Forked from rbmm/gist:0a9b675e675175b739a3b45bc9817e71
Created
February 7, 2024 00:24
rbmm created this gist
Feb 6, 2024 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,46 @@ BOOL UnhookNT() { BOOL fOk = FALSE; if (HMODULE hmod = GetModuleHandleW(L"ntdll")) { if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod)) { PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode; ULONG SizeOfCode = pinth->OptionalHeader.SizeOfCode; ULONG crc = RtlComputeCrc32(0, BaseAddress, SizeOfCode); if (PWSTR buf = new WCHAR[MINSHORT]) { GetModuleFileNameW(0, buf, MINSHORT); if (NOERROR == GetLastError()) { PROCESS_INFORMATION pi; STARTUPINFOW si = { sizeof(si) }; if (CreateProcessW(buf, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi)) { NtClose(pi.hThread); ULONG op; if (VirtualProtect(BaseAddress, SizeOfCode, PAGE_EXECUTE_READWRITE, &op)) { fOk = ReadProcessMemory(pi.hProcess, BaseAddress, BaseAddress, SizeOfCode, 0); VirtualProtect(BaseAddress, SizeOfCode, op, &op); } TerminateProcess(pi.hProcess, 0); NtClose(pi.hProcess); } } delete [] buf; } if (fOk) { DbgPrint("%08x vs %08x\n", crc, RtlComputeCrc32(0, BaseAddress, SizeOfCode)); } } } return fOk; }
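Review bot: The success test after GetModuleFileNameW relies on GetLastError() reading NOERROR, but that API reports failure through its return value (0, or nSize with ERROR_INSUFFICIENT_BUFFER when the path was truncated), so a stale error code from an earlier call skips the whole sequence and a stale NOERROR after truncation hands a cut-off path to CreateProcessW; test the return value instead, `DWORD len = GetModuleFileNameW(0, buf, MINSHORT); if (len && len < MINSHORT)`. The null test in `if (PWSTR buf = new WCHAR[MINSHORT])` is dead unless the allocation is `new (std::nothrow) WCHAR[MINSHORT]`, so an allocation failure escapes as std::bad_alloc from a function whose contract is a BOOL. The two CRC32 values in the DbgPrint are only printed, never compared, so fOk means ReadProcessMemory reported success rather than that the local code range actually differed from the child's copy, and the return value of the restoring VirtualProtect is ignored as well. UnhookNT has no header comment; it should state that it overwrites the live ntdll code range in place from a suspended copy of the current executable, that this is observable to endpoint telemetry as a PAGE_EXECUTE_READWRITE change on ntdll's code pages plus a cross-process read landing in the caller's own image, and that RtlImageNtHeader, RtlComputeCrc32, NtClose and DbgPrint need ntdll's export library at link time. As a point of style, MINSHORT reads as a negative limit even though it expands to 0x8000, so a named buffer-length constant would make the intent of the allocation and the GetModuleFileNameW size argument clearer.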