Identify the hook target

[hasherezade]

Test cases

Case 1:
c999ab160f652e1c6980c50507e1aacb9058d3aa359c92dd74bf3fc5ae5fd47b - KeygenMe v7 by MaxXor
Case 2:
5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e - Floki Bot

How it is

The hooks are tagged in the following way:

ec7c;CreateWindowExW->402551;5
1e981;CharUpperW->4017be;5

We can see the offset where the hook is installed, and the name of the hooked function. Hook target is represented by its VA. However, finding what is the module where the hook leads to, requires manual analysis.

How it should be

The target module should be mentioned in the report, i.e.:

ec7c;CreateWindowExW->402551[400000+2551:KeygenMev7.exe];5
1e981;CharUpperW->4017be[400000+17be:KeygenMev7.exe];5

or, in case if the hook leads to unnamed implant, it should be marked as unnamed:

ec7c;CreateWindowExW->402551[400000+2551:(unnamed)];5
1e981;CharUpperW->4017be[400000+17be:(unnamed)];5

[hasherezade]

Addressed in the commits:

1. 8d9e209
2. 2a8345b
3. 85bee89
4. 07b40ea

[hasherezade]

Result:

All mentioned above is implemented. Additionally, the module is marked with 0 (if not detected as suspicious) or 1 (if detected as suspicious).

• for the use case 1:
  
• for the use case 2: