A library and binary for testing unhooking ntdll by identifying hooks via in-memory disassembly

Overview

Summary

A library and binary (both built via cargo build) for testing unhooking ntdll by identifying hooks via in-memory disassembly.

unhook_exports walks the export table of ntdll and unhooks each exported function by disassembling it in memory and patching a jmp to the correct (EDR-relocated) function.

unhook_iat only works for IAT functions (it won't unhook functions discovered at runtime, e.g. via GetProcAddress). Note that this doesn't mean we are limited to fixing patched/modified IAT entries: most tested EDRs/AVs don't patch the IAT directly but rather the actual start of the function in ntdll itself that the IAT points to. We change the IAT pointer to point to the proper (relocated by the AV/EDR) syscall stub.

Tested against Sophos free AV.

This is only a sample of unhooking using a technique other than loading a second copy of ntdll or using direct/inline syscalls.

This repository consists of the following:

  • src\bin.rs
    • Test code that's expected to be run with a debugger attached (it contains int3 instructions to be caught by the debugger). The point is to run it, step through the first NtWriteVirtualMemory call, which should be hooked, then step through the second NtWriteVirtualMemory call, which should be unhooked
  • src\lib.rs
    • Exposes the functions unhook_iat and unhook_exports
  • src\pe_helper.rs
    • Various helper functions for parsing in-memory PE32+ files
  • src\pe_defs.rs
    • Additional types for PE32+ file parsing
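As an added illustration (not code from this repository) of what a helper like src\pe_helper.rs has to do, the following walks the export directory of an in-memory PE32+ image and resolves each named export to its RVA. The header offsets are the standard PE32+ ones; the image bytes are constructed in sample_image for demonstration and are not taken from ntdll.

```rust
// Added example: walk the export directory of a mapped PE32+ image. In a mapped image every
// RVA is an offset from the image base, so no section-table translation is needed.
fn u16_at(img: &[u8], off: usize) -> Option<u16> { Some(u16::from_le_bytes([*img.get(off)?, *img.get(off + 1)?])) }
fn u32_at(img: &[u8], off: usize) -> Option<u32> {
    let b = img.get(off..off + 4)?;
    Some(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}
/// Returns (name, function RVA) for each named export; None if the headers are malformed.
pub fn named_exports(img: &[u8]) -> Option<Vec<(String, u32)>> {
    if img.get(..2)? != &b"MZ"[..] { return None; }
    let pe = u32_at(img, 0x3c)? as usize;            // e_lfanew -> "PE\0\0"
    if img.get(pe..pe + 4)? != &b"PE\0\0"[..] { return None; }
    let opt = pe + 24;                               // optional header follows the 20-byte COFF header
    if u16_at(img, opt)? != 0x20b { return None; }   // PE32+ magic only
    let exp = match u32_at(img, opt + 112)? as usize { 0 => return None, e => e }; // DataDirectory[0]
    let n_names = u32_at(img, exp + 24)? as usize;   // NumberOfNames
    let funcs = u32_at(img, exp + 28)? as usize;     // AddressOfFunctions
    let names = u32_at(img, exp + 32)? as usize;     // AddressOfNames
    let ords = u32_at(img, exp + 36)? as usize;      // AddressOfNameOrdinals
    let mut out = Vec::with_capacity(n_names);
    for i in 0..n_names {
        let name_rva = u32_at(img, names + 4 * i)? as usize;
        let len = img.get(name_rva..)?.iter().position(|&b| b == 0)?;
        let name = String::from_utf8_lossy(&img[name_rva..name_rva + len]).into_owned();
        let ord = u16_at(img, ords + 2 * i)? as usize; // index into AddressOfFunctions
        out.push((name, u32_at(img, funcs + 4 * ord)?));
    }
    Some(out)
}
/// Constructed sample image (not a real DLL): a PE32+ header skeleton with two named exports.
pub fn sample_image() -> Vec<u8> {
    let mut img = vec![0u8; 0x300];
    let put = |img: &mut Vec<u8>, off: usize, v: &[u8]| img[off..off + v.len()].copy_from_slice(v);
    put(&mut img, 0, b"MZ"); put(&mut img, 0x80, b"PE\0\0");   // DOS and PE signatures
    put(&mut img, 0x3c, &0x80u32.to_le_bytes());                // e_lfanew
    put(&mut img, 0x80 + 24, &0x20bu16.to_le_bytes());          // PE32+ magic
    put(&mut img, 0x80 + 24 + 112, &0x200u32.to_le_bytes());    // export directory at RVA 0x200
    for (off, v) in [(20usize, 2u32), (24, 2), (28, 0x240), (32, 0x250), (36, 0x260)] {
        put(&mut img, 0x200 + off, &v.to_le_bytes());            // counts and the three table RVAs
    }
    let exports = [(0x1000u32, 0x270usize, &b"NtWriteVirtualMemory"[..]), (0x1020, 0x290, &b"NtClose"[..])];
    for (i, (rva, name_at, name)) in exports.iter().enumerate() {
        put(&mut img, 0x240 + 4 * i, &rva.to_le_bytes());
        put(&mut img, 0x250 + 4 * i, &(*name_at as u32).to_le_bytes());
        put(&mut img, 0x260 + 2 * i, &(i as u16).to_le_bytes());
        put(&mut img, *name_at, name);
    }
    img
}
```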

Hooked vs Unhooked Comparison

Hooked: [image: hooked_iat]

Unhooked: [image: unhooked_iat]

Owner: Signal Labs