why. If i get my lazy ass on the debugger i try to check it out. Until then, just restart HookShark.

The mnemonics of patched instructions are wrongly displayed.

That's because HookShark just cant do a thorough analysis like IDA does for every module in this short time-span. The alignment of instructions is guessed and heuristically computed.

Disadvantages of HookShark64 0.1 in comparison with 0.9:
- Hooks of relocated .data pointers are not detected
- rudimentary vtable-hook detection not implemented yet
- No scanning for Code Injections takes place
- no disassembler, no hex editor
- no Class Instance Browser
- No Listing of code references
- Cant null a region (why would you need hookshark for this anyway?)
- Showing Pageguard Candidates (which was broken anyway)
- no unhook support yet

Advantages of Hook Shark 64 0.1:
- Full support of x64 processes
- like a 15 times faster or something (you will need at least SSE2)
- dumping modules from the module window
- sorting the process list (PID/ImageName)
- Exempt modules from being scanned (checkboxes in module window)
- a lot of Win7 fixes (ApiSetMap, thx to deroko)
- show function name of hook destination if available
- multithreading (IAT/EAT Hooks and Patchscanner have an own thread)
- it saves all settings/filters, window position and size in an ini file

You will get a lot of errors and bogus access violations in your log window. Why? Because checking everything carefully is slow. In 0.9 more checks were implented, which slowed the process down. In 64 0.1 many checks are omitted and simply wrapped around an exception handler. If an exception occurs, the next dll or the next codesection wil be scanned, without losing any results.

However, if HookShark really crashes, or the logwindow output is more suspicous than it should be, for example if you happen to know that it should have picked up something, then feel free to bugreport it right here in this thread.

Also: Beware using the Unchecking function for modules too carelessly. It can have some unwanted implications.
For example: If the unchecked module is the destination of a hook elsewhere, the listing in the hook-result-window might not be as detailed.
Another case would be: If the module has exports, which other modules import, it will show errors in the log and you might miss IAT hooks.

Version History
- Initial Release
- Fixed unchecking and checking an unlinked module being displayed as linked module (red -> blue)
- Show exact Hook Shark Version Number and Build in Log at startup
- fixed attempt to start x64server process on x86 platforms, when CPU was 64bit capable
- allow more user interactions with GUI while scanning
- the offset within a symbol is now shown (example:ntdll.dll!LdrLoadDll+0x15 )

We have to password protect the zip files because sometimes they are detected as malware. Our downloads are not malware, they are false positives and they are safe to download.



First release
Last update
0.00 star(s) 0 ratings

More resources from Rake

Latest updates

  1. now includes win10 x64 version

    now includes win10 x64 version
Community Mods