Detect Wow64 User-Mode Hooks

1. //http://waleedassar.blogspot.com - (@waleedassar)
2. //Code to detect Wow64 user-mode hooks.
3. #include "stdafx.h"
4. #include "windows.h"
5.  
6.  
7. int main(int argc, char* argv[])
8. {
9.     unsigned short cs_=0;
10.     unsigned char* WOW32Reserved=0;
11.     unsigned long PEB64=0;
12.     __asm
13.     {
14.         pushad
15.         mov eax, dword ptr fs:[0xC0]
16.         mov WOW32Reserved,eax
17.         mov eax,dword ptr fs:[0x30]
18.         add eax,0x1000
19.         mov PEB64,eax
20.         mov cs_,cs
21.         popad
22.     }
23.     if(!WOW32Reserved) return 1;  //not 64-bit system
24.     if(  (*WOW32Reserved==0xEA)&&( *(unsigned short*)(WOW32Reserved+5)!=cs_ )  )
25.     {
26.         unsigned long CpupReturnFromSimulatedCode=*(unsigned long*)(WOW32Reserved+1);
27.         MEMORY_BASIC_INFORMATION MBI={0};
28.         VirtualQuery((void*)CpupReturnFromSimulatedCode,&MBI,sizeof(MBI));
29.         if(MBI.Type==MEM_IMAGE)
30.         {
31.             unsigned long ldrData=*(unsigned long*)(PEB64+0x18);
32.             unsigned long pInLoadOrder=(ldrData+0x10);
33.             unsigned long runner=*(unsigned long*)pInLoadOrder;
34.             while(runner!=pInLoadOrder)
35.             {
36.                 unsigned long IB=*(unsigned long*)(runner+0x30);
37.                 unsigned long szImage=*(unsigned long*)(runner+0x40);
38.                 wchar_t* BaseName=*(wchar_t**)(runner+0x60);
39.                 if(lstrcmpiW(BaseName,L"wow64cpu.dll")==0)
40.                 {
41.                     if( (CpupReturnFromSimulatedCode>=IB)&&(CpupReturnFromSimulatedCode<(IB+szImage)) ) return 1;  //the wow64 process is not hooked
42.                     else break;
43.                 }
44.                 runner=*(unsigned long*)runner;
45.             }
46.         }
47.     }
48.     MessageBox(0,"Hooked Wow64 process","waliedassar",0);
49.     return 0;  //hooked
50. }