예제 #1
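        /// <summary>
        /// Copies the first few bytes of every Nt* export from a freshly mapped
        /// on-disk copy of ntdll.dll over the corresponding export in the ntdll.dll
        /// loaded into the current process, restoring the original prologues.
        /// </summary>
        /// <remarks>
        /// The loaded module is made ExecuteReadWrite for the duration of the copy.
        /// The previous protection is restored in a <c>finally</c> block and the
        /// mapped file is disposed by <c>using</c>, so a failure part-way through
        /// (a throwing export lookup, a failed copy) cannot leave ntdll.dll
        /// writable-and-executable or leak the mapping.
        /// </remarks>
        public static void Unhook()
        {
            // Number of bytes restored at the start of each export. Presumably sized
            // to the jump a prologue hook writes — confirm before changing.
            const int prefixLength = 5;

            using (ProcessHacker.Native.Image.MappedImage file =
                new ProcessHacker.Native.Image.MappedImage(Environment.SystemDirectory + "\\ntdll.dll"))
            {
                IntPtr ntdll = Loader.GetDllHandle("ntdll.dll");

                // ntdll's code pages must be writable for the copy. Whatever protection
                // was in place before is put back in the finally block below, no matter
                // how the loop ends. The region length is taken from the file size;
                // whether that equals the loaded image size is not established here.
                MemoryProtection oldProtection = ProcessHandle.Current.ProtectMemory(
                    ntdll,
                    file.Size,
                    MemoryProtection.ExecuteReadWrite
                    );

                try
                {
                    for (int i = 0; i < file.Exports.Count; i++)
                    {
                        var entry = file.Exports.GetEntry(i);

                        // Only exports named Nt* are touched; those named Ntdll* share the
                        // prefix but are deliberately skipped.
                        if (!entry.Name.StartsWith("Nt", StringComparison.OrdinalIgnoreCase) ||
                            entry.Name.StartsWith("Ntdll", StringComparison.OrdinalIgnoreCase))
                            continue;

                        unsafe
                        {
                            IntPtr function = file.Exports.GetFunction(entry.Ordinal).Function;

                            // Translate the export's address inside the file mapping to the
                            // same offset inside the loaded module, then copy the pristine
                            // prefix over it. This assumes the mapping preserves the image's
                            // RVA layout — TODO confirm against MappedImage.
                            Win32.RtlMoveMemory(
                                function.Decrement(new IntPtr(file.Memory)).Increment(ntdll),
                                function,
                                prefixLength.ToIntPtr()
                                );
                        }
                    }
                }
                finally
                {
                    // Always drop the temporary ExecuteReadWrite protection, even when
                    // the copy above threw.
                    ProcessHandle.Current.ProtectMemory(
                        ntdll,
                        file.Size,
                        oldProtection
                        );
                }
            }
        }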
예제 #2
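        /// <summary>
        /// Copies the first few bytes of every Nt* export from a freshly mapped
        /// on-disk copy of ntdll.dll over the corresponding export in the ntdll.dll
        /// loaded into the current process, restoring the original prologues.
        /// </summary>
        /// <remarks>
        /// The loaded module is made ExecuteReadWrite for the duration of the copy.
        /// The previous protection is restored in a <c>finally</c> block and the
        /// mapped file is disposed by <c>using</c>, so a failure part-way through
        /// (a throwing export lookup, a failed copy) cannot leave ntdll.dll
        /// writable-and-executable or leak the mapping. The unused 5-byte scratch
        /// array the loop used to allocate per export has been removed.
        /// </remarks>
        public static void Unhook()
        {
            // Number of bytes restored at the start of each export. Presumably sized
            // to the jump a prologue hook writes — confirm before changing.
            const int prefixLength = 5;

            using (ProcessHacker.Native.Image.MappedImage file =
                new ProcessHacker.Native.Image.MappedImage(Environment.SystemDirectory + "\\ntdll.dll"))
            {
                IntPtr ntdll = Win32.GetModuleHandle("ntdll.dll");

                // ntdll's code pages must be writable for the copy. Whatever protection
                // was in place before is put back in the finally block below, no matter
                // how the loop ends. The region length is taken from the file size;
                // whether that equals the loaded image size is not established here.
                MemoryProtection oldProtection = ProcessHandle.GetCurrent().ProtectMemory(
                    ntdll,
                    (int)file.Size,
                    MemoryProtection.ExecuteReadWrite
                    );

                try
                {
                    for (int i = 0; i < file.Exports.Count; i++)
                    {
                        var entry = file.Exports.GetEntry(i);

                        // Export names are ASCII identifiers, so compare ordinally rather
                        // than with the current culture. Only exports named Nt* are
                        // touched; those named Ntdll* share the prefix but are skipped.
                        if (!entry.Name.StartsWith("Nt", StringComparison.Ordinal) ||
                            entry.Name.StartsWith("Ntdll", StringComparison.Ordinal))
                            continue;

                        unsafe
                        {
                            IntPtr function = file.Exports.GetFunction(entry.Ordinal).Function;

                            // Translate the export's address inside the file mapping to the
                            // same offset inside the loaded module, then copy the pristine
                            // prefix over it. This assumes the mapping preserves the image's
                            // RVA layout — TODO confirm against MappedImage.
                            Win32.RtlMoveMemory(
                                function.Decrement(new IntPtr(file.Memory)).Increment(ntdll),
                                function,
                                prefixLength.ToIntPtr()
                                );
                        }
                    }
                }
                finally
                {
                    // Always drop the temporary ExecuteReadWrite protection, even when
                    // the copy above threw.
                    ProcessHandle.GetCurrent().ProtectMemory(
                        ntdll,
                        (int)file.Size,
                        oldProtection
                        );
                }
            }
        }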