A Windows CLI for detecting inline, IAT, and EAT function hooks in running processes
- Either build it yourself with CMake, download it from Releases, or grab it from the CI build artifacts.
- Run with:
  `ThorsHookDetector.exe -p <Process Name>`
- Options:
  - `-l` / `--loadlibs`: attempts to load every module of the target process into the local (scanner) process with LoadLibrary, which allows more modules to be scanned.
  - `-d` / `--ignorediff`: ignores and does NOT skip modules the scanner detects as most likely a different DLL version (a different version is assumed when the module size differs or new functions are present).
After the analysis completes and the hooks have been gathered, these commands can be run to interact with the process:
- `restore-inline <Module Name> <Function Name>`: uses the results of the inline hook analysis and restores the function's bytes back to the original.
- `restore-inline-all [<Module Name>]`: uses the results for ALL FUNCTIONS in the inline hook analysis (restricted to the given module if one is specified) and restores the functions' bytes back to the original.
- `restore-iat <Module Name> <Module Name> <Function Name>`: uses the results of the IAT hook analysis to restore the address in the IAT from the hooked function back to the original.
- `restore-iat-all`: uses the results for ALL FUNCTIONS in the IAT hook analysis to restore the addresses in the IAT from the hooked functions back to the originals.
- `decompile <Relative Virtual Address>` or `decompile <Module Name> <Function Name>`: decompiles the function at the specified address.
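The inline-hook analysis and `restore-inline` above work on the same idea shown in this added example (not ThorsHookDetector's own code): compare a function's live prologue against the clean prologue from the on-disk image, decode the trampoline stub a mismatch usually starts with, and keep the clean bytes for restoration. The prologue bytes, syscall number and virtual address are constructed, hypothetical values.

```python
import struct
from typing import Optional

# Trampoline stubs commonly planted by inline hooks; the decoder recovers the
# hook's destination from the bytes found at the start of the function.
def decode_trampoline(code: bytes, addr: int) -> Optional[dict]:
    """Decode the stub at virtual address `addr`; None if not a known stub."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "jmp rel32", "target": (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF}
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                # jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        # the target sits in a pointer slot; report the slot so the caller reads it
        return {"kind": "jmp [rip+disp32]", "slot": addr + 6 + disp}
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return {"kind": "mov rax,imm64; jmp rax",                 # absolute x64 jump
                "target": struct.unpack_from("<Q", code, 2)[0]}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret (x86)
        return {"kind": "push imm32; ret", "target": struct.unpack_from("<I", code, 1)[0]}
    return None


def check_inline_hook(name: str, clean: bytes, live: bytes, addr: int) -> dict:
    """Compare the live prologue with the clean one read from the on-disk image.
    A mismatch is reported as a hook, together with the decoded destination and
    the bytes a restore would write back over the stub."""
    n = min(len(clean), len(live))
    if clean[:n] == live[:n]:
        return {"function": name, "hooked": False}
    return {"function": name, "hooked": True,
            "stub": decode_trampoline(live, addr), "restore": clean[:n]}


# Constructed sample: a syscall-stub shaped prologue (mov r10,rcx; mov eax,imm32;
# test ...) and the same bytes after a jmp rel32 hook was planted over its start.
# The syscall number and the function's virtual address are hypothetical.
CLEAN_NTCREATEFILE = bytes.fromhex("4c8bd1b855000000f604250803fe7f01")
HOOKED_NTCREATEFILE = bytes.fromhex("e9fb0f0000000000f604250803fe7f01")
FUNC_VA = 0x7FFE10000000

if __name__ == "__main__":
    print(check_inline_hook("NtCreateFile", CLEAN_NTCREATEFILE, HOOKED_NTCREATEFILE, FUNC_VA))
```

A full scanner applies this check to every export of every loaded module, with the clean bytes taken from the file on disk after applying relocations.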