KnownDllUnhook: Replace the .text section of the currently loaded modules with the clean copy from \KnownDlls\ to do API unhooking
How Does it Work:
1. Loop through the DLLs loaded in the current process.
2. Check whether a section object with the same name as the loaded DLL exists in the \KnownDlls\ object directory.
3. If it does, map that section into the current process; it is a pristine copy of the image that no user-mode hook has touched.
4. Parse the PE headers to get the address of the .text section of the current DLL and its size.
5. Change the memory protection of the current DLL's .text to PAGE_EXECUTE_WRITECOPY.
6. Overwrite the .text section with the bytes from the \KnownDlls\ mapping, which removes any inline hooks placed there.
7. Restore the memory protection to what it was.
8. Unmap the \KnownDlls\ view, since it is no longer needed.
9. Continue the loop until all the current DLLs have been checked.
All the initial syscalls (the ones that do the unhooking) come from Syscallslib.
Demo:
Note that this idea isn't mine; it's my implementation only.
Based On:
https://github.com/rad9800/WTSRM
Repository: NUL0x4C/KnownDllUnhook
License: MIT
Stars: 281
Open Issues: 0
Last Commit: 1 year ago
Tags: Bypass, Edr