In the previous articles in the (IT-Security) section, we discussed and described the hooking methods in the video code, namely the Inline Hook DLL and the IAT (Import Access Table) Hook.

However, the question arises as to whether there is a tool that can detect individual methods of hookah. If we realize that in IAT Hook, it is necessary to load an infected library through the Inline Inject .dll. In the end, all we need to do is review / display all inline pinned libraries for the process. If the library is not found in the imported white list, it is displayed in the log and possibly recognized as infected.

In theory this should work, but the question is, is there a tool for similar detection?

For testing I used antirootkit Gmer and Ring3 API Hook Scanner.

The results were zero because neither of them could detect the loaded DLL modules.


I decided to write my own tool, Inline Hook Scanner Test results of all three tools are on the video:






Inline Hook Scanner is a tool that goes through all running processes and lists the attached modules. It recognizes inline hook modules.
The program contains whitelist files which is updatable. The program displays the resulting log with a list of loaded modules.
The program enumeratively goes through the running processes and lists the loaded (hooked) modules.
Malicious modules can be detected by file type.
The program scans the modules at Ring3 level.





Language: C++
Supported OS: Win.XP,7,8,Vista - 32/64 bit platform.
Last revision: 08.28 2016
Version: 3.8
Author: Diallix

   Download File:


[ Verzie ] –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––– [Updates] 
3.6 --- Program revision
3.5 --- Modifying and revising module access.
3.4 --- Test - core modification .
3.3 --- update of Whitelist.
3.2 --- WhiteList revision.
3.1 --- Code revision..
2.3 --- Added White List.
2.2 --- Add module for detecting loaded libraries.
2.1 --- Code revision.
2.0 --- Adding access right.
1.5 --- Creating the core of process management.
1.0 --- Creating the core of process access.