Beacon Object File and Shellcode for full DLL unhooking.
- Get handle to hooked DLL
- Get dynamic Syscalls for `NtOpenSection` and `NtMapViewOfSection`
- Load unhooked DLL from `/KnownDlls/`
- Patch hooked functions
- Unload unhooked DLL
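Seen from the defending side, the "Patch hooked functions" step is detectable when the sensor that placed the hooks re-checks them. The following is an added example, not code from this project: a portable C integrity check over a constructed byte buffer, where `hook_record`, `find_removed_hooks`, the offsets and the sample bytes are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_LEN 5 /* E9 rel32 jump written by the (hypothetical) sensor */

typedef struct {
    const char *name;           /* hooked export */
    size_t      offset;         /* offset of the export inside the image */
    uint8_t     hook[HOOK_LEN]; /* bytes the sensor wrote at install time */
} hook_record;

/* Compare each recorded hook with the current image bytes. Indices of records
 * whose hook is gone go into removed[] (up to cap); the total is returned.
 * Out-of-range records count as missing: the sensor cannot vouch for them. */
size_t find_removed_hooks(const uint8_t *image, size_t image_len,
                          const hook_record *recs, size_t n,
                          size_t *removed, size_t cap)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++) {
        int ok = recs[i].offset <= image_len &&
                 image_len - recs[i].offset >= HOOK_LEN &&
                 memcmp(image + recs[i].offset, recs[i].hook, HOOK_LEN) == 0;
        if (!ok) {
            if (missing < cap) removed[missing] = i;
            missing++;
        }
    }
    return missing;
}

/* Constructed sample: a 32-byte stand-in for a module's .text section. */
static const hook_record SAMPLE_HOOKS[] = {
    { "NtOpenSection",       0, { 0xE9, 0x10, 0x20, 0x30, 0x00 } },
    { "NtMapViewOfSection", 16, { 0xE9, 0x40, 0x50, 0x60, 0x00 } },
};
static const uint8_t SAMPLE_IMAGE[32] = {
    /* offset 0: sensor jump still in place */
    0xE9, 0x10, 0x20, 0x30, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    /* offset 16: jump replaced by a stub prologue (mov r10,rcx; mov eax,imm32) */
    0x4C, 0x8B, 0xD1, 0xB8, 0x28, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0,
};

int main(void) {
    size_t removed[2];
    size_t n = find_removed_hooks(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, SAMPLE_HOOKS, 2, removed, 2);
    for (size_t i = 0; i < n && i < 2; i++) printf("hook removed: %s\n", SAMPLE_HOOKS[removed[i]].name);
    return n ? 1 : 0;
}
```

A real sensor would run this comparison against the live module from a context the patched process cannot tamper with and raise an alert on any non-zero result.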
Unhook `ntdll.dll` with shellcode. Only x64 is supported at the moment!

Convert the PIC exe to shellcode format with:

```
for i in $(objdump -d compiled/unhook-pic.exe |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
```

Unhook all hooked functions for a specified DLL
- Heavily inspired by Conti Locker
- `addresshunter.h` from @ParanoidNinja
- @peterwintrsmith for Parallelsyscalls