Hooker Looker

Hooker-Looker is a Go utility for inspecting the functions exported by dynamically linked libraries (DLLs) on Windows. It enumerates the DLLs loaded in the current process, reads their export tables, and checks whether specific system-call stubs have been hooked by an EDR product such as Sophos. The results are printed as structured output to aid debugging and understanding of system DLL behavior.

Features

List all loaded DLLs in the current process.
Retrieve and display the base addresses of DLLs.
Extract and display the export table for specified DLLs, including function addresses and syscall numbers.
Identify hooked functions by analyzing the function bytes.
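The two steps the feature list describes, reading a loaded DLL's export table and then inspecting the first bytes of each exported stub, can be exercised without Windows at all. The following is an added example written for this page, not code from the Hooker-Looker project: it assumes a PE32+ (x64) image in loaded layout, where an RVA equals the byte offset from the image base, and it assumes the well-known unhooked x64 system-call prologue `mov r10, rcx; mov eax, <ssn>` (`4C 8B D1 B8 nn nn nn nn`). `SampleImage` builds a constructed, minimal image with two exports (one clean stub, one whose prologue was overwritten by a `jmp`) so the code runs offline; on Windows the same parser would be pointed at a real DLL base address.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// u32 reads a little-endian uint32 at off without running past the image.
func u32(img []byte, off uint32) (uint32, error) {
	if uint64(off)+4 > uint64(len(img)) {
		return 0, fmt.Errorf("offset 0x%x outside image", off)
	}
	return binary.LittleEndian.Uint32(img[off:]), nil
}

// ParseExports maps export names to RVAs by walking DOS header -> PE signature ->
// PE32+ optional header -> export data directory -> IMAGE_EXPORT_DIRECTORY (loaded layout).
func ParseExports(img []byte) (map[string]uint32, error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return nil, errors.New("missing DOS header")
	}
	pe, _ := u32(img, 0x3c)      // e_lfanew
	sig, e1 := u32(img, pe)      // "PE\0\0"
	magic, e2 := u32(img, pe+24) // optional header follows the 20-byte COFF header
	if e1 != nil || e2 != nil || sig != 0x00004550 || uint16(magic) != 0x20b {
		return nil, errors.New("not a PE32+ image")
	}
	expRVA, err := u32(img, pe+24+112) // DataDirectory[0] holds the export table RVA
	if err != nil || expRVA == 0 {
		return nil, err
	}
	var dir [10]uint32 // the 40-byte export directory viewed as ten uint32 fields
	for i := range dir {
		if dir[i], err = u32(img, expRVA+4*uint32(i)); err != nil {
			return nil, err
		}
	}
	numNames, funcs, names, ords := dir[6], dir[7], dir[8], dir[9]
	out := make(map[string]uint32, numNames)
	for i := uint32(0); i < numNames; i++ {
		nameRVA, e1 := u32(img, names+4*i)
		ordWord, e2 := u32(img, ords+2*i) // low 16 bits index AddressOfFunctions
		fn, e3 := u32(img, funcs+4*uint32(uint16(ordWord)))
		if e1 != nil || e2 != nil || e3 != nil || nameRVA >= uint32(len(img)) {
			return nil, errors.New("export tables run outside the image")
		}
		name := img[nameRVA:]
		if n := bytes.IndexByte(name, 0); n >= 0 {
			name = name[:n]
		}
		out[string(name)] = fn
	}
	return out, nil
}

// CheckStub examines the prologue of an x64 Nt*/Zw* stub. Unmodified it opens with
// "mov r10, rcx; mov eax, <ssn>" (4C 8B D1 B8 nn nn nn nn); an inline hook typically
// overwrites that with a jmp (E9). Only the prologue is checked, so deeper patches are missed.
func CheckStub(code []byte) (ssn uint32, hooked bool) {
	if len(code) >= 8 && bytes.Equal(code[:4], []byte{0x4C, 0x8B, 0xD1, 0xB8}) {
		return binary.LittleEndian.Uint32(code[4:8]), false
	}
	return 0, true
}

// SampleImage is a constructed, minimal PE32+ image in loaded layout (not a real DLL).
func SampleImage() []byte {
	img := make([]byte, 0x400)
	copy(img, "MZ")
	copy(img[0x80:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x98:], 0x20b) // PE32+ magic
	// e_lfanew; export data directory RVA/size; export directory Base, NumberOfFunctions,
	// NumberOfNames, AddressOfFunctions/Names/NameOrdinals; function and name tables.
	for off, v := range map[int]uint32{0x3c: 0x80, 0x98 + 112: 0x200, 0x98 + 116: 0x100,
		0x210: 1, 0x214: 2, 0x218: 2, 0x21c: 0x240, 0x220: 0x250, 0x224: 0x260,
		0x240: 0x300, 0x244: 0x320, 0x250: 0x270, 0x254: 0x280} {
		binary.LittleEndian.PutUint32(img[off:], v)
	}
	binary.LittleEndian.PutUint16(img[0x262:], 1) // AddressOfNameOrdinals = {0, 1}
	copy(img[0x270:], "NtCleanFn\x00")
	copy(img[0x280:], "NtPatchedFn\x00")
	copy(img[0x300:], []byte{0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0, 0, 0, 0x0F, 0x05, 0xC3}) // clean, SSN 0x18
	copy(img[0x320:], []byte{0xE9, 0, 0x10, 0, 0, 0, 0, 0, 0x0F, 0x05, 0xC3})          // jmp rel32 over the prologue
	return img
}

func main() {
	img := SampleImage() // on Windows this would be the mapped DLL read from its base address
	exps, err := ParseExports(img)
	if err != nil {
		panic(err)
	}
	for name, rva := range exps { // real use would keep only Nt*/Zw* names and bounds-check rva+8
		ssn, hooked := CheckStub(img[rva : rva+8])
		fmt.Printf("%-12s rva=0x%x ssn=0x%02x hooked=%v\n", name, rva, ssn, hooked)
	}
}
```

Every read goes through a bounds-checked helper, so a truncated or malformed image yields an error rather than a panic; that matters when the input is memory read from another module rather than a trusted file. The prologue check also recovers the syscall number from a clean stub, which is how a tool like this can list SSNs alongside addresses, and the comment on `CheckStub` records the caveat that a hook placed after the first eight bytes would go unnoticed.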

Dependencies

Make sure to have the following:

Go 1.18 or later
The github.com/jedib0t/go-pretty/v6 library for tabular output.
The golang.org/x/sys/windows package for Windows API access.

Installation

Clone the repository to your local machine:

```bash
git clone https://github.com/PeaceKeeper96/hooker-looker
cd hooker-looker
```

Install the necessary Go modules:

```bash
go mod tidy
```

Usage

Build the application:

```bash
go build
```

A quick reminder: if you are developing on Linux, you will need to cross-compile for Windows, since the tool relies on Windows APIs.


Security Considerations

Use this tool responsibly, ensuring you have permission to inspect and analyze the DLLs on your machine.
This tool is primarily for educational and debugging purposes. Ensure that you comply with any applicable laws and guidelines regarding software examination.

Future Improvements

Enhance identification of hooked functions.
Add support for user-defined DLL names to inspect.
Include more comprehensive error handling.

License

This project is intended for educational and research purposes only. Modify and use as necessary while adhering to ethical practices and legal standards.

About

An AV hook finder written in Go.
