4.7. Scan for IAT Hooks (iat)

hasherezade edited this page Apr 13, 2020 · 18 revisions
Option: /iat
/iat <*scan_mode>
	: Scan for IAT hooks.
*scan_mode:
	0 - none: do not scan for IAT Hooks (default)
	1 - filtered: scan for IAT Hooks, filter out system hooks
	2 - unfiltered: scan for IAT Hooks, report all

PE-sieve can scan the Import Address Table (IAT) to detect possible hooks. It generates a report in the following format:

<call via RVA>;<original function>-><hook function>;<hook module addr>+<offset>;<is module detected as suspicious>
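
A parser for the report format above, added here as an example; it is not part of PE-sieve or of the original page. It assumes that the numeric fields are hexadecimal and that the last field is `0` or `1`. The sample lines and the names `IatHook`, `parse_line` and `parse_report` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IatHook:
    call_via_rva: int   # RVA of the IAT slot the call goes through
    original: str       # function the import is expected to resolve to
    hook: str           # function it resolves to instead
    module_base: int    # base address of the module holding the hook
    offset: int         # offset of the hook target inside that module
    suspicious: bool    # whether the hooking module was flagged

    @property
    def target(self) -> int:
        """Absolute address the hooked import points to."""
        return self.module_base + self.offset

def parse_line(line: str) -> IatHook:
    fields = line.strip().split(";")
    if len(fields) != 4:
        raise ValueError(f"expected 4 ';'-separated fields, got {len(fields)}")
    rva, funcs, location, flag = fields
    original, arrow, hook = funcs.partition("->")
    base, plus, offset = location.rpartition("+")
    if not arrow or not plus:
        raise ValueError("missing '->' or '+' separator")
    # Assumption: numbers are hexadecimal, the flag is "0" or "1".
    if flag not in ("0", "1"):
        raise ValueError(f"unexpected suspicious flag {flag!r}")
    return IatHook(int(rva, 16), original, hook,
                   int(base, 16), int(offset, 16), flag == "1")

def parse_report(text: str):
    """Return (parsed hooks, [(line number, error)] for rejected lines)."""
    hooks, rejected = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            hooks.append(parse_line(line))
        except ValueError as exc:  # malformed or truncated line
            rejected.append((number, str(exc)))
    return hooks, rejected

# Constructed sample report (not real PE-sieve output).
SAMPLE = """\
2010;kernel32.CreateFileW->hookdll.MyCreateFileW;10000000+1a40;1
2018;kernel32.Sleep->apphelp.SleepShim;6f000000+2c10;0
truncated;line
"""
```

Rejected lines are returned rather than dropped, so a truncated report is visible to whoever reviews the scan results.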