Get the list of Hooked library functions

Most library hooking mechanisms use inline patching: most of the time an x86 "jmp" instruction is written over the first instruction of the hooked function. Here is a simple Immunity Debugger script that walks the exports of every loaded module and reports those whose first instruction is a jmp.

import immlib

def main(args):
    imm = immlib.Debugger()
    # getAllModules() maps module name -> module object, so iterate the pairs directly
    for name, module in imm.getAllModules().items():
        imm.Log("Module name %s" % name)
        if not module.symbols:
            continue
        for sym in module.symbols.values():
            # only exported symbols are interesting as hook targets
            if 'export' not in sym.getType().lower():
                continue
            # disassemble the first instruction of the export; a jmp there is
            # the signature of an inline hook
            if imm.disasm(sym.getAddress()).isJmp():
                imm.Log("\t%s == 0x%08X" % (sym.getName(), sym.getAddress()))
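The script above flags every export that starts with a jmp, which also catches legitimate thunks and forwarders. The following is an added, stand-alone example (not from the original post and not using the Immunity API) that shows the decoding behind `isJmp()` and adds the check a practitioner usually wants next: computing the jump target and reporting only exports whose first instruction leaves the module's own address range. The module base, size, export names, addresses and code bytes are all constructed sample values, not real dumps.

```python
import struct

# Constructed module layout (hypothetical base/size, not taken from the post).
MODULE_BASE = 0x7C800000
MODULE_SIZE = 0x00100000  # 1 MiB


def make_jmp_rel32(src, dst):
    """Build the 5-byte `E9 rel32` encoding of a jmp from src to dst (sample-data helper)."""
    rel = dst - (src + 5)
    return b"\xE9" + struct.pack("<i", rel)


def decode_leading_jmp(code, address):
    """Return (mnemonic, target) if the bytes located at `address` start with an x86 jmp.

    Recognised forms: E9 rel32 (near), EB rel8 (short) and FF 25 disp32
    (indirect through a 32-bit pointer slot; the slot address is reported
    because the slot's contents are not available here). Returns None otherwise.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp rel8", (address + 2 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        slot = struct.unpack_from("<I", code, 2)[0]
        return "jmp [disp32]", slot
    return None


def classify_export(name, address, code, mod_base=MODULE_BASE, mod_size=MODULE_SIZE):
    """Classify one export: 'clean' (no leading jmp), 'thunk' (jmp stays inside
    the module) or 'hooked' (jmp leaves the module's address range)."""
    jmp = decode_leading_jmp(code, address)
    if jmp is None:
        return {"name": name, "verdict": "clean", "mnemonic": None, "target": None}
    mnemonic, target = jmp
    inside = mod_base <= target < mod_base + mod_size
    verdict = "thunk" if inside else "hooked"
    return {"name": name, "verdict": verdict, "mnemonic": mnemonic, "target": target}


def scan_exports(exports, mod_base=MODULE_BASE, mod_size=MODULE_SIZE):
    """Return the names of exports whose first instruction jumps out of the module."""
    results = [classify_export(n, a, c, mod_base, mod_size) for n, a, c in exports]
    return [r["name"] for r in results if r["verdict"] == "hooked"]


# Constructed export table: (name, address, first code bytes). Sample data only.
SAMPLE_EXPORTS = [
    # mov edi,edi ; push ebp ; mov ebp,esp  (normal hot-patchable prologue)
    ("CreateFileW", 0x7C801A24, b"\x8B\xFF\x55\x8B\xEC"),
    # first instruction jumps to a hypothetical injected module at 0x10001000
    ("ReadFile", 0x7C80180E, make_jmp_rel32(0x7C80180E, 0x10001000) + b"\x90\x90"),
    # jmp that stays inside the module: a plain thunk, not a hook
    ("WriteFileThunk", 0x7C802000, make_jmp_rel32(0x7C802000, 0x7C803000)),
    # short jmp forward by 0x10 bytes, also inside the module
    ("ShortJmp", 0x7C802100, b"\xEB\x10"),
]

if __name__ == "__main__":
    for name, addr, code in SAMPLE_EXPORTS:
        print(classify_export(name, addr, code))
    print("hooked:", scan_exports(SAMPLE_EXPORTS))
```

Inside the debugger the same logic would take the jump target from the disassembled instruction and compare it against the owning module's base and size; the point of the example is the range check, which turns "starts with a jmp" into "jumps somewhere this module does not own" and removes most thunk and forwarder false positives.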

This entry was posted in python, Reversing.