question

Open jxttah opened this issue 7 months ago • 1 comments

can NtUnloadKey hook be restored in runtime?

May 12 '25 18:05 jxttah

hi, as we are hooking the os kernel by patching .text section we cannot restore it unfortunately :*( the kernel patch guard will catch us if u want to find something that can be unhooked in runtime u can take a look into the .data ptr hooks u can find some calls of .data pointer in the ntoskrnl too then u just need to overwrite this pointer value to the address of your function after that to unhook u simply need to restore the pointer value stored in this variable // thats basically in short how the .data ptr hooks work

May 12 '25 22:05 3a1