{"id":19369427,"url":"https://github.com/kara-4search/hookdetection_csharp","last_synced_at":"2025-04-23T15:31:35.435Z","repository":{"id":136106830,"uuid":"395257105","full_name":"Kara-4search/HookDetection_CSharp","owner":"Kara-4search","description":"HookDetection","archived":false,"fork":false,"pushed_at":"2021-09-03T14:21:10.000Z","size":45,"stargazers_count":46,"open_issues_count":0,"forks_count":9,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-02T16:54:02.105Z","etag":null,"topics":["csharp","edr","hook-functions","hookdetect","pentest","redteam","redteam-tools","windows-defender"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kara-4search.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-12T08:59:23.000Z","updated_at":"2025-03-18T13:03:59.000Z","dependencies_parsed_at":null,"dependency_job_id":"76289ccd-d65f-4ac7-bddf-816a6c5a6d0d","html_url":"https://github.com/Kara-4search/HookDetection_CSharp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FHookDetection_CSharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FHookDetection_CSharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FHookDetection_CSharp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FHookDetection_CSharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kara-4search","download_url":"https://codeload.github.com/Kara-4search/HookDetection_CSharp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250460414,"owners_count":21434248,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csharp","edr","hook-functions","hookdetect","pentest","redteam","redteam-tools","windows-defender"],"created_at":"2024-11-10T08:11:14.927Z","updated_at":"2025-04-23T15:31:35.428Z","avatar_url":"https://github.com/Kara-4search.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HookDetection_Csharp\n\nBlog link: working on it\n\n- Detecting if ntdll's funcitons got hook via iterating RVAs.\n- So we could avoid using the functions which already hooked，or unhook them。 \n- Only detect functions start with \"Zw\" or \"Nt\".\n- Only tested in Win10/x64, works fine.\n- Steps\n\t1. Iterate through all the exported functions of the ntdll.dll\n\t2. Read the first 4 bytes of the the syscall stub and check if they start with 4c 8b d1 b8\n\t\t- If yes, the function is not hooked\n\t\t- If no, the function is most likely hooked (with a couple of exceptions mentioned in the False Positives callout).\n- **Although highly effective at detecting functions hooked with inline patching, this method returns a few false positives when enumerating hooked functions inside ntdll.dll, such as:**\n**False Positives**\n```\n\tNtGetTickCount\n\tNtQuerySystemTime\n\tNtdllDefWindowProc_A\n\tNtdllDefWindowProc_W\n\tNtdllDialogWndProc_A\n\tNtdllDialogWndProc_W\n\tZwQuerySystemTime\n```\n**The above functions are not hooked.**\n## Usage \n1. Launch through a white-list application\n- With windowsdefender\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/HookDetection_WD.png)\n- With EDR\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/tempPic/main/HookDetection_EDR.jpeg)\n\n\n\n## TO-DO list\n- x86 version of it.\n- Maybe check the kernel32.dll.\n\n## Update history\n- Restructure code - 20210821\n\n\n## Reference link:\n\t1. https://blog.csdn.net/sankernel/article/details/104266483\n\t2. https://blog.csdn.net/whatday/article/details/52691109\n\t3. https://blog.csdn.net/sryan/article/details/7950950\n\t4. https://blog.csdn.net/mywsfxzxb/article/details/15336663\n\t5. http://blog.leanote.com/post/snowming/e4bd72b3279b\n\t6. http://lmao123.com/index.php/175.html\n\t7. http://pinvoke.net/default.aspx/Structures/IMAGE_OPTIONAL_HEADER64.html\n\t8. http://pinvoke.net/default.aspx/Structures.IMAGE_EXPORT_DIRECTORY\n\t9. http://pinvoke.net/default.aspx/Structures.IMAGE_DOS_HEADER\n\t10. https://stackoverflow.com/questions/2170843/va-virtual-address-rva-relative-virtual-address\n\t11. https://blog.csdn.net/sankernel/article/details/104266483\n\t12. https://makosecblog.com/malware-dev/dll-unhooking-csharp/","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fhookdetection_csharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkara-4search%2Fhookdetection_csharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fhookdetection_csharp/lists"}