{
	"id": "73a62dc8-233b-47b6-806b-7375bdb7052b",
	"created_at": "2026-04-06T00:17:21.110961Z",
	"updated_at": "2026-04-10T13:12:55.941155Z",
	"deleted_at": null,
	"sha1_hash": "39e798b654a0f2ebc9a837f35e1ee3cf0bb0dde5",
	"title": "What are the methods to find hooked functions and APIs?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40019,
	"plain_text": "What are the methods to find hooked functions and APIs?\r\nPublished: 2012-07-31 · Archived: 2026-04-05 23:46:43 UTC\r\nHooks are implemented in a whole bunch of ways:\r\n- Modifying legitimate jump instructions to point at hooks instead of the normal code.\r\n- User call table (IAT) hooking - modifying the addresses of user-mode APIs in a process.\r\n- Kernel call table hooking (e.g. SSDT / GDT) - replacing a call table pointer with the address of your hook.\r\n- WndProc hooks (e.g. PeekMessage) - hooking onto window notification messages.\r\n- Legitimate callbacks like PsSetCreateProcessNotifyRoutine.\r\nI'm guessing you're most interested in the first two types.\r\nJump hooks can be created in a near-infinite number of ways. This makes it almost impossible to write a tool to identify the hooks. However, you can use integrity checking tricks, e.g. comparing code in the binary file (e.g. exe or dll) to the code in memory. You could also hook WriteProcessMemory and other such APIs to detect modification of process memory, though this only works against user-mode attacks.\r\nIAT hooks are a little easier to check for. Take a snapshot of the IAT of a process when it starts (e.g. from the static binary) and compare the in-memory IAT to the real addresses of the functions that should be in there. For example, if you know IAT entry 4 points to user32.MessageBoxA, you can use GetProcAddress to find the real address of that function and compare the address in the IAT to that. If they don't match, you know it's been hooked.\r\nFor further reading, there's a great paper on the subject, and I highly recommend reading \"The Rootkit Arsenal\" by Bill Blunden.\r\nSource: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis"
	],
	"report_names": [
		"what-are-the-methods-to-find-hooked-functions-and-apis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39e798b654a0f2ebc9a837f35e1ee3cf0bb0dde5.pdf",
		"text": "https://archive.orkl.eu/39e798b654a0f2ebc9a837f35e1ee3cf0bb0dde5.txt",
		"img": "https://archive.orkl.eu/39e798b654a0f2ebc9a837f35e1ee3cf0bb0dde5.jpg"
	}
}