The Hooksware pattern (Volume 2, page 63) originally came from the memory dump analysis pattern catalog and is too general for the malware analysis pattern catalog, so we decided to factor out three separate patterns. The first one covers cases such as in-place patching:
0:004> u ntdll!ZwQueryDirectoryFile
ntdll!ZwQueryDirectoryFile:
77814db4 b8da000000      mov     eax,0DAh
77814db9 bae8af0500      mov     edx,5AFE8h
77814dbe ff12            call    dword ptr [edx]
77814dc0 c22c00          ret     2Ch
77814dc3 90              nop
ntdll!NtQueryDirectoryObject:
77814dc4 b8db000000      mov     eax,0DBh
77814dc9 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
77814dce ff12            call    dword ptr [edx]
and detour patching, where the first instruction of the function is replaced with a jump to code elsewhere:
0:004> u wininet!InternetReadFile
wininet!InternetReadFile:
7758654b e98044ac88      jmp     0004a9d0
77586550 83ec24          sub     esp,24h
77586553 53              push    ebx
77586554 56              push    esi
77586555 57              push    edi
77586556 33ff            xor     edi,edi
77586558 393db8116277    cmp     dword ptr [wininet!GlobalDataInitialized (776211b8)],edi
7758655e 897df4          mov     dword ptr [ebp-0Ch],edi
In WinDbg this pattern is usually detected at the crash point, for example via the RIP Stack Trace pattern (page 244), or from the output of the !chkimg command, which compares the in-memory code of a module against its on-disk image.
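The following Python script is an added example, not code from the original post, that performs the same comparison !chkimg does for a single function and then classifies the result as either of the two cases shown above: a relative JMP written over the entry point (detour patching) or modified bytes inside an otherwise intact body (in-place patching). The byte strings are constructed test vectors built from the two disassembly listings; the "on-disk" bytes assume the standard unpatched forms of those routines (the hot-patch prologue mov edi,edi / push ebp / mov ebp,esp for InternetReadFile, and mov edx,7ffe0300h for the ntdll stub), and the module address ranges are assumed values used only to show whether a jump target lands inside any known module.

```python
"""Compare a function's bytes from a memory image against the on-disk module and
classify any patch as a detour (JMP at entry) or an in-place modification.

Added example for this page. All byte strings and module ranges below are
constructed or assumed test data, not output captured from a real process.
"""
import struct
from typing import Dict, List, Optional, Tuple


def find_patched_offsets(disk_bytes: bytes, mem_bytes: bytes) -> List[int]:
    """Offsets where the in-memory copy differs from the on-disk copy
    (the per-byte check !chkimg performs across a whole module)."""
    if len(disk_bytes) != len(mem_bytes):
        raise ValueError("compare ranges of equal length")
    return [i for i, (d, m) in enumerate(zip(disk_bytes, mem_bytes)) if d != m]


def jump_target(entry_addr: int, mem_bytes: bytes) -> Optional[int]:
    """If the entry point now starts with E9 rel32 (near relative JMP),
    return its 32-bit target: entry + 5 + rel32, as the disassembler prints it."""
    if len(mem_bytes) >= 5 and mem_bytes[0] == 0xE9:
        rel32 = struct.unpack_from("<i", mem_bytes, 1)[0]  # signed displacement
        return (entry_addr + 5 + rel32) & 0xFFFFFFFF
    return None


def owning_module(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name of the module whose [start, end) range contains addr, if any.
    A jump target outside every loaded module is the classic detour symptom."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None


def classify(entry_addr: int, disk_bytes: bytes, mem_bytes: bytes,
             modules: Dict[str, Tuple[int, int]]) -> dict:
    """Return a verdict dict: clean, detour (JMP written over the entry)
    or in-place (bytes changed without redirecting the entry)."""
    diffs = find_patched_offsets(disk_bytes, mem_bytes)
    if not diffs:
        return {"verdict": "clean", "patched_offsets": [],
                "target": None, "target_module": None}
    target = jump_target(entry_addr, mem_bytes)
    if target is not None and diffs[0] == 0:
        return {"verdict": "detour", "patched_offsets": diffs,
                "target": target, "target_module": owning_module(target, modules)}
    return {"verdict": "in-place", "patched_offsets": diffs,
            "target": None, "target_module": None}


# Constructed test vectors (assumed module ranges; addresses from the listings).
MODULES = {"ntdll": (0x777D0000, 0x77910000), "wininet": (0x77580000, 0x77660000)}

# wininet!InternetReadFile at 7758654b: memory shows e9 80 44 ac 88 (jmp 0004a9d0)
# followed by sub esp,24h / push ebx / push esi / push edi. The on-disk prologue
# is assumed to be the 5-byte hot-patch prologue mov edi,edi / push ebp / mov ebp,esp.
WININET_ENTRY = 0x7758654B
WININET_DISK = bytes.fromhex("8bff558bec" "83ec24535657")
WININET_MEM = bytes.fromhex("e98044ac88" "83ec24535657")

# ntdll!ZwQueryDirectoryFile at 77814db4: memory shows mov edx,5AFE8h where the
# on-disk stub is assumed to hold mov edx,offset SharedUserData!SystemCallStub.
NTDLL_ENTRY = 0x77814DB4
NTDLL_DISK = bytes.fromhex("b8da000000" "ba0003fe7f" "ff12" "c22c00" "90")
NTDLL_MEM = bytes.fromhex("b8da000000" "bae8af0500" "ff12" "c22c00" "90")

if __name__ == "__main__":
    for name, entry, disk, mem in (("wininet!InternetReadFile", WININET_ENTRY, WININET_DISK, WININET_MEM),
                                   ("ntdll!ZwQueryDirectoryFile", NTDLL_ENTRY, NTDLL_DISK, NTDLL_MEM)):
        r = classify(entry, disk, mem, MODULES)
        line = f"{name}: {r['verdict']}, patched offsets {r['patched_offsets']}"
        if r["target"] is not None:
            line += f", jmp target {r['target']:08x} in module {r['target_module']}"
        print(line)
```

The detour case reproduces the target the debugger printed (0004a9d0), and because that address falls outside every module range it is flagged as belonging to no known module, which is what makes the listing suspicious at a glance. The ntdll case reports only the four changed immediate bytes, the in-place signature. In a real triage the "disk" side would come from mapping the module file from disk, or simply from !chkimg -d, rather than from hard-coded bytes.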