Simple PoC to locate hooked functions by EDR in ntdll.dll

fin3ss3g0d/HookFinder

HookFinder

A simple PoC that locates hooked functions within ntdll.dll, written to further EDR evasion research.

About

This PoC uses the same checks that TartarusGate uses to find hooked system calls. Broken down further, the first and third bytes of each function are compared against the opcode of a JMP instruction. If either matches, that is a strong indicator that the function is hooked.

Demo

The screenshot below shows the program running against an endpoint with an EDR installed.

[demo screenshot]

A Word About Sponsorship

On July 15, 2023, I created my GitHub Sponsors sponsorship tiers. Be sure to check them out to find out what kind of perks you could be getting!

Credits

Code heavily borrowed from TartarusGate.
