As a first step we need to verify that the main hooking DLL is loaded. Depending on whether the process is 32-bit or 64-bit, we will be looking for either mfaphook.dll or mfaphook64.dll.
To verify that the DLL is loaded, we need a third-party tool. In this case we will be using Process Explorer from Microsoft’s Sysinternals Suite.
Here is an example for mfaphook64.dll and the winlogon.exe process:
- Download Process Explorer and unzip the content on your VDA or XenApp server where the target process is running
- Run procexp.exe as a user with administrative privileges
- From the menu, select View -> Show Lower Pane to enable the lower pane
- From the menu, select View -> Lower Pane View -> DLLs
- In the upper panel, select the target process (e.g. winlogon.exe) by clicking on its name
- The lower panel will refresh and display the DLLs loaded by the process
- Now we can see that mfaphook64.dll is loaded by the process
The same procedure can be repeated for child hooks (those that drive XenApp and XenDesktop features) such as scardhook64.dll (Smart Card virtual channel hooking):
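The same check can be scripted so it does not depend on reading the Process Explorer lower pane by eye. The following is an added example, not part of the original article or a Citrix tool: it picks the expected hook DLL from the target's bitness, reports whether it is loaded, and lists child hooks such as scardhook64.dll. It assumes an elevated 64-bit PowerShell session on the VDA or XenApp server; the `Test-CitrixHook` function name and the `<name>hook[64].dll` pattern used to spot child hooks are assumptions of this example.

```powershell
# Added example (not from the original article). Checks that the Citrix hook DLL
# matching the process bitness is loaded (mfaphook.dll for 32-bit, mfaphook64.dll
# for 64-bit) and lists child hook DLLs. Run from an elevated 64-bit PowerShell.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);
'@

function Test-CitrixHook {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    # A process is 32-bit if it runs under WoW64 (or if the OS itself is 32-bit).
    $isWow64 = $false
    [void][Win32.Native]::IsWow64Process($Process.Handle, [ref]$isWow64)
    $is64Bit  = [Environment]::Is64BitOperatingSystem -and -not $isWow64
    $expected = if ($is64Bit) { 'mfaphook64.dll' } else { 'mfaphook.dll' }

    # Process.Modules is the same loaded-DLL list Process Explorer shows in its lower pane.
    $modules  = $Process.Modules | ForEach-Object { $_.ModuleName }
    $mainHook = $modules | Where-Object { $_ -ieq $expected }

    # Assumed heuristic: child hooks (e.g. scardhook64.dll) follow the <name>hook[64].dll pattern.
    $childHooks = $modules | Where-Object { $_ -imatch '^(?!mfaphook)\w+hook(64)?\.dll$' }

    [pscustomobject]@{
        Process      = $Process.ProcessName
        PID          = $Process.Id
        Bitness      = if ($is64Bit) { '64-bit' } else { '32-bit' }
        ExpectedHook = $expected
        HookLoaded   = [bool]$mainHook
        ChildHooks   = ($childHooks -join ', ')
    }
}

# Inspect every winlogon.exe instance (one per session) on this server.
Get-Process -Name winlogon -ErrorAction Stop |
    ForEach-Object { Test-CitrixHook -Process $_ } |
    Format-Table -AutoSize
```

A `HookLoaded` value of `False` for the expected DLL is the condition the Process Explorer steps above are meant to catch; module enumeration of system processes fails without elevation, so run the script as an administrator.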