1. Home
  2. Detection Strategies
  3. Detection of Hooking

Detection of Hooking

Technique Detected:  Hooking | T0874

ID: DET0722
Domains: ICS
Analytics: AN1855
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN1855

Monitor for API calls that can be used to install a hook procedure, such as the SetWindowsHookEx and SetWinEventHook functions.[1][2] Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools[2][3][4] or by programmatically examining internal kernel structures.[5][6]
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

Log Sources
Data Component Name Channel
OS API Execution (DC0021) Process None
Process Metadata (DC0034) Process None

References

  1. Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
  2. Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
  3. Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
  1. Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017.
  2. Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017.
  3. Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.