Skip to content

mgeeky/unhook-bof

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research:

https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software

To use:

Load unhook.cna into Cobalt Strike via Cobalt Strike -> Script Manager

Run 'unhook' from Beacon

To build:

x86: Open Visual Studio x86 Native Tools Command Prompt and type 'make'
x64: Open Visual Studio x64 Croos Tools Command Prompt and type 'make'

This project derived from:

Reflective DLL Injection
BSD 3-Clause License
Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
https://github.com/stephenfewer/ReflectiveDLLInjection

ReflectiveDLLRefresher
BSD 3-Clause License
Copyright (c) 2017, Cylance Inc.
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

Unhook Meterpreter Extension
BSD-3-Clause License
2006-2018, Rapid7, Inc.
https://github.com/rapid7/metasploit-payloads/commits/master/c/meterpreter/source/extensions/unhook

About

Remove API hooks from a Beacon process.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Sponsor this project

 

Packages

No packages published

Languages

  • C 98.9%
  • Batchfile 1.1%