Recognize Virtual Table hooks

[hasherezade]

Example - a virtual table (not patched):

The same table, patched:

Patches detected by PE-sieve:

As the above example demonstrates, the patches are properly detected by PE-sieve. However, the way in which they are reported could be improved. Instead of a vague description patch_<id> and the size, a full address of the redirection should be reported, just like in the case of inline hooks.

Current report:

21d8c;patch_0;4
21d94;patch_1;8

Desired report:

21d8c;6172C380
21d94;61721790
21d98;6172C450

[hasherezade]

Related commits: b26a8047a62b460ea24757b92943137f915f71d5 5278ae61b822c17ada9d44847994f12bfb2c61d4 dd8a6f60f165faf69044993ed0fb93359d47848b

Result:

Fields are detected correctly, yet, marking them the same way as inline hooks may be misleading. A different hook type should be introduced.

[hasherezade]

Such hooks are now displayed as addr_replaced_<id>:

[maskelihileci]

Hello, am I wrong, I wonder if the vtable hook here could not detect it?

Information about hook not found in the folder?

[hasherezade]

@maskelihileci - can you share this sample? I will check...

[maskelihileci]

Go here from cheat engine software : KERNEL32.VirtualProtectStub

jmp qword ptr [7FFCE1564E68]

In this way, viruses are hooked and cannot be detected. This is because there is no change to the assembly code

When it said it detected the vtable hook I thought it might detect it.

[hasherezade]

@maskelihileci - ok, I reproduced it. this is actually an IAT hook, not VTable hook. those are usually detected with a parameter /iat [option] - but I see it is not detected this time, so there is a bug. thank you for your report, it will be fixed soon.

[hasherezade]

BTW - would you like to create a new issue for this? by this way you can keep track on the progress, and get notified when it is fixed

[maskelihileci]

Thanks, I opened the issue.

[hasherezade]

@maskelihileci - thank you!