How to detect API Hook?

I have been trying to detect API hooks, both inline and EAT hooks.

So far I have not found anything on how to detect an EAT hook.

For inline ring 3 hooks, this is what I have so far:

#include <windows.h>
#include <stdio.h>
int main(void)
{
    /* First-byte check of the prologue: 0xE9 = JMP rel32, 0x90 = NOP, 0xC3 = RET */
    FARPROC Address = GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess");
    if (Address && (*(BYTE*)Address == 0xE9 || *(BYTE*)Address == 0x90 || *(BYTE*)Address == 0xC3))
        printf("Api hooked\n");
    return 0;
}

The problem is that there are several opcodes that can be used to hook/change the prologue of functions; checking for JMP / NOP / RET is trivial, and I've seen a lot of hook types like PUSH RET, MOV, RETN, etc.

I wonder if anyone knows how to detect these hooks (detours) or modifications in the API, and also some way to detect the EAT hook.

Thank you.

414 likes
asked Nov 09 '22 02:11 by yudoyo


1 Answer

GetProcAddress could be hooked as well. Also, since you could not know the exact API that would be patched, you would have to check all imported functions, which is pretty tedious. Since an intruder has sufficient privileges to inject into your process address space and hook API methods, honestly there is pretty much no way to prevent him from just patching away any protection mechanism altogether.

Usually modern software protection systems include a kernel mode driver that scans program memory and prevents DLL injection and remote memory modification. Also it is pretty common to use code encryption/obfuscation systems (Themida, for example), or even internal virtual execution machines with entirely alien processor instruction sets, which makes patching code on the fly pretty difficult.

95 likes
answered Nov 14 '22 21:11 by Ari0nhh
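The opcode-signature check in the question can only ever catch the hook styles it was written for, and the answer points out that GetProcAddress may itself be hooked. The usual defensive alternative is reference comparison: walk the module's export table directly and compare both the EAT entries and each export's prologue bytes against a clean copy of the same DLL mapped from disk, so any patch shows up as a byte difference regardless of which instructions were used. The following is an added example, not code from the question, the answer or any particular project. The portable core works over byte buffers and is exercised with constructed sample data (not taken from any real binary); the Win32 wrapper `scan_module`, the `SAMPLE_*` values and the 16-byte prologue window are assumptions, and the wrapper is compiled only under `_WIN32`.

```c
/* Reference-comparison hook check (added example, see lead-in). The live
 * in-memory module is compared with a clean copy of the same DLL mapped
 * from disk; inline patches (JMP, PUSH/RET, MOV/JMP, ...) and rewritten
 * export RVAs both show up as differences. Sample data is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { EAT_OK = 0, EAT_FORWARDER, EAT_MODIFIED, EAT_OUT_OF_IMAGE } eat_status;

/* Offset of the first byte where the live prologue differs from the clean
 * one, or -1 if the first n bytes are intact. */
long prologue_first_diff(const uint8_t *live, const uint8_t *clean, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (live[i] != clean[i])
            return (long)i;
    return -1;
}

/* Classify one AddressOfFunctions entry. An EAT hook rewrites the stored RVA
 * so the export resolves to a trampoline; because the RVA is a 32-bit offset
 * from the module base it may even point past the image into memory mapped
 * after the module. An RVA inside the export directory is a forwarder
 * string and is legitimate. */
eat_status classify_export(uint32_t live_rva, uint32_t clean_rva, uint32_t edir_rva,
                           uint32_t edir_size, uint32_t image_size)
{
    if (live_rva != clean_rva) return EAT_MODIFIED;
    if (live_rva >= edir_rva && live_rva < edir_rva + edir_size) return EAT_FORWARDER;
    if (live_rva >= image_size) return EAT_OUT_OF_IMAGE;
    return EAT_OK;
}

/* Number of export entries whose RVA was rewritten or points out of image. */
size_t count_eat_hooks(const uint32_t *live, const uint32_t *clean, uint32_t n,
                       uint32_t edir_rva, uint32_t edir_size, uint32_t image_size)
{
    size_t hooked = 0;
    for (uint32_t i = 0; i < n; i++) {
        eat_status s = classify_export(live[i], clean[i], edir_rva, edir_size, image_size);
        if (s == EAT_MODIFIED || s == EAT_OUT_OF_IMAGE) hooked++;
    }
    return hooked;
}

/* Constructed sample data: a clean 8-byte prologue of a fictitious export,
 * three live variants of it, and a 4-entry export table with one rewritten RVA. */
const uint8_t kCleanPrologue[8] = {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83};
const uint8_t kLiveJmpHook[8]   = {0xE9,0x11,0x22,0x33,0x44,0x57,0x48,0x83}; /* JMP rel32 */
const uint8_t kLivePushRet[8]   = {0x68,0x00,0x10,0x40,0x00,0xC3,0x48,0x83}; /* PUSH imm32; RET */
const uint8_t kLiveLateHook[8]  = {0x48,0x89,0x5C,0x24,0x08,0xE9,0x00,0x00}; /* patched at +5 */
const uint32_t kCleanEat[4] = {0x00011000, 0x00012340, 0x00009020, 0x00013000};
const uint32_t kLiveEat[4]  = {0x00011000, 0x00031000, 0x00009020, 0x00013000};
#define SAMPLE_EDIR_RVA   0x9000u   /* fictitious export directory: RVA 0x9000, size 0x100 */
#define SAMPLE_EDIR_SIZE  0x100u
#define SAMPLE_IMAGE_SIZE 0x20000u  /* fictitious SizeOfImage */

#ifdef _WIN32
#include <windows.h>
/* Walk every export of a loaded module straight from its export table (no
 * GetProcAddress, which could itself be hooked) and compare the EAT and each
 * export's first 16 bytes against the DLL file mapped with SEC_IMAGE, which
 * lays sections out at their virtual offsets so one RVA indexes both views.
 * Returns the number of findings, or -1 on error. Assumed wrapper, not run here. */
int scan_module(const char *name)
{
    const uint8_t *live = (const uint8_t *)GetModuleHandleA(name);
    char path[MAX_PATH];
    if (!live || !GetModuleFileNameA((HMODULE)live, path, MAX_PATH)) return -1;
    HANDLE f = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (f == INVALID_HANDLE_VALUE) return -1;
    HANDLE m = CreateFileMappingA(f, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    CloseHandle(f);
    const uint8_t *clean = m ? (const uint8_t *)MapViewOfFile(m, FILE_MAP_READ, 0, 0, 0) : NULL;
    if (!clean) return -1;
    /* Headers and directory location are taken from the clean copy, not the live one. */
    const IMAGE_NT_HEADERS *nt = (const IMAGE_NT_HEADERS *)(clean + ((const IMAGE_DOS_HEADER *)clean)->e_lfanew);
    IMAGE_DATA_DIRECTORY dd = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    const IMAGE_EXPORT_DIRECTORY *ed = (const IMAGE_EXPORT_DIRECTORY *)(clean + dd.VirtualAddress);
    const uint32_t *live_eat  = (const uint32_t *)(live  + ed->AddressOfFunctions);
    const uint32_t *clean_eat = (const uint32_t *)(clean + ed->AddressOfFunctions);
    int findings = 0;
    for (uint32_t i = 0; i < ed->NumberOfFunctions; i++) {
        eat_status s = classify_export(live_eat[i], clean_eat[i], dd.VirtualAddress, dd.Size,
                                       nt->OptionalHeader.SizeOfImage);
        if (s == EAT_MODIFIED || s == EAT_OUT_OF_IMAGE) {
            printf("%s export #%u: EAT entry rewritten (live %08x, clean %08x)\n",
                   name, i, live_eat[i], clean_eat[i]);
            findings++;
        } else if (s == EAT_OK && live_eat[i]) {   /* skip forwarders and empty ordinals */
            long off = prologue_first_diff(live + live_eat[i], clean + live_eat[i], 16);
            if (off >= 0) { printf("%s export #%u: prologue patched at +%ld\n", name, i, off); findings++; }
        }
    }
    UnmapViewOfFile(clean); CloseHandle(m);
    return findings;
}
#endif
```

On Windows, `scan_module("kernel32.dll")` reports rewritten EAT entries and patched prologues for every export at once, which also covers the "you would have to check all imported functions" point from the answer. Two caveats a practitioner should expect: a SEC_IMAGE view is not relocated, so on 32-bit builds prologues containing absolute addresses, and any exported data symbols, will differ legitimately and need to be filtered (for example by checking the RVA falls in an executable section); and, exactly as the answer says, an attacker already inside the process can hook CreateFileA or MapViewOfFile as well, so this is an integrity check to raise an alert on, not a guarantee.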