Usermode API hook removal

王朝c#·作者佚名  2006-12-16

By: akcom

/* makeptr: plain pointer addition with a cast. Each argument is evaluated once.
   All arithmetic is done in ULONG (32 bits on Windows), so this whole listing
   is only correct in a 32-bit process: on x64 the casts truncate pointers. */
#define makeptr( Base, Increment, Typecast ) ((Typecast)( (ULONG)(Base) + (ULONG)(Increment) ))

/* incptr: like makeptr, but Increment is an RVA and Base is the start of an
   un-mapped file image; RVAToVA() converts the RVA into the matching file
   offset first (see its definition below). */
#define incptr( Base, Increment, Typecast ) ((Typecast)RVAToVA( (ULONG)(Base), (ULONG)(Increment) ))

/* Forward declaration: incptr() above expands to a call to this. */
ULONG RVAToVA( ULONG Base, ULONG Increment );

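/* TRUE when the Len bytes starting at P lie inside the Size-byte buffer at
   Base. Uses the same 32-bit ULONG arithmetic as makeptr()/incptr(). */
static BOOL InImage( const BYTE *Base, ULONG Size, const void *P, ULONG Len )
{
    ULONG Off = (ULONG)P - (ULONG)Base;
    return ( Off <= Size && Len <= Size - Off ) ? TRUE : FALSE;
}

/* Reads the module's file from disk into a new[]'d buffer.
   Returns NULL on any failure (path lookup, open, size, short read); on
   success *Size receives the byte count and the caller owns the buffer and
   must release it with delete[]. */
static BYTE *ReadModuleImage( HMODULE Module, ULONG *Size )
{
    char MFileName[MAX_PATH];
    if ( GetModuleFileName( Module, MFileName, sizeof(MFileName) ) == 0 ) {
        return NULL;
    }

    HANDLE hFile = CreateFile( MFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL );
    if ( hFile == INVALID_HANDLE_VALUE ) {
        return NULL;
    }

    BYTE *Image = NULL;
    ULONG FileSize = GetFileSize( hFile, NULL );
    ULONG BytesRead = 0;
    /* Anything smaller than a DOS header cannot be a PE image. */
    if ( FileSize != INVALID_FILE_SIZE && FileSize >= sizeof(IMAGE_DOS_HEADER) ) {
        Image = new BYTE[FileSize];
        if ( !ReadFile( hFile, Image, FileSize, &BytesRead, NULL ) || BytesRead != FileSize ) {
            delete [] Image;
            Image = NULL;
        }
    }
    CloseHandle( hFile );

    if ( Image != NULL ) {
        *Size = FileSize;
    }
    return Image;
}

/* Looks Function up by name in the export directory of the un-mapped file
   image at Base (Size bytes).
   On success returns TRUE, *Index is the slot in the export address table
   (taken from AddressOfNameOrdinals, which is how names map to slots) and
   *Rva is the function's RVA as stored on disk.
   Returns FALSE when the image is malformed, the name is absent, or the
   export is a forwarder (its RVA points into the export directory itself,
   so there is no code in this module to restore). */
static BOOL FindExport( BYTE *Base, ULONG Size, LPSTR Function, ULONG *Index, ULONG *Rva )
{
    PIMAGE_DOS_HEADER Dos = (PIMAGE_DOS_HEADER)Base;
    if ( Dos->e_magic != IMAGE_DOS_SIGNATURE ) {
        return FALSE;
    }
    ULONG NtOffset = (ULONG)Dos->e_lfanew;
    if ( NtOffset > Size || Size - NtOffset < sizeof(IMAGE_NT_HEADERS) ) {
        return FALSE;
    }
    PIMAGE_NT_HEADERS Nt = makeptr( Base, NtOffset, PIMAGE_NT_HEADERS );
    if ( Nt->Signature != IMAGE_NT_SIGNATURE ) {
        return FALSE;
    }

    IMAGE_DATA_DIRECTORY Dir = Nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if ( Dir.VirtualAddress == 0 ) {
        return FALSE;
    }
    PIMAGE_EXPORT_DIRECTORY Exports = incptr( Base, Dir.VirtualAddress, PIMAGE_EXPORT_DIRECTORY );
    if ( !InImage( Base, Size, Exports, sizeof(*Exports) ) ) {
        return FALSE;
    }

    /* The three export tables are parallel arrays of RVAs/ordinals; validate
       their extents once so the loop below can index them freely. */
    ULONG  *Names     = incptr( Base, Exports->AddressOfNames,        ULONG * );
    USHORT *Ordinals  = incptr( Base, Exports->AddressOfNameOrdinals, USHORT * );
    ULONG  *Functions = incptr( Base, Exports->AddressOfFunctions,    ULONG * );
    if ( !InImage( Base, Size, Names,     Exports->NumberOfNames     * sizeof(*Names) ) ||
         !InImage( Base, Size, Ordinals,  Exports->NumberOfNames     * sizeof(*Ordinals) ) ||
         !InImage( Base, Size, Functions, Exports->NumberOfFunctions * sizeof(*Functions) ) ) {
        return FALSE;
    }

    for ( ULONG i = 0; i < Exports->NumberOfNames; i++ ) {
        const char *Name = incptr( Base, Names[i], const char * );
        if ( !InImage( Base, Size, Name, 1 ) ) {
            continue;
        }
        /* Require a terminator inside the buffer before handing the string
           to _stricmp, which reads until NUL. */
        ULONG Remaining = Size - ( (ULONG)Name - (ULONG)Base );
        if ( memchr( Name, 0, Remaining ) == NULL ) {
            continue;
        }
        if ( _stricmp( Name, Function ) != 0 ) {
            continue;
        }

        ULONG Slot = Ordinals[i];
        if ( Slot >= Exports->NumberOfFunctions ) {
            return FALSE;
        }
        ULONG R = Functions[Slot];
        /* Forwarded export: the RVA lands inside the export directory. */
        if ( R >= Dir.VirtualAddress && R < Dir.VirtualAddress + Dir.Size ) {
            return FALSE;
        }
        *Index = Slot;
        *Rva = R;
        return TRUE;
    }
    return FALSE;
}

/* Writes Rva into slot Index of Module's in-memory export address table.
   The table normally sits in a read-only section, so the slot's page is made
   writable around the store and its previous protection restored afterwards.
   Returns FALSE if the protection change fails (nothing is written then). */
static BOOL RepairExportEntry( HMODULE Module, ULONG Index, ULONG Rva )
{
    PIMAGE_NT_HEADERS Nt = makeptr( Module, ((PIMAGE_DOS_HEADER)Module)->e_lfanew, PIMAGE_NT_HEADERS );
    ULONG ExportRva = Nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    PIMAGE_EXPORT_DIRECTORY Exports = makeptr( Module, ExportRva, PIMAGE_EXPORT_DIRECTORY );
    PULONG Table = makeptr( Module, Exports->AddressOfFunctions, PULONG );
    PULONG Slot = &Table[Index];

    ULONG OldProtection = 0;
    if ( !VirtualProtect( Slot, sizeof(*Slot), PAGE_READWRITE, &OldProtection ) ) {
        return FALSE;
    }
    *Slot = Rva;
    ULONG Dummy = 0;
    /* lpflOldProtect must be a valid pointer or VirtualProtect fails. */
    VirtualProtect( Slot, sizeof(*Slot), OldProtection, &Dummy );
    return TRUE;
}

/* Copies the leading run of bytes that differ between the live function at
   Target and its on-disk image at Original, stopping at the first byte that
   already matches (the original author's comparison loop).
   Limit is the number of bytes readable from Original; the write is further
   clipped to the region VirtualQuery reports for Target, so neither side is
   read or written past its buffer. */
static void RestorePrologue( PBYTE Target, const BYTE *Original, ULONG Limit )
{
    MEMORY_BASIC_INFORMATION Info;
    if ( VirtualQuery( Target, &Info, sizeof(Info) ) == 0 ) {
        return;
    }
    ULONG Avail = (ULONG)( (PBYTE)Info.BaseAddress + Info.RegionSize - Target );
    if ( Avail < Limit ) {
        Limit = Avail;
    }
    if ( Limit == 0 ) {
        return;
    }

    // protection against extended code overwriting
    ULONG OldProtection = 0;
    if ( !VirtualProtect( Target, Limit, PAGE_EXECUTE_READWRITE, &OldProtection ) ) {
        return;
    }
    ULONG i = 0;
    while ( i < Limit && Target[i] != Original[i] ) {
        Target[i] = Original[i];
        i++;
    }
    ULONG Dummy = 0;
    /* lpflOldProtect must be a valid pointer or VirtualProtect fails. */
    VirtualProtect( Target, Limit, OldProtection, &Dummy );
    if ( i > 0 ) {
        FlushInstructionCache( GetCurrentProcess(), Target, i );
    }
}

/*
 * Unhook - restore an exported function of Module to its on-disk state.
 *
 * Module   : load address of the module that exports the function.
 * Function : exported name to restore (matched case-insensitively, as before).
 *
 * Two kinds of modification are undone, in this order:
 *  1. an export-table redirection: if GetProcAddress() no longer returns
 *     Module + (RVA stored on disk), the in-memory export address table slot
 *     is rewritten with the on-disk RVA;
 *  2. an inline patch: the leading bytes of the real function (Module + RVA,
 *     not whatever GetProcAddress returned) that differ from the file image
 *     are copied back.
 *
 * Returns nothing. On any failure - file unreadable, malformed image, name
 * not exported, forwarded export, page protection cannot be changed - memory
 * is left as it was.
 *
 * Limitations (unchanged from the original design):
 *  - ULONG pointer arithmetic: 32-bit processes only.
 *  - Step 2 stops at the first byte that already matches, so a patch that
 *    happens to contain a byte equal to the original is only partly undone.
 *  - Base relocations are not applied: if the module is not at its preferred
 *    base, prologue bytes holding absolute addresses differ from the file
 *    legitimately and would be "restored" to their unrelocated value.
 */
void Unhook( HMODULE Module, LPSTR Function )
{
    if ( Module == NULL || Function == NULL ) {
        return;
    }
    PBYTE FuncHooked = (PBYTE)GetProcAddress( Module, Function );
    if ( FuncHooked == NULL ) {
        return;
    }

    ULONG ImageSize = 0;
    BYTE *Base = ReadModuleImage( Module, &ImageSize );
    if ( Base == NULL ) {
        return;
    }

    ULONG Index = 0;
    ULONG RVA = 0;
    if ( FindExport( Base, ImageSize, Function, &Index, &RVA ) ) {
        //protection against export table patching
        ULONG VA = (ULONG)FuncHooked - (ULONG)Module;
        BOOL TableOk = TRUE;
        if ( VA != RVA ) {
            TableOk = RepairExportEntry( Module, Index, RVA );
        }

        /* Compare against the function the export really names, not the
           address a redirected table handed back. */
        PBYTE Target = makeptr( Module, RVA, PBYTE );
        const BYTE *FuncOriginal = incptr( Base, RVA, const BYTE * );
        if ( TableOk && InImage( Base, ImageSize, FuncOriginal, 1 ) ) {
            ULONG Limit = ImageSize - ( (ULONG)FuncOriginal - (ULONG)Base );
            RestorePrologue( Target, FuncOriginal, Limit );
        }
    }

    delete [] Base;
}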

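/*
 * RVAToVA - translate a relative virtual address into a pointer inside an
 * un-mapped (raw file) PE image.
 *
 * Base      : address of the file image buffer (its DOS header).
 * Increment : the RVA to translate.
 *
 * Returns Base + file offset of the RVA when it falls inside the raw data of
 * some section; otherwise Base + Increment, which is right for the headers
 * (file offset equals RVA there) and is the fallback callers have always had.
 *
 * No header validation is done here: callers are expected to have checked
 * the DOS/NT signatures on the image first. ULONG arithmetic: 32-bit only.
 */
ULONG RVAToVA( ULONG Base, ULONG Increment )
{
    PIMAGE_NT_HEADERS Nt = makeptr( Base, ((PIMAGE_DOS_HEADER)Base)->e_lfanew, PIMAGE_NT_HEADERS );
    USHORT SCount = Nt->FileHeader.NumberOfSections;
    /* IMAGE_FIRST_SECTION honours FileHeader.SizeOfOptionalHeader, so it still
       finds the table when the optional header is not sizeof(IMAGE_OPTIONAL_HEADER). */
    PIMAGE_SECTION_HEADER Sections = IMAGE_FIRST_SECTION( Nt );

    for ( USHORT i = 0; i < SCount; i++ ) {
        ULONG Start = Sections[i].VirtualAddress;
        ULONG RawSize = Sections[i].SizeOfRawData;
        /* Half-open range: an RVA exactly at Start + RawSize is the first byte
           of the next section (or has no file backing), not the last byte of
           this one. A section with no raw data matches nothing. */
        if ( Increment >= Start && Increment - Start < RawSize ) {
            return ( Increment - Start ) + Sections[i].PointerToRawData + Base;
        }
    }
    return Base + Increment;
}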

 
 
 