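/// <summary>
/// Copies the first five bytes of each Nt* export (names starting with "Ntdll" are
/// skipped) from the ntdll.dll file in the system directory over the same offset in
/// the ntdll.dll module loaded in the current process.
/// </summary>
/// <remarks>
/// Any inline patch at those entry points is overwritten, whichever component
/// installed it, including monitoring or security tooling that instruments these stubs.
/// While the copy runs, the module range is ExecuteReadWrite. The previous protection
/// is restored and the mapped file is released even if the copy loop throws, so the
/// process is not left with writable, executable ntdll pages.
/// NOTE(review): only five bytes per export are restored; a patch longer than that
/// would be only partly overwritten. Confirm this matches the stub layout on every
/// supported architecture.
/// </remarks>
public static void Unhook()
{
    ProcessHacker.Native.Image.MappedImage file =
        new ProcessHacker.Native.Image.MappedImage(Environment.SystemDirectory + "\\ntdll.dll");

    try
    {
        IntPtr ntdll = Loader.GetDllHandle("ntdll.dll");

        // NOTE(review): the region length is the mapped file's Size; confirm that it
        // matches the extent of the loaded image before relying on it.
        MemoryProtection oldProtection = ProcessHandle.Current.ProtectMemory(
            ntdll,
            file.Size,
            MemoryProtection.ExecuteReadWrite
            );

        try
        {
            for (int i = 0; i < file.Exports.Count; i++)
            {
                var entry = file.Exports.GetEntry(i);

                // Only Nt* entries are touched; Ntdll* names are excluded.
                if (!entry.Name.StartsWith("Nt", StringComparison.OrdinalIgnoreCase) ||
                    entry.Name.StartsWith("Ntdll", StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }

                unsafe
                {
                    IntPtr function = file.Exports.GetFunction(entry.Ordinal).Function;

                    // Destination = (address in the mapping - mapping base) + loaded module base.
                    Win32.RtlMoveMemory(
                        function.Decrement(new IntPtr(file.Memory)).Increment(ntdll),
                        function,
                        (5).ToIntPtr()
                        );
                }
            }
        }
        finally
        {
            // Always put the original page protection back, including on failure.
            ProcessHandle.Current.ProtectMemory(
                ntdll,
                file.Size,
                oldProtection
                );
        }
    }
    finally
    {
        file.Dispose();
    }
}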
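/// <summary>
/// Copies the first five bytes of each Nt* export (names starting with "Ntdll" are
/// skipped) from the ntdll.dll file in the system directory over the same offset in
/// the ntdll.dll module loaded in the current process.
/// </summary>
/// <remarks>
/// Any inline patch at those entry points is overwritten, whichever component
/// installed it, including monitoring or security tooling that instruments these stubs.
/// While the copy runs, the module range is ExecuteReadWrite. The previous protection
/// is restored and the mapped file is released even if the copy loop throws, so the
/// process is not left with writable, executable ntdll pages.
/// NOTE(review): only five bytes per export are restored; a patch longer than that
/// would be only partly overwritten. Confirm this matches the stub layout on every
/// supported architecture.
/// </remarks>
public static void Unhook()
{
    ProcessHacker.Native.Image.MappedImage file =
        new ProcessHacker.Native.Image.MappedImage(Environment.SystemDirectory + "\\ntdll.dll");

    try
    {
        IntPtr ntdll = Win32.GetModuleHandle("ntdll.dll");

        // NOTE(review): the region length is the mapped file's Size narrowed to int;
        // confirm that it matches the extent of the loaded image.
        MemoryProtection oldProtection = ProcessHandle.GetCurrent().ProtectMemory(
            ntdll,
            (int)file.Size,
            MemoryProtection.ExecuteReadWrite
            );

        try
        {
            for (int i = 0; i < file.Exports.Count; i++)
            {
                var entry = file.Exports.GetEntry(i);

                // Export names are identifiers, so compare ordinally rather than with
                // the current culture's rules. Case sensitivity is unchanged.
                if (!entry.Name.StartsWith("Nt", StringComparison.Ordinal) ||
                    entry.Name.StartsWith("Ntdll", StringComparison.Ordinal))
                {
                    continue;
                }

                unsafe
                {
                    IntPtr function = file.Exports.GetFunction(entry.Ordinal).Function;

                    // Destination = (address in the mapping - mapping base) + loaded module base.
                    Win32.RtlMoveMemory(
                        function.Decrement(new IntPtr(file.Memory)).Increment(ntdll),
                        function,
                        (5).ToIntPtr()
                        );
                }
            }
        }
        finally
        {
            // Always put the original page protection back, including on failure.
            ProcessHandle.GetCurrent().ProtectMemory(
                ntdll,
                (int)file.Size,
                oldProtection
                );
        }
    }
    finally
    {
        file.Dispose();
    }
}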