{"id":49461139,"url":"https://github.com/internetangel/craftunhook","last_synced_at":"2026-04-30T10:07:10.364Z","repository":{"id":289359722,"uuid":"970992938","full_name":"internetangel/CraftUnhook","owner":"internetangel","description":"Unhooking NTDLL Without Reading It From Disk.","archived":false,"fork":false,"pushed_at":"2025-07-01T12:36:33.000Z","size":23,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-23T04:28:12.176Z","etag":null,"topics":["malware","ntdll","ntdll-unhooking","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/internetangel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-22T21:06:49.000Z","updated_at":"2025-11-22T08:17:46.000Z","dependencies_parsed_at":"2025-05-30T20:00:22.540Z","dependency_job_id":"158aa746-c55d-483e-87af-f221be48e6e2","html_url":"https://github.com/internetangel/CraftUnhook","commit_stats":null,"previous_names":["dk0m/craftunhook","internetangel/craftunhook"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/internetangel/CraftUnhook","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/internetangel%2FCraftUnhook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/internetangel%2FCraftUnhook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/internetangel%2FCraftUnhook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/internetangel%2FCraftUnhook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/internetangel","download_url":"https://codeload.github.com/internetangel/CraftUnhook/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/internetangel%2FCraftUnhook/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32460875,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T22:27:22.272Z","status":"online","status_checked_at":"2026-04-30T02:00:05.929Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","ntdll","ntdll-unhooking","windows"],"created_at":"2026-04-30T10:07:06.306Z","updated_at":"2026-04-30T10:07:10.355Z","avatar_url":"https://github.com/internetangel.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# CraftUnhook\nUnhooking NTDLL Without Reading It From Disk.\n\n## Explanation\nCraftUnhook works by crafting a clean syscall stub for the desired native function without reading a new copy of NTDLL, by [Resolving System Call Service Numbers Using The Exception Directory](https://www.mdsec.co.uk/2022/04/resolving-system-service-numbers-using-the-exception-directory/) and overwriting the hooked stub with the new clean stub. This makes reading an NTDLL copy obsolete and less preferable.\n\n## Why Reading NTDLL From Disk Is Useless Now\nReading NTDLL allowed developers to fetch a clean syscall stub of the desired function, but now that we can fetch the system service number (SSN) from the Exception Directory of NTDLL, craft a stub and overwrite the hooked stub with it, we really don't have any reason to read NTDLL from disk. Reading it is also very suspicious behaviour for a process and is monitored by AVs/EDRs.\n\n## Usage\nChecking if a function is hooked:\n```cpp\nif (craftunhook::isHookedByHash(hashes::ZwQueryInformationProcess))\n    printf(\"[!] ZwQueryInformationProcess is Hooked!\\n\");\n```\n\nCalling the function after it has been unhooked, then restoring it to its original hooked state:\n```cpp\n// If you don't care about the NTSTATUS return value, you can use the CLEAN_CALL macro.\n// It unhooks the function (if it's hooked), performs the user's call and then restores the function (if it was hooked) to its original state.\n\nPROCESS_BASIC_INFORMATION pbi{ 0 };\nCLEAN_CALL(\n    hashes::ZwQueryInformationProcess, // ror13 hash of 'ZwQueryInformationProcess'\n    NtQueryInformationProcess(\n        GetCurrentProcess(),\n        ProcessBasicInformation,\n        \u0026pbi,\n        sizeof(pbi),\n        NULL\n    )\n);\n```\n\n## Todo\n- Add x86 support\n\n## Credits\n[MDSec](https://www.mdsec.co.uk/) - [Resolving System Call Service Numbers Using The Exception Directory](https://www.mdsec.co.uk/2022/04/resolving-system-service-numbers-using-the-exception-directory/), a great article to read that gives you a whole new array of ideas for syscall shenanigans.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finternetangel%2Fcraftunhook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finternetangel%2Fcraftunhook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finternetangel%2Fcraftunhook/lists"}