hasherezade closed this issue 2 years ago
Related commits: b26a8047a62b460ea24757b92943137f915f71d5 5278ae61b822c17ada9d44847994f12bfb2c61d4 dd8a6f60f165faf69044993ed0fb93359d47848b
Result:
Fields are detected correctly, yet marking them the same way as inline hooks may be misleading. A different hook type should be introduced.
Such hooks are now displayed as addr_replaced_<id>
Hello, am I wrong? I wonder if the vtable hook here could not detect it.
Information about the hook not found in the folder?
@maskelihileci - can you share this sample? I will check...
Go here from the Cheat Engine software: KERNEL32.VirtualProtectStub
jmp qword ptr [7FFCE1564E68]
In this way, viruses are hooked and cannot be detected. This is because there is no change to the assembly code.
When it said it detected the vtable hook I thought it might detect it.
@maskelihileci - OK, I reproduced it. This is actually an IAT hook, not a VTable hook. Those are usually detected with the parameter /iat [option] - but I see it is not detected this time, so there is a bug. Thank you for your report, it will be fixed soon.
BTW - would you like to create a new issue for this? This way you can keep track of the progress and get notified when it is fixed.
Thanks, I opened the issue.
@maskelihileci - thank you!
Example - a virtual table (not patched):
The same table, patched:
Patches detected by PE-sieve:
As the above example demonstrates, the patches are properly detected by PE-sieve. However, the way in which they are reported could be improved. Instead of a vague description patch_<id> and the size, the full address of the redirection should be reported, just like in the case of inline hooks.
Current report:
Desired report:
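The detection and reporting discussed in this issue, as an added example that is not PE-sieve's own code: diff a pointer table (vtable or IAT) as mapped from the module file against the copy read from the running process, and report each replaced slot together with its redirection target. The table contents, the table RVA, the redirected address and the report line format are constructed for the example; only the addr_replaced_<id> naming comes from this thread.

```python
"""Diff a pointer table (vtable or IAT) as mapped from the module file against
the copy read from the running process, and report each replaced slot."""
import struct

PTR_FMT = "<Q"  # x64 little-endian pointers, as in the KERNEL32 example above
PTR_SIZE = struct.calcsize(PTR_FMT)

# Constructed sample: eight entries of a pointer table as they appear in the
# module image on disk (already relocated to the module's load base).
ORIGINAL_TABLE = [0x7FFCE1561000 + 0x40 * i for i in range(8)]
# Constructed sample: the same table read from process memory; slot 3 has
# been redirected to a hypothetical address outside the module.
MODIFIED_TABLE = list(ORIGINAL_TABLE)
MODIFIED_TABLE[3] = 0x000001E3A2B40000


def pack_table(entries):
    """Serialise a list of pointers into the raw bytes a scanner would read."""
    return b"".join(struct.pack(PTR_FMT, p) for p in entries)


def find_replaced_addrs(original: bytes, current: bytes, table_rva: int):
    """Return one finding per slot whose pointer differs. The code behind the
    pointer is untouched by this hook type, so an inline-hook scan sees no
    byte change; only the table entry itself reveals the redirection."""
    if len(original) != len(current) or len(original) % PTR_SIZE:
        raise ValueError("tables must be equal in size and pointer-aligned")
    findings = []
    for off in range(0, len(original), PTR_SIZE):
        orig_ptr = struct.unpack_from(PTR_FMT, original, off)[0]
        cur_ptr = struct.unpack_from(PTR_FMT, current, off)[0]
        if orig_ptr != cur_ptr:
            findings.append({
                "id": len(findings),
                "rva": table_rva + off,    # the slot that was overwritten
                "original": orig_ptr,      # where it pointed before
                "replaced_with": cur_ptr,  # the redirection target to report
            })
    return findings


def format_report(findings):
    """Render 'rva;addr_replaced_<id>;orig->target' lines: a simplified,
    constructed format that uses the naming adopted in this issue."""
    return [f"{f['rva']:x};addr_replaced_{f['id']};"
            f"{f['original']:x}->{f['replaced_with']:x}" for f in findings]


if __name__ == "__main__":
    print("\n".join(format_report(find_replaced_addrs(
        pack_table(ORIGINAL_TABLE), pack_table(MODIFIED_TABLE), 0x1C000))))
```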