gistfile1.txt

BOOL UnhookNT()
{
	BOOL fOk = FALSE;

	if (HMODULE hmod = GetModuleHandleW(L"ntdll"))
	{
		if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod))
		{

			PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode;
			ULONG SizeOfCode = pinth->OptionalHeader.SizeOfCode;

			ULONG crc = RtlComputeCrc32(0, BaseAddress, SizeOfCode);

			if (PWSTR buf = new WCHAR[MINSHORT])
			{
				GetModuleFileNameW(0, buf, MINSHORT);
				if (NOERROR == GetLastError())
				{
					PROCESS_INFORMATION pi;
					STARTUPINFOW si = { sizeof(si) };
					if (CreateProcessW(buf, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi))
					{
						NtClose(pi.hThread);
						ULONG op;
						if (VirtualProtect(BaseAddress, SizeOfCode, PAGE_EXECUTE_READWRITE, &op))
						{
							fOk = ReadProcessMemory(pi.hProcess, BaseAddress, BaseAddress, SizeOfCode, 0);
							VirtualProtect(BaseAddress, SizeOfCode, op, &op);
						}
						TerminateProcess(pi.hProcess, 0);
						NtClose(pi.hProcess);
					}
				}
				delete [] buf;
			}

			if (fOk)
			{
				DbgPrint("%08x vs %08x\n", crc, RtlComputeCrc32(0, BaseAddress, SizeOfCode));
			}
		}
	}

	return fOk;
}