Celeborn is a Userland API Unhooker that I developed for learning Windows APIs and Syscall implementations

Overview

Celeborn

Celeborn is a Userland API Unhooker that I developed for learning Windows APIs and Syscall implementations. It mainly detects and patches hooking instructions in NTDLL.dll file. All PRs are welcome!

How It Works?

Celeborn takes the hooked NTDLL.dll module from the in-memory module list that exists in PEB structure (specifically, LoaderData member), parses its export directory to detect hooked functions. To do that, it traverses all Nt related functions, and check their first four bytes. If they are not 0x4C,0x8B,0xD1,0xB8, the tool itself qualifies them as hooked and started to patch them.

To get a fresh and unhooked NTDLL.dll file, Celeborn loads the file as a section and maps as an image. While patching a function, it copies the first 24 bytes of the clear function address (after parsing the export directory again), and overwrites the hooked one.

Before unhooking the functions, I defined predefined syscalls in the assembly format because I realized that functions that are used for unhooking process might be also hooked. During patching and detecting, Celeborn is using these predefined arbitrary syscall functions.

TO-DO List

  • Generic Predefined Syscall Numbers
  • More silent techniques (especially for newly created section)
  • Refactor

References

I used different techniques from the following tools for both silence and learning.

You might also like...
This repository gives an idea about how to use UART/SPI/I2C communication using HAL APIs

STM32-UART-SPI-I2C communication with Arduino board using HAL APIs This repository gives an idea about how to use UART/SPI/I2C communication using HAL

Macro magic for declaring/calling Objective-C APIs from C11 or C++. Preloads selectors, chooses the correct objc_msgSend to call per method/platform.

OC - Easily Declare/Invoke Objective-C APIs from C11 or C++11 Usage // Call class and instance methods: NSWindow* const nswindow = oc_cls(NSWindow,new

An REFramework plugin that adds Direct2D scripting APIs

REFramework Direct 2D This is an REFramework plugin that adds a Direct2D scripting API. Building Currently suggest building in RelWithDebInfo so that

Competitive Programming Implementations, Resources, Solutions, and Tools

In competitive programming contests, one must write computer programs capable of solving clear-cut problems under the given contraints and limits. Most competitive programmers use C++, Java, or Python.

the implementations of 'A Flexible New Technique for Camera Calibration' and Bouguet's method

StereoCameraCalibration MonocularCameraCalibration/StereoCameraCalibration/StereoCameraRectification 1、Class "MonocularCameraCalibration" provides the

A repository containing our learnings and implementations for the project "Anchor: The Docker Clone" under IEEE-NITK

Anchor: The Docker Clone A repository containing our learnings and implementations for the project "Anchor: The Docker Clone" under IEEE-NITK Currentl

Implements a Windows service (in a DLL) that removes the rounded corners for windows in Windows 11

ep_dwm Implements a Windows service that removes the rounded corners for windows in Windows 11. Tested on Windows 11 build 22000.434. Pre-compiled bin

A collection of different Cellular Automata implementations for recreational purposes
A collection of different Cellular Automata implementations for recreational purposes

A collection of different Cellular Automata implementations for recreational purposes

Comparing the performance of Wave Digital Filter implementations

WDF Bakeoff Comparing performance between Wave Digital Filters implemented in C++ and Faust. Building First clone the repository and submodules: git c

Owner
Furkan Göksel
Security Enthusiast and Developer
Furkan Göksel
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 155 Nov 19, 2022
Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR

Detect-Hooks Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will r

anthemtotheego 120 Nov 19, 2022
Reference Implementations of P0267, the proposed 2D graphics API for ISO C++

P0267 Reference Implementation Please read the LICENSE before cloning or forking the code as there is important information there! Please see the wiki

cpp-io2d 305 Nov 12, 2022
Demonstrates implementation of the Windows 10 Acrylic Effect on C++ Win32 Apps using DWM Private APIs and Direct Composition

Win32 Acrylic Effect A Demonstration of Acrylic Effect on C++ Win32 applications using Direct Composition and DWM private APIs. Table of Contents Over

Selastin 125 Nov 30, 2022
ebpf syscall recording demo project

ebpf syscall recording demo project

Sascha Grunert 9 Jun 7, 2022
hooking the execve syscall, to randomly sabotage typed bash commands.

Syscall hooks A small project of hooking the execve() syscall, to randomly sabotage typed bash commands. This project was tested on 5.11.0-38-generic.

ilevi 4 Aug 2, 2022
raincoat is a shellcode injector that uses direct syscall invoking.

raincoat is a shellcode injector that uses direct syscall invoking. by liz @realhaxorleet & ellyysium @ellyysium opening the code may cause brain dama

null 5 Jan 29, 2022
List & Read the processes memory using Windows APIs (PSAPI/ToolHelpAPI/WTSAPI)

Dumper List & Read the processes memory using Windows APIs PSAPI ToolHelp WTSAPI Usage The Dumper tool list the running procceses and provide the abil

ムハンマド 5 Oct 12, 2022
This is the Arduino® compatible port of the AIfES machine learning framework, developed and maintained by Fraunhofer Institute for Microelectronic Circuits and Systems.

AIfES for Arduino® AIfES (Artificial Intelligence for Embedded Systems) is a platform-independent and standalone AI software framework optimized for e

null 157 Nov 24, 2022
An efficient, small mobile key-value storage framework developed by WeChat. Works on Android, iOS, macOS, Windows, and POSIX.

中文版本请参看这里 MMKV is an efficient, small, easy-to-use mobile key-value storage framework used in the WeChat application. It's currently available on Andr

Tencent 15.3k Nov 25, 2022