After injecting the malicious code into the target process, malware can hook API calls made by the target process to control its execution path and reroute it to the malicious code. The details of hooking techniques were covered in Chapter 8, Code Injection and Hooking (in the Hooking Techniques section). In this section, we will mainly focus on detecting such hooking techniques using memory forensics. To identify API hooks in both processes and kernel memory, you can use the apihooks Volatility plugin. In the following example of Zeus bot, an executable is injected into the explorer.exe process's memory at address 0x2c70000, as detected by the malfind plugin:

$ python vol.py -f zeus.vmem --profile=Win7SP1x86 malfind ...