FullDLLUnhooking CSharp Save

Unhook DLL via cleaning the DLL 's .text section

Project README

FullDLLUnhooking_CSharp

Blog link: Not gonna update

  • A project fully unhook a DLL via file mapping to bypass EDR's inline hook.

  • Base on my other projects down below:

    1. MappingInjection
    2. HookDetection
    3. NewNtdllBypassInlineHook

  • Just load a fresh copy of a DLL on disk, and copy the DLL's .text section to unhook.

  • Steps

    1. Load a fresh new copy of ntdll.dll via file mapping.
    2. Get current process's hooked DLL address. (HookNtdll_address in Program.cs)
    3. Load the copy into memory and get a "BaseAddress".(FleshNtdll_address in Program.cs)
    4. Use the "BaseAddress" to find IMAGE_FILE_HEADER's address.
    5. Iterate all section via "IMAGE_FILE_HEADER_instance.NumberOfSections"
    6. If a section contains ".text", replace the whole section from the clean copy base on the section's RVA. :) not my pic~ avatar

  • Tested on Win10/x64 works fine, to works on x86 you may need some modification about finding the IMAGE_SECTION_HEADER address.

  • After unhooking you could do other stuff. enjoy~ :)

Usage

  1. Just launch through a white-list application
  • You could see the APIs have been unhooked
  • Although highly effective at detecting functions hooked with inline patching, this method returns a few false positives when enumerating hooked functions inside ntdll.dll, such as: False Positives 
	NtGetTickCount
	NtQuerySystemTime
	NtdllDefWindowProc_A
	NtdllDefWindowProc_W
	NtdllDialogWndProc_A
	NtdllDialogWndProc_W
	ZwQuerySystemTime

The above functions are not hooked.

TO-DO list

  • To works on x86
  • Maybe even unhook other DLL in userland.

Update history

  • NONE
1. https://blog.csdn.net/qq_42253797/article/details/105090943
2. https://blog.csdn.net/jiangqin115/article/details/79757041
3. https://blog.csdn.net/huninglei3333/article/details/78725725
4. https://idiotc4t.com/defense-evasion/reload-ntdll-.text-section
5. https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
6. https://makosecblog.com/malware-dev/dll-unhooking-csharp/
7. http://pinvoke.net/default.aspx/Structures.IMAGE_DOS_HEADER
8. https://github.com/MakoSec
9. https://github.com/TheWover/DInvoke
10. https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmoduleinformation
11. https://blog.csdn.net/qingzai_/article/details/76919402
12. https://blog.csdn.net/tianxiayijia1998/article/details/50119435
13. https://stackoverflow.com/questions/2658380/how-can-i-copy-unmanaged-data-in-c-sharp-and-how-fast-is-it/43589444
Open Source Agenda is not affiliated with "FullDLLUnhooking CSharp" Project. README Source: Kara-4search/FullDLLUnhooking_CSharp
Stars
7
Open Issues
0
Last Commit
2 years ago
Repository
Kara-4search/FullDLLUnhooking_CSharp
Tags
Apiunhook Bypass Bypass Bypass Antivirus Bypass Av Bypassedr Charp Csharp Edr Edr Evasion Ntdll Redteam Unhooking

Open Source Agenda Badge

Open Source Agenda Rating
Submit Review Review Your Favorite Project
Submit Resource Articles, Courses, Videos
Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?