HookShark BETA for
[ Tools ]
Status:
- Anti-Cheat Proof: none
- Author: DeepBlueSea
- Release Date: 17.08.08
- Downloads: 567
- Size: 331.05 kb
- Submitted by: CampStaff
Description:
Currently detects:
* - Inline patches / Hooks (NOP, exception handler, relative jumps)
* - Other custom patches [...]
* - IAT and EAT Hooks
* - Relocation Hooks
* - Hardware Breakpoints
Currently unhooks:
* - Inline ...
Unmodified Readme for HookShark BETA
HookShark is a detector of installed hooks and patches installed on the system (only usermode for now). It scans through the code-section of every loaded module of each running process and compares it with the file-image. If it detects discrepancies it tries to determine the type of hook or patch and reports it to the user. The detailed report about the type of patch is not 100% reliable and can be wrong. HookShark makes many assumptions and guesses during analysis and report, because of the nature of assembly. In some cases we can't theoretically determine with 100% accuracy whether a block of bytes is data or code. We also cannot determine where the next instruction begins, if we are in the middle of a patched block of bytes. An almost safe presumption can only be achieved through full-blown x86 emulation tracing from the entry-point of the binary. But even then not all execution paths are necessarily covered. Yes, even IDA has problems with this.
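
The comparison the readme describes can be modelled on plain byte buffers. The sketch below is an added example, not HookShark's code: it rebases the on-disk code section the way the loader would, diffs it against the in-memory copy, and makes a best-effort guess at each patch type. It assumes 32-bit x86, offsets relative to the start of the code section, and constructed sample bytes, addresses and names (`DISK`, `MEMORY`, `HOOK_TARGET`).

```python
import struct

def apply_relocs(disk, reloc_offsets, delta):
    """Rebase on-disk code as the loader does: add delta to each 32-bit fixup."""
    buf = bytearray(disk)
    for off in reloc_offsets:
        (val,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)

def diff_ranges(expected, actual, gap=1):
    """Differing [start, end) ranges; runs split by <= gap equal bytes are merged,
    since a patch byte can coincide with the original byte it overwrote."""
    ranges = []
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b:
            if ranges and i - ranges[-1][1] <= gap:
                ranges[-1][1] = i + 1
            else:
                ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]

def classify(actual, start, end, base):
    """Best-effort guess at the patch type; None where no jump target applies."""
    patch = actual[start:end]
    if all(b == 0x90 for b in patch):
        return ("nop", None)
    if patch[0] == 0xE9 and len(patch) >= 5:  # E9 rel32: target is relative to next instruction
        (rel,) = struct.unpack_from("<i", patch, 1)
        return ("jmp rel32", (base + start + 5 + rel) & 0xFFFFFFFF)
    return ("other", None)

def scan(disk, memory, reloc_offsets, preferred_base, load_base):
    """Report (address, length, kind, jump_target) for each modified range."""
    expected = apply_relocs(disk, reloc_offsets, load_base - preferred_base)
    return [(load_base + s, e - s) + classify(memory, s, e, load_base)
            for s, e in diff_ranges(expected, memory)]

# Constructed sample: a 21-byte 32-bit x86 function; offset 7 holds an absolute address.
DISK = bytes.fromhex("558BEC83EC08" "A100204000" "85C0" "7402" "33C0" "8BE55DC3")
RELOCS, PREF, LOAD, HOOK_TARGET = [7], 0x00401000, 0x00501000, 0x0FFFFD00
mem = bytearray(apply_relocs(DISK, RELOCS, LOAD - PREF))
mem[0:5] = b"\xE9" + struct.pack("<i", HOOK_TARGET - (LOAD + 5))  # inline jump hook
mem[13:15] = b"\x90\x90"                                          # jz replaced by NOPs
MEMORY = bytes(mem)

if __name__ == "__main__":
    for addr, size, kind, target in scan(DISK, MEMORY, RELOCS, PREF, LOAD):
        print(f"{addr:#010x} +{size}: {kind}" + (f" -> {target:#010x}" if target else ""))
```

Diffing `DISK` against `MEMORY` without the rebase step also flags the relocated address at offset 9, which is a false positive on any module loaded away from its preferred base.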

