Closed monperrus closed 4 years ago
Thanks for the explanation.
What puzzles me is that we have hooks both on the Dashboard page and on the Hook-set pages, while they seem to be the same.
The only differences I see are: inspectors while hook-sets/scanners are in src/scanner.
What's the conceptual difference between inspector/hook of page Dashboard and hook-sets/scanners of page Hook Set?
Would it make sense to have them on the same page?
Short answer:
Hooks defined in src/scanners should be moved into inspectors disabled by default, and the Dashboard page should include a tab panel with a tab for: built-in hooks, not loaded hooksets, custom hooks.
An Inspector is a HookSet plus several other things deployed at startup. A HookSet was primarily created for offering a "one-click security mechanism bypass" and the Inspector concept as a plugin system. But it is no longer true.
Long answer: In fact, when you select a method and you click "probe", when you define a hook in an inspector, or when you define a list of hooks in a "hook set", Dexcalibur creates a HookPrimitive object. It is like a hook template. When you "deploy" a hook set or an inspector, you ask the HookManager to generate the source code of each hook for the current context. The result is the editable source code displayed in the Dashboard.
The Dashboard page is the UI of the HookManager component, and displays only editable hooks.
Inspectors define built-in hooks, always visible in the Dashboard page. When you start Dexcalibur, all inspectors are loaded before any analysis. An inspector can customize its own hooks with data gathered by later analysis, by previous hooking sessions, or when a particular event is emitted by another inspector.
HookSets, such as root detection bypass, are focused on particular topics and can embed huge white/black lists stored in a global variable shared by several hooks. Since the Dashboard page does not currently offer a way to remove global variables, I preferred to let the user load it on demand through the Hook Set page.
The differences between "hook set / scanner" and "inspector" are the following:
A hook set is a collection of prebuilt hooks, no more, which can be loaded/unloaded during analysis. Each hook set has its purpose, such as "bypass root detection". It was previously used to import hooks written by the community.
An inspector is a plugin able to:
"Scanner" or "Hook set" are probably not the best words. I created them before the inspector concept. The idea is to make something close to Frida's "CodeShare" accessible directly from Dexcalibur's UI.
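The flow the answer describes (HookPrimitive as a template, HookManager rendering concrete Frida source for the current context, a HookSet bundling several hooks around one topic plus a shared global list) can be sketched as a small model. The block below is an added example, not Dexcalibur's own code: the class names, method names, the context shape and the rendered Frida source are assumptions for illustration, and the su path list is constructed sample data. It also models the point about globals: unloading a hook set removes its hooks from the generated script, but the global it introduced stays behind, which is why the answer keeps hook sets on-demand.

```javascript
// Added toy model of the HookPrimitive / HookSet / HookManager flow described
// above. NOT Dexcalibur's own code: class names, method names and the rendered
// Frida source are assumptions made for illustration. The su path list is
// constructed sample data.

// A HookPrimitive is a hook "template": it knows the target class/method and
// the handler body, but produces concrete Frida source only when rendered
// for a context.
class HookPrimitive {
  constructor(cls, method, handlerLines) {
    this.cls = cls;                 // e.g. "java.io.File"
    this.method = method;           // e.g. "exists"
    this.handlerLines = handlerLines;
  }

  // Render editable Frida (Java bridge) source for the current context.
  // ctx.appPackage (assumed field) is only echoed in a comment.
  render(ctx) {
    return [
      `// target: ${ctx.appPackage}`,
      `Java.perform(function () {`,
      `  var cls = Java.use("${this.cls}");`,
      `  cls.${this.method}.implementation = function () {`,
      ...this.handlerLines.map((l) => `    ${l}`),
      `  };`,
      `});`,
    ].join("\n");
  }
}

// A HookSet bundles primitives around one topic plus the globals they share.
class HookSet {
  constructor(name, globals, primitives) {
    this.name = name;
    this.globals = globals;         // { NAME: value } emitted once as "var NAME = ..."
    this.primitives = primitives;
  }
}

// The HookManager turns templates into source. Globals are accumulated and,
// as in the thread, nothing here removes them once they are deployed.
class HookManager {
  constructor() {
    this.globals = {};
    this.deployed = new Map();      // set name -> rendered sources
  }

  deploy(set, ctx) {
    Object.assign(this.globals, set.globals);
    const sources = set.primitives.map((p) => p.render(ctx));
    this.deployed.set(set.name, sources);
    return sources;
  }

  unload(setName) {
    this.deployed.delete(setName);  // hooks go away, globals do not
  }

  // Full script the agent would load: globals preamble + every deployed hook.
  script() {
    const preamble = Object.entries(this.globals).map(
      ([k, v]) => `var ${k} = ${JSON.stringify(v)};`
    );
    return [...preamble, ...[...this.deployed.values()].flat()].join("\n\n");
  }

  globalNames() {
    return Object.keys(this.globals);
  }
}

// Constructed sample: a minimal "bypass root detection" hook set that hides
// well-known su binary paths from java.io.File.exists().
const ROOT_PATHS = ["/system/bin/su", "/system/xbin/su", "/sbin/su"];

const fileExists = new HookPrimitive("java.io.File", "exists", [
  "var p = this.getAbsolutePath();",
  "if (ROOT_PATHS.indexOf(p) !== -1) { return false; }  // hide su binaries",
  "return this.exists();",
]);

const rootBypass = new HookSet("root-bypass", { ROOT_PATHS: ROOT_PATHS }, [fileExists]);

// Deploy, snapshot the script, unload, snapshot again.
function demo() {
  const hm = new HookManager();
  const ctx = { appPackage: "com.example.app" };   // assumed context shape
  const sources = hm.deploy(rootBypass, ctx);
  const before = hm.script();
  hm.unload("root-bypass");
  return { sources, before, after: hm.script(), globals: hm.globalNames() };
}

console.log(demo().before);
```

Running the block prints the generated script; the `after` snapshot returned by `demo()` contains only the `var ROOT_PATHS = [...]` preamble, which is the leftover-global situation the answer refers to.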