Ring3 API Hook Scanner

Product Overview

NoVirusThanks Ring3 API Hook Scanner is a powerful usermode utility to help detect some types of usermode hooks in processes such as inline, IAT and EAT hooks. No driver is needed and detailed information is provided about detected API hooks.


We have developed also the command-line version of the program, it has been included into third-party free security applications, such as Buster Sandbox Analyzer and others, to list usermode hooks. Specific processes can be scanned via command-line or all currently running processes can be scanned as well.

Available command-line parameters:

Scan every running process:
Ring3Scan_Cmdline.exe /pid:all

Scan only the running process with PID 1234:
Ring3Scan_Cmdline.exe /pid:1234

Scan only the running process with PID 1234 and redirect output to a file:
Ring3Scan_Cmdline.exe /pid:1234 > C:\Ring3Hooks.log

NoVirusThanks Ring3 API Hook Scanner is fully compatible with the following 32-bit and 64-bit Microsoft Windows Operating Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 7, Windows 8, Windows 8.1

Reviewed by Martin Brinkmann for gHacks.net

I keep an assortment of tools ready on my PC in case I need to dig deeper than that and Ring3 API Hook Scanner has just been added to it. The program is a free portable security application for the Windows operating system that can be used to scan all running processes for “some types of usermode hooks”. In other words, it is an anti-rootkit software.

Continue reading…

Additional Details

File Version
Last Updated 04 February 2015
Category Malware Analysis
License Type Freeware
Operating System Windows All (32-bit / 64-bit)

Recent Changes and Fixes

[04-02-2015] - v1.6.0.0

+ Added a button to stop the scan

[05-05-2014] - v1.5.0.0

+ Minor fixes and optimizations
+ Optimized the About window

[07-04-2014] - v1.4.0.0

+ Minor fixes and optimizations
+ Created an installer version

[13-10-2012] - v1.3.0.0

+ Fixed the commandline version to not save the file disasm.txt

[16-09-2012] - v1.2.0.0

+ Fixed bug in IAT hook scan for x86 version