hollerith

unhook_ntdl.cxx

Jun 13th, 2020
  1. #include "pch.h"
  2. #include <iostream>
  3. #include <Windows.h>
  4. #include <winternl.h>
  5. #include <psapi.h>
  6.  
// Entry point. Overwrites the .text section of the ntdll.dll already loaded in
// this process with the .text section of a fresh, read-only SEC_IMAGE mapping
// of the on-disk ntdll.dll, then puts the original page protection back.
//
// Observable sequence (what a monitoring/detection engineer would key on):
//   1. a second SEC_IMAGE mapping of ntdll.dll is created in the process;
//   2. the loaded ntdll's .text range is changed to PAGE_EXECUTE_READWRITE;
//   3. that range is overwritten with memcpy;
//   4. the previous protection is restored.
// Returns 0 unconditionally; no API return value is checked.
int main()
{
    // Pseudo-handle for the calling process, not a real handle object.
    HANDLE process = GetCurrentProcess();
    MODULEINFO mi = {};
    // Base of the already-loaded ntdll. GetModuleHandleA does not take a
    // reference on the module.
    HMODULE ntdllModule = GetModuleHandleA("ntdll.dll");

    // NOTE(review): return value unchecked. If this fails, mi stays zeroed,
    // ntdllBase is NULL and is dereferenced below through hookedDosHeader.
    GetModuleInformation(process, ntdllModule, &mi, sizeof(mi));
    LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;
    // Open the on-disk copy read-only and map it as an image (SEC_IMAGE), so
    // the section layout in the view matches a loaded module rather than the
    // raw file layout; this is what makes the RVA-based copy below line up.
    HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    // NOTE(review): ntdllFile, ntdllMapping and ntdllMappingAddress are not
    // validated (INVALID_HANDLE_VALUE / NULL) before being used.
    LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);

    // Walk the PE headers of the loaded (possibly hooked) ntdll.
    PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
    PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);

    for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) {
        // i-th section header: headers are laid out contiguously after the
        // NT headers, IMAGE_SIZEOF_SECTION_HEADER bytes apart.
        PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));

        // Only the .text (code) section is touched.
        // NOTE(review): Name is a fixed 8-byte field that is not guaranteed to
        // be NUL-terminated; strcmp is only safe here because ".text" is shorter
        // than 8 bytes — this comparison is not a general-purpose one.
        if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {
            DWORD oldProtection = 0;
            // Temporarily make ntdll's code writable+executable. An RWX
            // protection change on an image-backed ntdll region is a strong
            // signal for memory-protection monitoring.
            bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
            // Copy VirtualSize bytes from the same RVA in the clean mapping
            // over the loaded section.
            memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize);
            // Restore the protection saved above. isProtected is assigned
            // twice but never read, so VirtualProtect failures go unnoticed.
            isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
        }
    }

    // CloseHandle on the GetCurrentProcess pseudo-handle has no effect.
    CloseHandle(process);
    CloseHandle(ntdllFile);
    CloseHandle(ntdllMapping);
    // NOTE(review): the view at ntdllMappingAddress is never unmapped (no
    // UnmapViewOfFile call), and FreeLibrary is paired with a GetModuleHandleA
    // that took no reference on ntdll.
    FreeLibrary(ntdllModule);

    return 0;
}