DioProcess

Hook Detection & Unhooking

Scan process IAT for inline hooks and restore hooked DLLs by replacing the .text section from disk.

Hook Detection

The hook scanner parses the Import Address Table (IAT) and compares imported function bytes with the original DLL from disk.

Detected Hook Patterns

Pattern              Description
E9 JMP               Near jump (5-byte inline hook)
E8 CALL              Near call hook
EB Short JMP         Short jump (2-byte hook)
FF25 Indirect JMP    Indirect jump via memory
MOV+JMP x64          48 B8 [addr] FF E0 or 48 B8 [addr] 50 C3 patterns

Algorithm

  1. Parse PE Import Directory to enumerate all imported DLLs and functions
  2. Read first 16 bytes of each imported function from process memory
  3. Detect hook patterns via detect_hook_type() function
  4. Read original DLL from System32 and compare function bytes
  5. Display results with hook location, memory vs disk bytes, and target module
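Steps 2 to 4 of this algorithm for a single import, as an added Python example that is not DioProcess's own code: the prologue classifier covers exactly the five documented patterns, and the disk comparison is what turns a pattern hit into a confirmed hook. The stub bytes, function address and jump target are constructed for the example.

```python
import struct
from typing import NamedTuple, Optional

STUB_LEN = 16  # the scanner reads the first 16 bytes of each imported function


class HookResult(NamedTuple):
    function: str
    hook_type: Optional[str]  # one of the documented patterns, or None when no pattern matched
    target: Optional[int]     # resolved absolute target (for FF25: the pointer slot, not the final target)
    first_diff: int           # first offset where memory differs from disk, -1 if identical


def detect_hook_type(code: bytes, func_addr: int):
    """Match the documented inline-hook prologues; relative operands are rebased to absolute addresses."""
    if len(code) >= 5 and code[0] == 0xE9:          # jmp rel32
        return "E9 JMP", func_addr + 5 + struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 5 and code[0] == 0xE8:          # call rel32
        return "E8 CALL", func_addr + 5 + struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 2 and code[0] == 0xEB:          # jmp rel8
        return "EB Short JMP", func_addr + 2 + struct.unpack_from("<b", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":  # jmp [rip+disp32]
        return "FF25 Indirect JMP", func_addr + 6 + struct.unpack_from("<i", code, 2)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] in (b"\xFF\xE0", b"\x50\xC3"):
        return "MOV+JMP x64", struct.unpack_from("<Q", code, 2)[0]  # mov rax, imm64; jmp rax / push rax; ret
    return None, None


def first_difference(mem: bytes, disk: bytes) -> int:
    """Offset of the first differing byte between the in-memory and on-disk prologue, or -1."""
    for i, (a, b) in enumerate(zip(mem[:STUB_LEN], disk[:STUB_LEN])):
        if a != b:
            return i
    return -1


def scan_import(function: str, func_addr: int, mem: bytes, disk: bytes) -> HookResult:
    """Classify the in-memory prologue, then confirm against the clean copy from disk.
    The pattern match alone is a hint (a clean export may legitimately begin with a jmp);
    a non-negative first_diff is what shows the prologue was modified in memory."""
    hook_type, target = detect_hook_type(mem, func_addr)
    return HookResult(function, hook_type, target, first_difference(mem, disk))


# Constructed sample data: a syscall-stub-shaped prologue (not bytes from any real Windows build).
CLEAN_STUB = bytes.fromhex("4C8BD1B850000000F604250803FE7F01")  # mov r10,rcx; mov eax,imm32; test ...
HOOKED_STUB = bytes.fromhex("E900100000") + CLEAN_STUB[5:]     # jmp +0x1000 written over the first 5 bytes
FUNC_ADDR = 0x7FFA12340000                                      # made-up address of the imported function

if __name__ == "__main__":
    for name, mem in (("NtProtectVirtualMemory", HOOKED_STUB), ("NtClose", CLEAN_STUB)):
        r = scan_import(name, FUNC_ADDR, mem, CLEAN_STUB)
        print(f"{r.function}: {r.hook_type or 'clean'} target={r.target and hex(r.target)} diff@{r.first_diff}")
```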

Supported DLLs

Hook detection works for all imported DLLs, including:

  • ntdll.dll
  • kernel32.dll
  • kernelbase.dll
  • user32.dll
  • advapi32.dll
  • ws2_32.dll

DLL Unhooking

Restore hooked DLLs by reading a clean copy from System32 and replacing the in-memory .text section.

Remote Unhooking Algorithm

  1. Read clean DLL from System32 via GetSystemDirectoryA
  2. Open target process with VM_OPERATION | VM_READ | VM_WRITE
  3. Parse PE headers to find .text section (RVA + raw offset)
  4. Make remote .text writable via VirtualProtectEx(PAGE_EXECUTE_WRITECOPY)
  5. Write clean .text bytes via WriteProcessMemory
  6. Restore original memory protection

Usage

Hook Scan

Right-click process → Inspect → Hook Scan

  • Results table shows module, address, hook type, bytes comparison
  • Filter by address or region name
  • Status shows hook count or clean status

Unhook from Scan Results

Right-click detected hook → "Unhook Module" to restore original bytes

Direct DLL Unhook

Right-click process → Miscellaneous → DLL Unhook → select DLL

Functions

Function                 Description
scan_process_hooks()     Scan IAT for hooks
unhook_dll_remote()      Unhook DLL in remote process
unhook_dll()             Unhook DLL in current process
is_function_hooked()     Check if function bytes match syscall stub

Test Suite

A test suite is included in assets/unhook_test/ with a MinHook-based DLL that hooks NtProtectVirtualMemory for testing the unhooking functionality.