@rbmm
Created February 6, 2024 18:58
// Overwrites the in-memory code range of this process's ntdll (the
// BaseOfCode/SizeOfCode span from its NT optional header) with the bytes of the
// same range read out of a freshly created, suspended copy of the current
// executable. The child is created with CREATE_SUSPENDED, never resumed, and
// terminated once the copy is done. Returns TRUE only when the cross-process
// ReadProcessMemory succeeded; every other failure path returns FALSE silently.
//
// Relies on ntdll being mapped at the same virtual address in the child as in
// the parent: the same pointer (BaseAddress) is passed as both the remote source
// and the local destination.
//
// Defender's note: the observable sequence is (1) CreateProcess of the caller's
// own image with CREATE_SUSPENDED, (2) VirtualProtect of ntdll's code range to
// PAGE_EXECUTE_READWRITE, (3) ReadProcessMemory from the child into that range,
// (4) TerminateProcess of the never-resumed child. Each step is individually
// ordinary; the combination applied to an ntdll code range is what a detection
// rule would key on.
BOOL UnhookNT()
{
BOOL fOk = FALSE;
// Resolve the already-loaded ntdll; its NT headers supply the code range.
if (HMODULE hmod = GetModuleHandleW(L"ntdll"))
{
if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod))
{
PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode;
ULONG SizeOfCode = pinth->OptionalHeader.SizeOfCode;
// CRC of the code range before the copy; only used for the diagnostic
// DbgPrint at the end, never for a decision.
ULONG crc = RtlComputeCrc32(0, BaseAddress, SizeOfCode);
// MINSHORT is 0x8000 in winnt.h, so this is a 32768-WCHAR path buffer.
// NOTE(review): the null check only matters if this project's operator new
// returns nullptr on failure instead of throwing — confirm for this build.
if (PWSTR buf = new WCHAR[MINSHORT])
{
// Full path of the current executable (hModule == 0).
GetModuleFileNameW(0, buf, MINSHORT);
// Success is judged by the thread's last-error value being NOERROR after the
// call, not by the returned length; the last-error value is not cleared
// beforehand.
if (NOERROR == GetLastError())
{
PROCESS_INFORMATION pi;
STARTUPINFOW si = { sizeof(si) };
// Spawn a second instance of this executable with its initial thread
// suspended, so no user-mode code in the child has run.
if (CreateProcessW(buf, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi))
{
// The thread handle is never used; only the process handle is needed for the read.
NtClose(pi.hThread);
ULONG op;
// Make this process's ntdll code range writable (RWX) so it can be
// overwritten in place; 'op' receives the previous protection.
if (VirtualProtect(BaseAddress, SizeOfCode, PAGE_EXECUTE_READWRITE, &op))
{
// Same address as remote source and local destination (see header note).
fOk = ReadProcessMemory(pi.hProcess, BaseAddress, BaseAddress, SizeOfCode, 0);
// Restore the previous protection; the result of this call is not checked.
VirtualProtect(BaseAddress, SizeOfCode, op, &op);
}
// The child is never resumed — presumably it exists only as a source of
// not-yet-modified ntdll bytes, as the function name suggests.
TerminateProcess(pi.hProcess, 0);
NtClose(pi.hProcess);
}
}
delete [] buf;
}
if (fOk)
{
// Diagnostic only: CRC before vs. after the copy; a differing pair shows the
// code range actually changed.
DbgPrint("%08x vs %08x\n", crc, RtlComputeCrc32(0, BaseAddress, SizeOfCode));
}
}
}
return fOk;
}