KnownDllUnhook Save

Replace the .txt section of the current loaded modules from \KnownDlls\ to bypass edrs

Project README

KnownDllUnhook: Replace the .txt section of the current loaded modules from \KnownDlls\ to do api unhooking

How Does it Work:

first, it loops through the loaded dlls
check if the name of the loaded dll is found in \KnownDlls\ dir
if found, the dll will be mapped to the current process
then, some calculations happen ( to get the address of the .txt section of the current dll & it's size )
change the memory permissions on current dll's .txt to 'PAGE_EXECUTE_WRITECOPY'
replace the .txt section from our \KnownDlls\ dll
fix the memory protection back to what it was
unmap the \KnownDlls\ dll since it is no longer needed
continue the loop until all the current dlls are checked
all the intial syscalls ( the ones that do the unhooking ) are from Syscallslib

Demo:

Note that this idea isnt mine, its my implementation only ...

Based On:

https://github.com/rad9800/WTSRM

Open Source Agenda is not affiliated with "KnownDllUnhook" Project. README Source: NUL0x4C/KnownDllUnhook

Stars

281

Open Issues

Last Commit

1 year ago

Repository

NUL0x4C/KnownDllUnhook

License

MIT

Open Source Agenda Badge

<a href="https://www.opensourceagenda.com/projects/knowndllunhook"><img src="https://www.opensourceagenda.com/projects/knowndllunhook/reviews/badge.svg" alt="Open Source Agenda"></a>

Submit Review Review Your Favorite Project

Submit Resource Articles, Courses, Videos

Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022