Uncover some stealthy malware with Ring3 API Hook Scanner

Detecting rootkits and similar stealthy malware is always a challenge, so it can be a good idea to equip your PC with third-party tools which may be able to help.

The latest candidate is the rather geekily-named Ring3 API Hook Scanner, a new NoVirusThanks release which will scan your system for some user mode hook types (inline, IAT, EAT) and report on anything it finds.

As usual with NoVirusThanks tools, the program is well packaged and easy to use. There’s no installation and no hassles with adware or anything else: just unzip the download and launch either the 32-bit or 64-bit version, according to your needs (either way, there’s no driver required).

Then just click Scan and, if there are any hooks, within a few seconds you’ll see these listed, with details including the hook type, the owning process and module, the API function being hooked, relevant memory addresses, and so on.

Or, if even that’s too much hassle, a command line interface allows you to automate the process. Add a line such as “Ring3Scan.exe /pid:all /log:C:\Ring3Hooks.log” to a script and all you’ll have to do is check the log file occasionally for the latest details.
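Checking the log by hand gets old quickly, so here is one way to have a script flag only what changed since the last scan you reviewed. This is an added example, not part of the original article or the NoVirusThanks package: the two switches are the ones quoted above, while the folder paths, the baseline file and the assumption that the log is plain text with one finding per line are illustrative.

```powershell
# Added example. Only /pid:all and /log: come from the article; every path below
# is an assumption, as is the log being plain text with one finding per line.
$Scanner  = 'C:\Tools\Ring3Scan.exe'            # assumed location of the unzipped scanner
$LogDir   = 'C:\Ring3Logs'                      # assumed folder for per-run logs
$Baseline = Join-Path $LogDir 'baseline.log'    # output of the last scan you reviewed

# Mask address-like hex runs so a module loaded at a different address after a
# reboot does not make an unchanged hook look new.
function Get-NormalizedLines([string]$Path) {
    Get-Content -Path $Path |
        Where-Object { $_.Trim() } |
        ForEach-Object { $_.Trim() -replace '\b(0x)?[0-9a-f]{8,16}\b', '<addr>' } |
        Sort-Object -Unique
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$RunLog = Join-Path $LogDir ('scan-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

# Start-Process -Wait blocks until the scanner exits, even if it is a GUI binary.
Start-Process -FilePath $Scanner -ArgumentList '/pid:all', "/log:$RunLog" -Wait

if (-not (Test-Path $RunLog)) {
    # Ambiguous result: the scan may have failed, or nothing was written.
    Write-Warning "No log produced at $RunLog; check the scanner manually."
    exit 2
}

if (-not (Test-Path $Baseline)) {
    # First run: keep the output as the baseline and review it by hand.
    Copy-Item -Path $RunLog -Destination $Baseline
    Write-Output "Baseline created from $RunLog; review it before trusting later diffs."
    exit 0
}

$known = @(Get-NormalizedLines $Baseline)
$new   = @(Get-NormalizedLines $RunLog | Where-Object { $known -notcontains $_ })

if ($new.Count -gt 0) {
    Write-Warning "$($new.Count) log line(s) not present in the reviewed baseline:"
    $new
    exit 1
}
Write-Output 'No log lines beyond the reviewed baseline.'
```

If the log prints decimal process IDs, those lines will still differ between boots and the mask would need widening. Once you have reviewed a flagged run, copy its log over the baseline so the next scan compares against it.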

This is of course still a fairly basic tool, limited in what it can find, and no substitute for a full-strength rootkit detector.

Ring3 API Hook Scanner is also small, simple, easy and convenient to use, though, and that’s why it merits a place in every geek’s portable security toolkit.

This article originally appeared at softwarecrew.co.uk

Source: Copyright Software Crew
