/// @brief Replaces the code section of ntdll.dll in the current process with
///        the bytes of that same range read from a freshly created, suspended
///        instance of this executable.
///
/// Flow: locate ntdll's code section (BaseOfCode/SizeOfCode), record a CRC32 of
/// it, spawn this process's own image with CREATE_SUSPENDED so its initial
/// thread never runs, make the local code section writable, copy the child's
/// copy of the range over it, restore the protection, kill the child.
///
/// @return TRUE only if ReadProcessMemory succeeded; FALSE if any prior step
///         failed. The return value says nothing about whether the section
///         actually changed - that is only reported via DbgPrint (CRC before vs
///         after).
///
/// NOTE(review): several steps here are the kind of activity endpoint
/// monitoring commonly keys on (a process spawning a suspended copy of
/// itself, a cross-process read of the ntdll code range, and a
/// PAGE_EXECUTE_READWRITE protection change over ntdll's code section). The
/// function has no synchronization: other threads executing ntdll code while
/// the range is being overwritten can observe a partially copied section.
BOOL UnhookNT()
{
    BOOL fOk = FALSE;
    // ntdll is already mapped in every process; this just resolves its base.
    if (HMODULE hmod = GetModuleHandleW(L"ntdll"))
    {
        if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod))
        {
            // The range to overwrite is the image's code section as described
            // by the optional header.
            PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode;
            ULONG SizeOfCode = pinth->OptionalHeader.SizeOfCode;
            // CRC of the section before the copy; compared at the end.
            ULONG crc = RtlComputeCrc32(0, BaseAddress, SizeOfCode);
            // MINSHORT here is the winnt.h value (0x8000), i.e. a 32K-WCHAR
            // path buffer. The null check implies a non-throwing operator new
            // in this codebase - TODO confirm.
            if (PWSTR buf = new WCHAR[MINSHORT])
            {
                // hModule 0 == path of the current process's executable.
                GetModuleFileNameW(0, buf, MINSHORT);
                // Relies on the last-error value being NOERROR after a
                // successful call; truncation would leave an error code set.
                if (NOERROR == GetLastError())
                {
                    PROCESS_INFORMATION pi;
                    STARTUPINFOW si = { sizeof(si) };
                    // Second instance of this executable, created suspended so
                    // its initial thread does not run before it is terminated.
                    if (CreateProcessW(buf, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi))
                    {
                        // The thread handle is not needed; only the process
                        // handle is used below.
                        NtClose(pi.hThread);
                        ULONG op;
                        // Make the local code section writable for the copy.
                        if (VirtualProtect(BaseAddress, SizeOfCode, PAGE_EXECUTE_READWRITE, &op))
                        {
                            // Reads the child's bytes at the SAME address into
                            // the local section: assumes ntdll is mapped at the
                            // same base in both processes. lpNumberOfBytesRead
                            // is 0, so a short read is reported only as FALSE.
                            fOk = ReadProcessMemory(pi.hProcess, BaseAddress, BaseAddress, SizeOfCode, 0);
                            // Restore the previous protection; result unchecked.
                            VirtualProtect(BaseAddress, SizeOfCode, op, &op);
                        }
                        // The helper process has served its purpose.
                        TerminateProcess(pi.hProcess, 0);
                        NtClose(pi.hProcess);
                    }
                }
                delete [] buf;
            }
            if (fOk)
            {
                // The two CRCs differ exactly when the copy changed the section.
                DbgPrint("%08x vs %08x\n", crc, RtlComputeCrc32(0, BaseAddress, SizeOfCode));
            }
        }
    }
    return fOk;
}