If you need a usermode hook scanner that can scan x64 processes, you can now use HookShark64.
Remember: HookShark is a forensic tool with no self-defense and thus cannot really be considered an anti-rootkit.
We are back at 0.1, with the postfix "64" added to "HookShark". All following releases will support x64. HookShark is dead; HookShark64 is the new "product line".
But HookShark 0.9 might not become obsolete right away. Not every feature was reimplemented. So in some cases, falling back to 0.9 is the only choice.
Disadvantages of HookShark64 0.1 in comparison with 0.9:
- Hooks of relocated .data pointers are not detected
- rudimentary vtable-hook detection not implemented yet
- No scanning for Code Injections takes place
- no disassembler, no hex editor
- no Class Instance Browser
- No Listing of code references
- Can't null a region (why would you need HookShark for this anyway?)
- No showing of PageGuard candidates (which was broken anyway)
- No unhook support yet
Advantages of HookShark64 0.1:
- Full support of x64 processes
- Something like 15 times faster (you will need at least SSE2)
- dumping modules from the module window
- sorting the process list (PID/ImageName)
- Exempt modules from being scanned (checkboxes in module window)
- a lot of Win7 fixes (ApiSetMap, thx to deroko)
- show function name of hook destination if available
- Multithreading (IAT/EAT hook scanning and the patch scanner each have their own thread)
- it saves all settings/filters, window position and size in an ini file
You will get a lot of errors and bogus access violations in your log window. Why? Because checking everything carefully is slow. In 0.9 more checks were implemented, which slowed the process down. In HookShark64 0.1 many checks are omitted and the scan is simply wrapped in an exception handler. If an exception occurs, the next DLL or the next code section will be scanned, without losing any results already collected.
However, if HookShark really crashes, or the log window output is more suspicious than it should be, for example if you happen to know that it should have picked up something, then feel free to report the bug right here in this thread.
Also: be careful when using the Unchecking function for modules. It can have some unwanted implications.
For example: If the unchecked module is the destination of a hook elsewhere, the listing in the hook-result-window might not be as detailed.
Another case would be: If the module has exports, which other modules import, it will show errors in the log and you might miss IAT hooks.
Version History
0.1.0.0
- Initial release
0.1.0.3
- Fixed unchecking and re-checking an unlinked module being displayed as a linked module (red -> blue)
- Show the exact HookShark version number and build in the log at startup
0.1.0.5
- Fixed an attempt to start the x64server process on x86 platforms when the CPU was 64-bit capable
- Allow more user interaction with the GUI while scanning
0.1.0.6
- The offset within a symbol is now shown (example: ntdll.dll!LdrLoadDll+0x15)
http://www.mediafire.com/?43a5twp4k5d5uz9