{"id":16714039,"url":"https://github.com/therealdreg/emuhookdetector","last_synced_at":"2025-10-28T23:14:55.434Z","repository":{"id":97023353,"uuid":"136678445","full_name":"therealdreg/emuhookdetector","owner":"therealdreg","description":"hook detector using emulation and comparing static with dynamic outputs","archived":false,"fork":false,"pushed_at":"2023-08-11T06:20:57.000Z","size":12,"stargazers_count":17,"open_issues_count":2,"forks_count":6,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-24T07:13:40.287Z","etag":null,"topics":["capstone-project","emulation","forensic-analysis","hooking","hooks","linux","rootkit-hunter","unicorn-emulator"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg","https://www.paypal.me/therealdreg"]}},"created_at":"2018-06-09T00:43:04.000Z","updated_at":"2022-12-23T11:57:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"58faa207-2fcf-4095-bdce-9dd2948faa6c","html_url":"https://github.com/therealdreg/emuhookdetector","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Femuhookdetector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Femuhookdetector/tags","releases_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Femuhookdetector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Femuhookdetector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/emuhookdetector/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248166925,"owners_count":21058481,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capstone-project","emulation","forensic-analysis","hooking","hooks","linux","rootkit-hunter","unicorn-emulator"],"created_at":"2024-10-12T20:48:56.423Z","updated_at":"2025-10-28T23:14:55.383Z","avatar_url":"https://github.com/therealdreg.png","language":"C","funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"readme":"# emuhookdetector\nhook detector using emulation and comparing static with dynamic outputs\n\nPlease, consider making a donation: https://github.com/sponsors/therealdreg\n\nWarning!!: the code is bullshit (it is only a beta prototype).\n\nMIT LICENSE - Copyright (c) emuhookdetector 0.1Beta-crap - January 2016\nby: David Reguera Garcia aka Dreg - dreg@fr33project.org\nhttps://github.com/David-Reguera-Garcia-Dreg\nhttp://www.fr33project.org\n\n## Usage\nGenerate the report for the dynamically linked exe:\n\n```\n./emuhookdetector_dynamic\nmv report.txt report_dynamic.txt\n```\n\nGenerate the report for the statically linked exe:\n\n```\n 
./emuhookdetector_static\n mv report.txt report_static.txt\n```\n\nThe ldd output in a non hooked machine should be:\n```\nroot@ubuntu:~/emuhookdetector# ldd emuhookdetector_static\n        not a dynamic executable\nroot@ubuntu:~/emuhookdetector# ldd emuhookdetector_dynamic\n        linux-vdso.so.1 =\u003e  (0x00007ffe37b1c000)\n        libunicorn.so.1 =\u003e /usr/lib/libunicorn.so.1 (0x00007f01ab045000)\n        libcapstone.so.3 =\u003e /usr/lib/libcapstone.so.3 (0x00007f01aab97000)\n        libpthread.so.0 =\u003e /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f01aa978000)\n        libc.so.6 =\u003e /lib/x86_64-linux-gnu/libc.so.6 (0x00007f01aa598000)\n        libm.so.6 =\u003e /lib/x86_64-linux-gnu/libm.so.6 (0x00007f01aa242000)\n        /lib64/ld-linux-x86-64.so.2 (0x00007f01ab549000)\n```\n\nThe static report in a non hooked machine can be like this:\n\n```\nroot@ubuntu:~/emuhookdetector# cat report_static.txt\n** RIP = 0x1000000 (converted: 0x573640) ***:\n        41 55\n                                                                push            r13\n*** RIP = 0x1000002 (converted: 0x573642) ***:\n        41 54\n                                                                push            r12\n*** RIP = 0x1000004 (converted: 0x573644) ***:\n        49 89 fd\n                                                                mov             r13, rdi\n*** RIP = 0x1000007 (converted: 0x573647) ***:\n        55\n                                                                push            rbp\n*** RIP = 0x1000008 (converted: 0x573648) ***:\n        53\n                                                                push            rbx\n*** RIP = 0x1000009 (converted: 0x573649) ***:\n        be 01 00 00 00\n                                                                mov             esi, 1\n*** RIP = 0x100000e (converted: 0x57364e) ***:\n        31 c0\n                                                                xor             eax, eax\n*** RIP = 
0x1000010 (converted: 0x573650) ***:\n        48 83 ec 08\n                                                                sub             rsp, 8\n*** RIP = 0x1000014 (converted: 0x573654) ***:\n        48 c7 c5 b8 ff ff ff\n                                                                mov             rbp, -0x48\n*** RIP = 0x100001b (converted: 0x57365b) ***:\n        64 44 8b 65 00\n                                                                mov             r12d, dword ptr fs:[rbp]\n```\n\nThe dynamic report on a non-hooked machine should be very similar to the static report.\n\nExample: compare the results \u0026 ldd output on a machine infected by the vlany rootkit: https://github.com/mempodippy/vlany/\n\nThe ldd output on a machine hooked by the vlany rootkit is:\n\n```\nroot@ubuntu:~/emuhookdetector# ldd emuhookdetector_static\n        linux-vdso.so.1 =\u003e  (0x00007ffffbdc2000)\n        libm.so.6 =\u003e /lib/x86_64-linux-gnu/libm.so.6 (0x00007fb512217000)\n        libpthread.so.0 =\u003e /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fb511ff8000)\n        libc.so.6 =\u003e /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb511c18000)\n        /lib64/ld-linux-x86-64.so.2 (0x00007fb51294c000)\nroot@ubuntu:~/emuhookdetector# ldd emuhookdetector_dynamic\n        linux-vdso.so.1 =\u003e  (0x00007ffc10b6c000)\n        libunicorn.so.1 =\u003e /usr/lib/libunicorn.so.1 (0x00007f726348f000)\n        libcapstone.so.3 =\u003e /usr/lib/libcapstone.so.3 (0x00007f7262fe1000)\n        libpthread.so.0 =\u003e /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f7262dc2000)\n        libc.so.6 =\u003e /lib/x86_64-linux-gnu/libc.so.6 (0x00007f72629e2000)\n        libm.so.6 =\u003e /lib/x86_64-linux-gnu/libm.so.6 (0x00007f726268c000)\n        /lib64/ld-linux-x86-64.so.2 (0x00007f7263993000)\n```\n\nAs you can see, the static exe should show no dynamic dependencies (\"not a dynamic executable\"), but here it is linked!\n\nYou should also compare both reports to check whether the instruction flow differs between them; if it does, the code may be hooked.\n\n# 
Compilation\n\n## Compile \u0026 install deps\n\n```\napt-get install git\napt-get install python2.7 # or try: apt-get install python or apt-get install python27\ngit clone https://github.com/unicorn-engine/unicorn.git\ncd unicorn\nUNICORN_STATIC=yes UNICORN_SHARED=yes UNICORN_ARCHS=\"x86\" UNICORN_QEMU_FLAGS=\"--python=/usr/bin/python2.7\" ./make.sh\nmake install\ncd ..\ngit clone https://github.com/aquynh/capstone.git\ncd capstone/\nCAPSTONE_ARCHS=\"x86\" CAPSTONE_STATIC=yes CAPSTONE_SHARED=yes ./make.sh\nmake install\ncd ..\n```\n\n## Compile emuhookdetector\n\n```\ngit clone https://github.com/David-Reguera-Garcia-Dreg/emuhookdetector.git\ncd emuhookdetector\ngcc -pthread -o emuhookdetector_dynamic emuhookdetector.c -lunicorn -lcapstone\ngcc -static -pthread -o emuhookdetector_static emuhookdetector.c /usr/lib/libunicorn.a /usr/lib/libcapstone.a -lm\n```\n\nThe output of ldd should be something like:\n\n```\nroot@ubuntu:~/emuhookdetector# ldd emuhookdetector_dynamic\n        linux-vdso.so.1 =\u003e  (0x00007ffe1fd95000)\n        libunicorn.so.1 =\u003e /usr/lib/libunicorn.so.1 (0x00007f85523aa000)\n        libcapstone.so.3 =\u003e /usr/lib/libcapstone.so.3 (0x00007f8551efc000)\n        libpthread.so.0 =\u003e /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f8551cdd000)\n        libc.so.6 =\u003e /lib/x86_64-linux-gnu/libc.so.6 (0x00007f85518fd000)\n        libm.so.6 =\u003e /lib/x86_64-linux-gnu/libm.so.6 (0x00007f85515a7000)\n        /lib64/ld-linux-x86-64.so.2 (0x00007f85528ae000)\nroot@ubuntu:~/emuhookdetector# ldd emuhookdetector_static\n        not a dynamic executable\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Femuhookdetector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Femuhookdetector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Femuhookdetector/lists"}