Refactor of hooks detection function, add 2 more functions to check

pafish/hooks.c

@@ -5,23 +5,20 @@
 #include "types.h"
 
 /* Thx Inaki for this! (@virtualminds_es) */
-int check_hook_DeleteFileW_m1() {
+static int check_hook_m1(DWORD * dwAddress) {
-	DWORD *dwAddress = (DWORD *)DeleteFileW;
 	BYTE *b = (BYTE *)dwAddress;
-	if ((*b == 0xff) && (*(b+1) == 0x25)) {
+	return (*b == 0x8b) && (*(b+1) == 0xff) ? FALSE : TRUE;
-		b++; b++;
-		dwAddress = (DWORD *)b;
-		DWORD *c = (DWORD *)(*dwAddress);
-		BYTE *op = (BYTE *)*c;
-
-		if ((*op == 0x8b) && (*(op+1) == 0xff)) {
-			return FALSE;
-		}
-		else {
-			return TRUE;
-		}
-	}
-	else {
-		return FALSE;
-	}
 }
+
+int check_hook_DeleteFileW_m1() {
+	return check_hook_m1((DWORD *)DeleteFileW);
+}
+
+int check_hook_ShellExecuteExW_m1() {
+	return check_hook_m1((DWORD *)ShellExecuteExW);
+}
+
+int check_hook_CreateProcessA_m1() {
+	return check_hook_m1((DWORD *)CreateProcessA);
+}
+

pafish/hooks.h

@@ -4,4 +4,8 @@
 
 int check_hook_DeleteFileW_m1();
 
+int check_hook_ShellExecuteExW_m1();
+
+int check_hook_CreateProcessA_m1();
+
 #endif

pafish/main.c

@@ -144,7 +144,15 @@ int main(void)
 	exec_check("Checking function DeleteFileW method 1",
 		   &check_hook_DeleteFileW_m1,
 		   "Hooks traced using DeleteFileW method 1",
-		   "hi_hooks_deletefile_m1");
+		   "hi_hooks_deletefilew_m1");
+	exec_check("Checking function ShellExecuteExW method 1",
+		   &check_hook_ShellExecuteExW_m1,
+		   "Hooks traced using ShellExecuteExW method 1",
+		   "hi_hooks_shellexecuteexw_m1");
+	exec_check("Checking function CreateProcessA method 1",
+		   &check_hook_CreateProcessA_m1,
+		   "Hooks traced using CreateProcessA method 1",
+		   "hi_hooks_createprocessa_m1");
 
 	/* Sandboxie detection tricks */
 	print_check_group("Sandboxie detection");