#21893 by beenu
Tue Jan 07, 2014 7:54 pm
Hi Friends,

Here is the updated version of the project.

Project home - http://hookanalyser.blogspot.in/2013/12 ... hreat.html


Change Summary -

In terms of improvements, a new module has been added - Cyber Threat Intelligence. The Threat Intel module is being created to gather and analyse information related to cyber threats and vulnerabilities. The module can be run using HookAnalyser.exe (via Option 6), or can be run directly.

The module presents information in a web browser (with a dashboard-like representation) with the following sections -

Threat Vectors - by (%) Country
Threat Vectors - by Geography
Malware Intelligence (Beta) 2013
Vulnerability / Threat Feed.
#28093 by beenu
Wed Mar 23, 2016 4:05 am
For those who're following this project, the new version has been released.

Key features added -

- ThreatIntel module can now parse pdf files as well (along with text and pcap files) for extracting IOCs, and can then perform keyboard-based intelligence on it
- Several bug-fixes and improved stability

link: http://www.hookanalyser.com/2016/03/hoo ... -news.html

For those who are interested in understanding the project roadmap, and in how the threat intel module, the malware analysis module and a "new" probe module will work together and the relevant use cases they address - http://www.hookanalyser.com/2016/03/upd ... oject.html
#28094 by Microwave89
Wed Mar 23, 2016 10:11 am
Hey, seems that your Hook Analyzer 3.3 process is not x86-64 aware when opening the respective image files for a process.

I externally opened notepad.exe, then chose to open and hook into a process (I pressed "2" on the welcome screen of Hook Analyzer) and entered the notepad.exe PID as told.
Next I got some extensive analysis results. However, the shown base address of the notepad.exe file did not seem to be the standard one for PE32+ (0x140000000).

Then I did a test and renamed the notepad.exe file in the \SystemRoot\SysWoW64\ directory.
I fired up Hook Analyzer 3.3 again and retried to open and hook into the newly started 64-bits notepad.exe.
This is what I got while the 64-bits notepad.exe was running perfectly fine:
[*] Welcome to interactive mode
[!] Displaying Modules for the process - 15292
[*] Process path is :c:\windows\system32\notepad.exe[+] Parsing the log files for high level summary
[!] Program exited
[+] Parsing the log files for high level summary
[+] Extracting any potential IP address
No more information was written in the log.
You are likely being redirected to the SysWoW64 directory.

The test system was a Windows 10 10586.103, x64 machine. The same test was conducted with another file in x64 mode.
I tested another file copied to the native System32\ as well, and the result was the same.
The analysis completed successfully whenever the process image file was not located in the native \SystemRoot\System32\ directory.

The option to spawn and hook into a process (pressing "1") only opens the correct file if I enter "C:\Windows\sysnative\notepad.exe".

Kind regards,
Microwave89
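The redirection described in the post above is WoW64 file-system redirection: a 32-bit tool that opens C:\Windows\System32\x.exe on 64-bit Windows is silently handed C:\Windows\SysWOW64\x.exe. The following is an added example (not code from Hook Analyser or from either poster) showing two checks such a tool can make: rewriting System32 to the Sysnative alias when the tool itself runs under WoW64, and reading the PE optional-header magic to confirm whether the file actually opened is PE32+ and what ImageBase it declares. The `tool_is_wow64` flag stands in for a real `IsWow64Process` call, and `build_test_pe` constructs a minimal fake header so the code runs offline.

```python
import re
import struct

PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header

# Matches <drive>:\Windows\System32\ (case-insensitive); group 2 is the trailing separator
_SYSTEM32 = re.compile(r"^([a-z]:\\windows\\)system32(\\|$)", re.IGNORECASE)


def native_path(path: str, tool_is_wow64: bool) -> str:
    """Path to open so a WoW64 (32-bit) tool reaches the native System32 file.
    tool_is_wow64 is assumed to come from IsWow64Process on the tool's own process."""
    if not tool_is_wow64:
        return path
    return _SYSTEM32.sub(lambda m: m.group(1) + "Sysnative" + m.group(2), path)


def pe_image_info(data: bytes) -> dict:
    """Parse just enough of a PE file to report bitness and declared ImageBase."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:          # ImageBase is 8 bytes at offset 24
        return {"bits": 64, "image_base": struct.unpack_from("<Q", data, opt + 24)[0]}
    if magic == PE32_MAGIC:              # ImageBase is 4 bytes at offset 28
        return {"bits": 32, "image_base": struct.unpack_from("<I", data, opt + 28)[0]}
    raise ValueError("unknown optional header magic 0x%x" % magic)


def build_test_pe(plus: bool, image_base: int) -> bytes:
    """Constructed minimal PE header (not a real binary) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    machine = 0x8664 if plus else 0x14C                           # AMD64 / I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)     # 20-byte COFF header
    if plus:
        opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 22 + struct.pack("<Q", image_base)
    else:
        opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 26 + struct.pack("<I", image_base)
    return dos + b"PE\0\0" + coff + opt
```

A tool that opens the Sysnative path and then sees `bits == 64` with the expected 0x140000000 base has reached the native image; a PE32 result with a 0x400000-style base means the SysWOW64 copy was opened instead.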