Created
February 6, 2024 18:58
rbmm created this gist
Feb 6, 2024 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,46 @@ BOOL UnhookNT() { BOOL fOk = FALSE; if (HMODULE hmod = GetModuleHandleW(L"ntdll")) { if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod)) { PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode; ULONG SizeOfCode = pinth->OptionalHeader.SizeOfCode; ULONG crc = RtlComputeCrc32(0, BaseAddress, SizeOfCode); if (PWSTR buf = new WCHAR[MINSHORT]) { GetModuleFileNameW(0, buf, MINSHORT); if (NOERROR == GetLastError()) { PROCESS_INFORMATION pi; STARTUPINFOW si = { sizeof(si) }; if (CreateProcessW(buf, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi)) { NtClose(pi.hThread); ULONG op; if (VirtualProtect(BaseAddress, SizeOfCode, PAGE_EXECUTE_READWRITE, &op)) { fOk = ReadProcessMemory(pi.hProcess, BaseAddress, BaseAddress, SizeOfCode, 0); VirtualProtect(BaseAddress, SizeOfCode, op, &op); } TerminateProcess(pi.hProcess, 0); NtClose(pi.hProcess); } } delete [] buf; } if (fOk) { DbgPrint("%08x vs %08x\n", crc, RtlComputeCrc32(0, BaseAddress, SizeOfCode)); } } } return fOk; }
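Review bot: The `ReadProcessMemory(pi.hProcess, BaseAddress, BaseAddress, SizeOfCode, 0)` call overwrites the live ntdll code section in place with no thread suspension, so any other thread of the current process that is executing ntdll at that moment can observe a partially rewritten multi-byte instruction where a hook's jump is being replaced; this precondition should be stated on the function, e.g. `// Must run while no other thread can execute ntdll (before worker threads exist or with them suspended): the in-place copy is not atomic.` The restoring `VirtualProtect(BaseAddress, SizeOfCode, op, &op)` discards its result, so a failure silently leaves the section PAGE_EXECUTE_READWRITE; folding it into the status, `fOk = ReadProcessMemory(pi.hProcess, BaseAddress, BaseAddress, SizeOfCode, 0) && VirtualProtect(BaseAddress, SizeOfCode, op, &op);`, makes that visible to the caller. The code appears to rely on the suspended child mapping ntdll at the same base and with the same SizeOfCode as the parent, yet neither is checked or documented, and the final `DbgPrint` CRC comparison is diagnostic only — the two CRCs are never compared to decide whether anything was actually restored. A one-line comment recording the same-base assumption, and returning whether the before/after CRCs differ, would make the result actionable rather than a debug print.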