29.12.2011, 02:20
Hey,
hier mal zwei Programme von dem unglaublich talentierten Coder/Hacker DeepBlueSea.
Hookshark 0.9
It has been one month only, and here i come with another big update.
And yes, it's worth it.
I am doing a quick overview of what has changed.
I am introducing the first tool that detects Hooks of VTables.
It does so by tracing certain assembly patterns and relocated blocks in the data section, that might be a table of virtual method-pointers.
If you set the verbosity high HookShark will also list all changed relocated function ptrs. in data sections.
Also all found global instances of polymorphic classes with VTables are listed in one section for your convinience to ease the analysis of your target.
So feel free to test around some stuff. HookShark might not find all virtual function tables. But this is hardly avoidable.
![[Bild: wutuqmn.png]](http://img9.abload.de/img/wutuqmn.png)
Next up is the new built-in Disassembler. Not much functionality. Just to grant a quick look at the area, if this is something worth exploring further with a debugger.
Some targets might fuck with us, guarding pages or even the modulelists. Also time-attacks to detect thread suspensions is a common technique.
So if the target crashes on scan or doesn't seem to be scannable, play around with the new Troubleshooting options in the Global Options Tab.
Also check out the new Credits Dialog. I included the old Chiptune, that you might know from 0.6.
Abso insisted on testing out the new bug-tracking system. So if you want to report bugs, then try it out:
http://forum.gamedeception.net/project.php?projectid=2
I don't know if i will use it. But it doesn't hurt to check it put. If you want to be extra sure, mention the bug here in this thread.
![[Bild: vtablehooksqou2.jpg]](http://img9.abload.de/img/vtablehooksqou2.jpg)
PS: Yeah i know. The pictures show version "0.8" :P
That's because im lazy to make new pictures.
Download:
http://rapidshare.com/files/416679944/Ho...k.rar.html
Changelog:
09-02-2010 - 1 -- Fixed memory leak. Thx to MiDoX
Hookshark x64
Instead of a closed BETA, i thought to myself, an open BETA would just be as good.
We are back at 0.1 with the postfix "64" added to "HookShark". All following releases will support x64. HookShark is dead. HookShark64 is the new "product-line".
But HookShark 0.9 might not become obsolete right away. Not every feature was reimplemented. So in some cases, falling back to 0.9 is the only choice.
Disadvantages of HookShark64 0.1 in comparison with 0.9:
- Hooks of relocated .data pointers are not detected
- rudimentary vtable-hook detection not implemented yet
- No scanning for Code Injections takes place
- no disassembler, no hex editor
- no Class Instance Browser
- No Listing of code references
- Cant null a region (why would you need hookshark for this anyway?)
- Showing Pageguard Candidates (which was broken anyway)
- no unhook support yet
Advantages of HookShark64 0.1:
- Full support of x64 processes
- like a 15 times faster or something (you will need at least SSE2)
- dumping modules from the module window
- sorting the process list (PID/ImageName)
- Exempt modules from being scanned (checkboxes in module window)
- a lot of Win7 fixes (ApiSetMap, thx to deroko)
- show function name of hook destination if available
- multithreading (IAT/EAT Hooks and Patchscanner have an own thread)
- it saves all settings/filters, window position and size in an ini file
You will get a lot of errors and bogus access violations in your log window. Why? Because checking everything carefully is slow. In 0.9 more checks were implented, which slowed the process down. In 64 0.1 many checks are omitted and simply wrapped around an exception handler. If an exception occurs, the next dll or the next codesection wil be scanned, without losing any results.
However, if HookShark really crashes, or the logwindow output is more suspicous than it should be, for example if you happen to know that it should have picked up something, then feel free to bugreport it right here in this thread.
Also: Beware using the Unchecking function for modules too carelessly. It can have some unwanted implications.
For example: If the unchecked module is the destination of a hook elsewhere, the listing in the hook-result-window might not be as detailed.
Another case would be: If the module has exports, which other modules import, it will show errors in the log and you might miss IAT hooks.
At last: A screenshot:
![[Bild: hshark251jww.jpg]](http://www.abload.de/img/hshark251jww.jpg)
Version History
0.1.0.0
- Initial Release
0.1.0.3
- Fixed unchecking and checking an unlinked module being displayed as linked module (red -> blue)
- Show exact HookShark Version Number and Build in Log at startup
0.1.0.5
- fixed attempt to start x64server process on x86 platforms, when CPU was 64bit capable
- allow more user interactions with GUI while scanning
0.1.0.6
- the offset within a symbol is now shown (example:ntdll.dll!LdrLoadDll+0x15 )
Download:
HookShark0.9.rar (Größe: 565,9 KB / Downloads: 3.062)
Hookshark x64:
HookShark64.rar (Größe: 2,32 MB / Downloads: 3.679)
Quelle:
http://www.gamedeception.net/threads/236...4-Beta-0.1
http://www.gamedeception.net/threads/205...ngeance%29
hier mal zwei Programme von dem unglaublich talentierten Coder/Hacker DeepBlueSea.
Hookshark 0.9
It has been one month only, and here i come with another big update.
And yes, it's worth it.
I am doing a quick overview of what has changed.
I am introducing the first tool that detects Hooks of VTables.
It does so by tracing certain assembly patterns and relocated blocks in the data section, that might be a table of virtual method-pointers.
If you set the verbosity high HookShark will also list all changed relocated function ptrs. in data sections.
Also all found global instances of polymorphic classes with VTables are listed in one section for your convinience to ease the analysis of your target.
So feel free to test around some stuff. HookShark might not find all virtual function tables. But this is hardly avoidable.
Next up is the new built-in Disassembler. Not much functionality. Just to grant a quick look at the area, if this is something worth exploring further with a debugger.
Some targets might fuck with us, guarding pages or even the modulelists. Also time-attacks to detect thread suspensions is a common technique.
So if the target crashes on scan or doesn't seem to be scannable, play around with the new Troubleshooting options in the Global Options Tab.
Also check out the new Credits Dialog. I included the old Chiptune, that you might know from 0.6.
Abso insisted on testing out the new bug-tracking system. So if you want to report bugs, then try it out:
http://forum.gamedeception.net/project.php?projectid=2
I don't know if i will use it. But it doesn't hurt to check it put. If you want to be extra sure, mention the bug here in this thread.
PS: Yeah i know. The pictures show version "0.8" :P
That's because im lazy to make new pictures.
Download:
http://rapidshare.com/files/416679944/Ho...k.rar.html
Changelog:
09-02-2010 - 1 -- Fixed memory leak. Thx to MiDoX
Hookshark x64
Instead of a closed BETA, i thought to myself, an open BETA would just be as good.
We are back at 0.1 with the postfix "64" added to "HookShark". All following releases will support x64. HookShark is dead. HookShark64 is the new "product-line".
But HookShark 0.9 might not become obsolete right away. Not every feature was reimplemented. So in some cases, falling back to 0.9 is the only choice.
Disadvantages of HookShark64 0.1 in comparison with 0.9:
- Hooks of relocated .data pointers are not detected
- rudimentary vtable-hook detection not implemented yet
- No scanning for Code Injections takes place
- no disassembler, no hex editor
- no Class Instance Browser
- No Listing of code references
- Cant null a region (why would you need hookshark for this anyway?)
- Showing Pageguard Candidates (which was broken anyway)
- no unhook support yet
Advantages of HookShark64 0.1:
- Full support of x64 processes
- like a 15 times faster or something (you will need at least SSE2)
- dumping modules from the module window
- sorting the process list (PID/ImageName)
- Exempt modules from being scanned (checkboxes in module window)
- a lot of Win7 fixes (ApiSetMap, thx to deroko)
- show function name of hook destination if available
- multithreading (IAT/EAT Hooks and Patchscanner have an own thread)
- it saves all settings/filters, window position and size in an ini file
You will get a lot of errors and bogus access violations in your log window. Why? Because checking everything carefully is slow. In 0.9 more checks were implented, which slowed the process down. In 64 0.1 many checks are omitted and simply wrapped around an exception handler. If an exception occurs, the next dll or the next codesection wil be scanned, without losing any results.
However, if HookShark really crashes, or the logwindow output is more suspicous than it should be, for example if you happen to know that it should have picked up something, then feel free to bugreport it right here in this thread.
Also: Beware using the Unchecking function for modules too carelessly. It can have some unwanted implications.
For example: If the unchecked module is the destination of a hook elsewhere, the listing in the hook-result-window might not be as detailed.
Another case would be: If the module has exports, which other modules import, it will show errors in the log and you might miss IAT hooks.
At last: A screenshot:
Version History
0.1.0.0
- Initial Release
0.1.0.3
- Fixed unchecking and checking an unlinked module being displayed as linked module (red -> blue)
- Show exact HookShark Version Number and Build in Log at startup
0.1.0.5
- fixed attempt to start x64server process on x86 platforms, when CPU was 64bit capable
- allow more user interactions with GUI while scanning
0.1.0.6
- the offset within a symbol is now shown (example:ntdll.dll!LdrLoadDll+0x15 )
Download:
HookShark0.9.rar (Größe: 565,9 KB / Downloads: 3.062)
Hookshark x64:
HookShark64.rar (Größe: 2,32 MB / Downloads: 3.679)
Quelle:
http://www.gamedeception.net/threads/236...4-Beta-0.1
http://www.gamedeception.net/threads/205...ngeance%29
"Auf dieser Welt gibt es mehr Scheisse als auf Festivalklos"
![[Bild: hoglogo_smalpxga.jpg]](http://h-2.abload.de/img/hoglogo_smalpxga.jpg)
![[Bild: signatur6akm7.gif]](https://abload.de/img/signatur6akm7.gif)