In the previous articles in the (IT-Security) section, we discussed and described the hooking methods in the video code, namely the Inline Hook DLL and the IAT (Import Access Table) Hook.
In theory this should work, but the question is, is there a tool for similar detection?
For testing I used antirootkit Gmer and Ring3 API Hook Scanner.
The results were zero because neither of them could detect the loaded DLL modules.
I decided to write my own tool, Inline Hook Scanner Test results of all three tools are on the video:
Inline Hook Scanner is a tool that goes through all running processes and lists the attached modules. It recognizes inline hook modules.
The program contains whitelist files which is updatable. The program displays the resulting log with a list of loaded modules.
The program enumeratively goes through the running processes and lists the loaded (hooked) modules.
Malicious modules can be detected by file type.
The program scans the modules at Ring3 level.
Mainframe
Scanning
InlineHookScanner.exe
---------------------------------------------------------------------
Language: C++
Supported OS: Win.XP,7,8,Vista - 32/64 bit platform.
Last revision: 08.28 2016
Version: 3.8
Author: Diallix
---------------------------------------------------------------------
[ Verzie ] –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––– [Updates]
3.6 --- Program revision
3.5 --- Modifying and revising module access.
3.4 --- Test - core modification .
3.3 --- update of Whitelist.
3.2 --- WhiteList revision.
3.1 --- Code revision..
2.3 --- Added White List.
2.2 --- Add module for detecting loaded libraries.
2.1 --- Code revision.
2.0 --- Adding access right.
1.5 --- Creating the core of process management.
1.0 --- Creating the core of process access.