PreVice: Static Detection of Hooking Capabilities in Machine Code, presented at Recon Montreal 2018

by Derek Soeder, Claudiu Teodorescu, Andy Wortman

Summary: In the future, static analysis catches hookers before they have a chance to act. We present PreVice, a static analyzer that very quickly detects a variety of hooking capabilities--including Detours, import, and syscall hooking--in x86 and x64 Windows PEs. We discuss the inner workings of the static analyzer in theory and practice, and then we delve into some of the interesting things we found during a scan of many, many millions of files.
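The abstract names three capability classes (Detours, import hooking, syscall hooking) without describing how a static scanner would flag them. The following is an added illustration, not PreVice's code or rule set: it scans a raw PE image for two kinds of static evidence a defender can check without executing the file. First, the presence of API names that a hooking component needs (Microsoft Detours entry points, `VirtualProtect`/`WriteProcessMemory`/`GetProcAddress` for patching and import-table rewriting, `SetWindowsHookEx*` for message hooks). Second, the byte shape of an x64 NT system-call stub (`mov r10, rcx ; mov eax, imm32 ; ... ; syscall`), which belongs in ntdll and is a capability indicator when it appears inside an ordinary user-mode module. The indicator lists, the `scan_bytes` helper and the sample image are all constructed here; a production scanner would walk the import directory rather than string-search the whole file, which is the simplification noted in the comments.

```python
import re
from dataclasses import dataclass, field

# Constructed indicator sets (an assumption for this example, not PreVice's rules).
# Names are real Win32 / Detours exports; matching them anywhere in the file is a
# simplification of parsing the PE import directory.
HOOK_APIS = {
    "import": {b"GetProcAddress", b"VirtualProtect", b"WriteProcessMemory"},
    "detours": {b"DetourTransactionBegin", b"DetourAttach", b"DetourTransactionCommit"},
    "winhook": {b"SetWindowsHookExA", b"SetWindowsHookExW"},
}

# x64 NT syscall stub shape: 4C 8B D1 (mov r10,rcx), B8 imm32 (mov eax,N),
# optionally a few bytes of version checks, then 0F 05 (syscall).
SYSCALL_STUB_X64 = re.compile(
    rb"\x4c\x8b\xd1\xb8(..)\x00\x00.{0,16}?\x0f\x05", re.DOTALL
)


@dataclass
class ScanResult:
    apis: dict = field(default_factory=dict)       # category -> sorted API names found
    syscalls: list = field(default_factory=list)   # (file offset, syscall number)

    def categories(self) -> list:
        """Capability classes flagged for this image, sorted for stable output."""
        cats = set(self.apis)
        if self.syscalls:
            cats.add("syscall")
        return sorted(cats)


def scan_bytes(data: bytes) -> ScanResult:
    """Static scan of a PE image's raw bytes for hooking-capability indicators."""
    result = ScanResult()
    for category, names in HOOK_APIS.items():
        found = sorted(name.decode() for name in names if name in data)
        if found:
            result.apis[category] = found
    for match in SYSCALL_STUB_X64.finditer(data):
        number = int.from_bytes(match.group(1), "little")
        result.syscalls.append((match.start(), number))
    return result


# Constructed sample image: a fake MZ header, some import-name strings and an
# embedded x64 syscall stub for (constructed) service number 0x55.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 64
    + b"kernel32.dll\x00VirtualProtect\x00GetProcAddress\x00"
    + b"DetourAttach\x00"
    + b"\x4c\x8b\xd1\xb8\x55\x00\x00\x00\x0f\x05\xc3"
)


if __name__ == "__main__":
    r = scan_bytes(SAMPLE_IMAGE)
    print("capabilities:", r.categories())
    print("apis:", r.apis)
    print("syscall stubs:", [(hex(off), hex(n)) for off, n in r.syscalls])
```

The hit list is evidence, not a verdict: many legitimate binaries import `GetProcAddress` and `VirtualProtect`, so a practitioner would weight the categories (a Detours export or a bare `syscall` stub in a user-mode DLL is far more specific than a single memory-protection API) and confirm the names come from the import directory rather than from unrelated string data.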