A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #10707  by DeepBlueSea
 Fri Dec 30, 2011 4:31 am
If you need a usermode hook scanner which can scan x64 processes, you can now use Hookshark64 to do that.
Remember: HookShark is a forensic tool with no self-defense and thus cannot be really considered to be an anti-rootkit.
We are back at 0.1 with the postfix "64" added to "HookShark". All following releases will support x64. HookShark is dead. HookShark64 is the new "product-line".
But HookShark 0.9 might not become obsolete right away. Not every feature was reimplemented. So in some cases, falling back to 0.9 is the only choice.

Disadvantages of HookShark64 0.1 in comparison with 0.9:
- Hooks of relocated .data pointers are not detected
- rudimentary vtable-hook detection not implemented yet
- No scanning for Code Injections takes place
- no disassembler, no hex editor
- no Class Instance Browser
- No Listing of code references
- Can't null a region (why would you need HookShark for this anyway?)
- Showing Pageguard Candidates (which was broken anyway)
- no unhook support yet

Advantages of HookShark64 0.1:
- Full support of x64 processes
- like 15 times faster or something (you will need at least SSE2)
- dumping modules from the module window
- sorting the process list (PID/ImageName)
- Exempt modules from being scanned (checkboxes in module window)
- a lot of Win7 fixes (ApiSetMap, thx to deroko)
- show function name of hook destination if available
- multithreading (IAT/EAT hooks and patchscanner each have their own thread)
- it saves all settings/filters, window position and size in an ini file

You will get a lot of errors and bogus access violations in your log window. Why? Because checking everything carefully is slow. In 0.9 more checks were implemented, which slowed the process down. In 64 0.1 many checks are omitted and simply wrapped in an exception handler. If an exception occurs, the next DLL or the next code section will be scanned, without losing any results.


However, if HookShark really crashes, or the log window output is more suspicious than it should be, for example if you happen to know that it should have picked up something, then feel free to bug report it right here in this thread.

Also: beware of using the unchecking function for modules too carelessly. It can have some unwanted implications.
For example: If the unchecked module is the destination of a hook elsewhere, the listing in the hook-result-window might not be as detailed.
Another case would be: If the module has exports, which other modules import, it will show errors in the log and you might miss IAT hooks.

Version History
0.1.0.0
- Initial Release
0.1.0.3
- Fixed unchecking and checking an unlinked module being displayed as linked module (red -> blue)
- Show exact HookShark Version Number and Build in Log at startup
0.1.0.5
- fixed attempt to start x64server process on x86 platforms, when CPU was 64bit capable
- allow more user interactions with GUI while scanning
0.1.0.6
- the offset within a symbol is now shown (example: ntdll.dll!LdrLoadDll+0x15)

http://www.mediafire.com/?43a5twp4k5d5uz9
 #10728  by Brock
 Sat Dec 31, 2011 12:24 pm
I'd recommend truncating addresses if HighPart of QWORD is NULL to that of an x86 hex expression to avoid 0x00000000 prefix. Easier on the eyes ;) Good work however
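As an added illustration of two points in this thread (not HookShark's own code): DeepBlueSea's description of the patch scanner and the symbol+offset naming introduced in 0.1.0.6 (ntdll.dll!LdrLoadDll+0x15), and Brock's suggestion above to print addresses without the 0x00000000 prefix when the HighPart of the QWORD is zero. The scanner below rebuilds the expected bytes of a module's code section from its on-disk image plus base relocations, diffs them against the bytes as mapped in the process, and reports every mismatch as a hook, symbolizing the hook site and, for a 5-byte jmp, its destination. Module names, bases, symbols and section bytes are all constructed for the example; nothing is read from a real process.

```python
"""Minimal inline-hook (patch) scanner in the style described in the thread.
All modules, symbols and section bytes are constructed sample data."""
import struct
from dataclasses import dataclass, field

MASK64 = 0xFFFFFFFFFFFFFFFF


@dataclass
class Module:
    name: str
    base: int                                    # address the module is mapped at
    size: int
    symbols: dict = field(default_factory=dict)  # export name -> RVA


def apply_relocations(section: bytes, reloc_offsets, delta: int) -> bytes:
    """Apply 64-bit absolute relocations (IMAGE_REL_BASED_DIR64 style) to a copy
    of the on-disk bytes, so legitimate loader fix-ups are not reported as patches."""
    buf = bytearray(section)
    for off in reloc_offsets:
        value = struct.unpack_from("<Q", buf, off)[0]
        struct.pack_into("<Q", buf, off, (value + delta) & MASK64)
    return bytes(buf)


def format_address(address: int) -> str:
    """Brock's suggestion: print like an x86 address when the HighPart is zero."""
    return f"0x{address:08X}" if address >> 32 == 0 else f"0x{address:016X}"


def symbolize(address: int, modules) -> str:
    """Nearest preceding export as 'module!Symbol+0xOff'; 'module+0xRVA' if none."""
    for m in modules:
        if m.base <= address < m.base + m.size:
            rva = address - m.base
            below = [(r, n) for n, r in m.symbols.items() if r <= rva]
            if not below:
                return f"{m.name}+0x{rva:x}"
            sym_rva, name = max(below)
            off = rva - sym_rva
            return f"{m.name}!{name}" + (f"+0x{off:x}" if off else "")
    return format_address(address)


def count_mismatches(a: bytes, b: bytes) -> int:
    """Naive raw diff: what a scanner would flag if it ignored relocations."""
    return sum(1 for x, y in zip(a, b) if x != y)


def scan_section(module, section_rva, disk_bytes, mem_bytes, reloc_offsets,
                 preferred_base, modules):
    """Report every run of bytes where memory differs from the relocated disk image."""
    expected = apply_relocations(disk_bytes, reloc_offsets, module.base - preferred_base)
    hooks, i, n = [], 0, len(expected)
    while i < n:
        if expected[i] == mem_bytes[i]:
            i += 1
            continue
        start = i
        while i < n and expected[i] != mem_bytes[i]:
            i += 1
        addr = module.base + section_rva + start
        hook = {"address": addr, "symbol": symbolize(addr, modules),
                "size": i - start, "destination": None}
        if mem_bytes[start] == 0xE9 and i - start >= 5:   # jmp rel32
            rel = struct.unpack_from("<i", mem_bytes, start + 1)[0]
            hook["destination"] = symbolize(addr + 5 + rel, modules)
        hooks.append(hook)
    return hooks


# Constructed sample: ntdll-like module hooked at LdrLoadDll+0x15 by a hypothetical hookdll.dll.
NTDLL = Module("ntdll.dll", 0x7FF800000000, 0x200000,
               {"LdrLoadDll": 0x1000, "LdrGetProcedureAddress": 0x1030})
HOOKDLL = Module("hookdll.dll", 0x7FF7F0000000, 0x10000, {"HookedLdrLoadDll": 0x1234})
MODULES = [NTDLL, HOOKDLL]
PREFERRED_BASE = 0x180000000   # image base recorded in the on-disk PE header
TEXT_RVA = 0x1000
RELOCS = [0x20]                # one absolute 64-bit pointer inside the section


def build_sample():
    """On-disk section bytes and the same section as mapped (relocated, then hooked)."""
    disk = bytearray(0x40 + k for k in range(0x40))
    struct.pack_into("<Q", disk, 0x20, PREFERRED_BASE + 0x1040)
    mem = bytearray(apply_relocations(bytes(disk), RELOCS, NTDLL.base - PREFERRED_BASE))
    target = HOOKDLL.base + 0x1234
    hook_at = NTDLL.base + TEXT_RVA + 0x15
    mem[0x15:0x1A] = b"\xE9" + struct.pack("<i", target - (hook_at + 5))
    return bytes(disk), bytes(mem)


def run_demo():
    disk, mem = build_sample()
    return scan_section(NTDLL, TEXT_RVA, disk, mem, RELOCS, PREFERRED_BASE, MODULES)


if __name__ == "__main__":
    for h in run_demo():
        print(f"{format_address(h['address'])} {h['symbol']} "
              f"({h['size']} bytes) -> {h['destination']}")
```

The relocation handling is the part worth noticing: a raw byte diff of the sample section flags the relocated pointer at offset 0x20 as well as the real 5-byte patch, which is the kind of false positive a scanner has to filter before it can attribute a mismatch to a hook.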
 #11052  by Johnny5
 Mon Jan 16, 2012 7:14 am
Thanks for continuing to work on this tool. I checked a while back and I thought this project had died.