
3.1. Investigating hooks and patches

hasherezade edited this page Jan 24, 2022 · 11 revisions

By default, PE-sieve detects patches and inline hooks in the code of scanned modules. This section describes such a case.

Additionally, it can also detect IAT hooks, but this has to be enabled with an additional parameter: /iat - which is described here.

TAG files

The listing of detected hooks and patches is provided by PE-sieve in form of a file with a .tag extension.

TAG format is a very simple, custom format dedicated to annotating offsets in an executable. Its basic form is the following:

{RVA};{comment}

PE-sieve uses this format to annotate offsets in the PE file, where the hooks (or other type of patches) have been discovered.

If the PE-sieve detected any patches, the modified PE file will be dumped along with the accompanying TAG file:

Dumped TAG file

Example of the JSON scan report - noting about the number of patches...

JSON Report

...and a TAG file - describing more details about the found hook/patch, e.g.:

TAG Report

Content of the TAG file:

ec7c;CreateWindowExW->402551[400000+2551:KeygenMe V7.exe:0];5
1e981;CharUpperW->4017be[400000+17be:KeygenMe V7.exe:0];5

Format:

{RVA};{hooked_function}->{VA where the hook leads to}[{details}];{size of the patch}

The {details} are added when the hook redirects execution to some identified module. They include the following information:

{module base}+{hook RVA}:{module name}:{is the module identified as suspicious}

For example, in the application presented above, two functions from User32.dll have been hooked: CreateWindowExW and CharUpperW. Their execution was redirected to the addresses 0x402551 and 0x4017be, respectively. Those addresses lie within the main module (named KeygenMe V7.exe), which was loaded at the base 0x400000.
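The TAG format described above is simple enough to parse with a few lines of code, which is useful when you want to triage many dumps without opening each one in a GUI. The following parser is an added example written for this page; it is not part of PE-sieve or PE-bear. It handles both the basic {RVA};{comment} form and the hook form {RVA};{function}->{VA}[{details}];{size}, checks that {module base}+{hook RVA} in the details really equals the target VA, and groups hooks by the module they jump into. The sample input consists of the two lines shown on this page plus a third, constructed line in the basic form; the function names in the code are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample TAG content: the two lines shown on this page, plus a third
# line in the basic "{RVA};{comment}" form that is made up for this example.
SAMPLE_TAG = (
    "ec7c;CreateWindowExW->402551[400000+2551:KeygenMe V7.exe:0];5\n"
    "1e981;CharUpperW->4017be[400000+17be:KeygenMe V7.exe:0];5\n"
    "1234;patched bytes, no hook target (constructed line)\n"
)


@dataclass
class HookDetails:
    """The [{details}] part: {module base}+{hook RVA}:{module name}:{is suspicious}."""
    module_base: int
    hook_rva: int
    module_name: str
    suspicious: bool


@dataclass
class Tag:
    rva: int                                 # offset in the dumped PE that was patched
    comment: str                             # raw comment after the first ';'
    hooked_function: Optional[str] = None
    target_va: Optional[int] = None          # where execution is redirected to
    details: Optional[HookDetails] = None    # present when the target module was identified
    patch_size: Optional[int] = None

    @property
    def is_hook(self) -> bool:
        return self.target_va is not None


# {hooked_function}->{VA}[{details}]; the bracketed details are optional.
HOOK_RE = re.compile(r"^(?P<func>[^\s>]+)->(?P<va>[0-9a-fA-F]+)(?:\[(?P<details>.*)\])?$")


def parse_details(text: str) -> HookDetails:
    # The module name may contain spaces (e.g. "KeygenMe V7.exe"), so only the
    # first and the last ':'-separated fields are split off.
    location, rest = text.split(":", 1)
    module_name, flag = rest.rsplit(":", 1)
    base, hook_rva = location.split("+", 1)
    return HookDetails(int(base, 16), int(hook_rva, 16), module_name, flag.strip() == "1")


def parse_tag_line(line: str) -> Tag:
    rva_text, sep, rest = line.strip().partition(";")
    if not sep:
        raise ValueError(f"malformed TAG line: {line!r}")
    # A trailing ';{size}' is present for hooks/patches; a plain comment may lack it.
    comment, sep, last = rest.rpartition(";")
    size = int(last) if sep and last.strip().isdigit() else None
    if size is None:
        comment = rest
    tag = Tag(rva=int(rva_text, 16), comment=comment, patch_size=size)
    m = HOOK_RE.match(comment)
    if m:
        tag.hooked_function = m.group("func")
        tag.target_va = int(m.group("va"), 16)
        if m.group("details"):
            tag.details = parse_details(m.group("details"))
    return tag


def parse_tag_file(text: str) -> List[Tag]:
    return [parse_tag_line(l) for l in text.splitlines() if l.strip()]


def target_is_consistent(tag: Tag) -> bool:
    """Sanity check: {module base}+{hook RVA} in the details must equal the target VA."""
    if tag.details is None:
        return True  # nothing to cross-check for plain patches or unresolved targets
    return tag.details.module_base + tag.details.hook_rva == tag.target_va


def hooks_by_target_module(tags: List[Tag]) -> Dict[Optional[str], List[str]]:
    """Group hooked functions by the module their hook jumps into (None = unresolved)."""
    groups: Dict[Optional[str], List[str]] = {}
    for tag in tags:
        if not tag.is_hook:
            continue
        key = tag.details.module_name if tag.details else None
        groups.setdefault(key, []).append(tag.hooked_function or "?")
    return groups


if __name__ == "__main__":
    parsed = parse_tag_file(SAMPLE_TAG)
    for t in parsed:
        kind = "hook" if t.is_hook else "patch"
        print(f"{t.rva:#x}: {kind} {t.comment} (size={t.patch_size}, consistent={target_is_consistent(t)})")
    print(hooks_by_target_module(parsed))
```

Running the script on the sample prints one line per tag and then the grouping, which for the two hooks on this page is a single entry for KeygenMe V7.exe. The consistency check is worth keeping in a real triage script: a details field whose base and RVA do not add up to the target VA indicates a corrupted or hand-edited TAG file rather than a genuine finding.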

Since the file that was patched is also dumped on the disk, we can load it into a disassembler and visit the annotated offsets, to see the hooks/patches in their original context.

Where the hook leads to

Loading TAGs into PE-bear

The TAG file can be loaded, e.g., into PE-bear. Thanks to this, we can easily browse the found hooks and check the code that was overwritten.

TAG format is natively supported by PE-bear. Once you load the dumped executable into PE-bear, the appropriate TAG file will be loaded automatically (the only condition is that the TAG file must be located in the same directory as the PE).

You can see the list of all the tags by opening the dedicated panel:

Tags panel in PE-bear

The tagged offsets will be marked with a "star" in the disassembler view:

Hooks in PE-bear

Loading TAGs into IDA

The same TAG file can also be loaded into IDA, with the help of the IFL plugin.

First, load the dumped executable in which the hooks/patches have been detected. Open IFL, then click "Load names", which is located at the bottom of the panel:

IFL -> Load names

Then, choose the TAG format from the menu:

Choose TAG format

And supply the appropriate TAG file. The comments describing the patched places will be added to the IDA database.

If the hook is installed at the beginning of the function, the name of the function gets annotated, and we can find it using filters in IFL:

IFL listed

The beginning of the hooked function in IDA:

JSON Report