This is a PoC for cleaning NTDLL syscall stubs from 3 years ago. The idea was to patch the syscall hooks without opening a handle to ntdll. Project as is, have not tested recently.
Cobalt Strike BOF that finds all the Nt* system call stubs within NTDLL and overwrites the memory with clean stubs (user land hook evasion). This way we can use the NTAPIs from our implant code, and if EDR check the call stack it will have originated from NTDLL. It’s pretty much the same as the original unhook by Raph Mudge, but this way there's no need to map ntdll.dll from disk or open handles to remote processes.
- Uses
HellsGate&HalosGateto call direct syscalls forNtOpenProcess,NtWriteVirtualMemory, andNtProtectVirtualMemory. - Has custom
GetModuleHandle&GetProcAddress(getSymbolAddress) written in C and ASM to evade hooks onkernel32. - If patching table of current process, does not use
NtOpenProcess. Just useshProc = (HANDLE)-1;instead.
beacon> patchwerk 6115
[*] Patchwerk (Bobby Cooke|@0xBoku|github.com/boku7}
[+] host called home, sent 4937
[+] received output:
Patching NTDLL System Call Stubs in Process: 6115 (PID)
...
- Run
patchwerkwithout the PID to patch current process
Running patchwerk 311, where 311 is the PID of a remote process, will patch ntdll of the remote process.
- I put the
01 02 03at the end of the stubs just to show that it works