A library and binary (both built via cargo build) for testing unhooking ntdll by identifying hooks via in-memory disassembly.
unhook_exports will walk through the export table of NTDLL and unhook each exported function via in-memory disassembly + patching a jmp to the correct (relocated by EDR) function.
unhook_iat only works for IAT functions (won't unhook runtime discovered functions e.g. via GetProcAddress), note that this doesn't mean we are limited to fixing patched/modified IAT entries, most tested EDRs/AVs don't patch the IAT directly but the actual start of the function in ntdll itself that the IAT points to. We change the IAT pointer to point to the proper (relocated by the AV/EDR) syscall stub.
Tested against Sophos free AV.
Only for a sample of unhooking using a technique other than loading a second ntdll or using direct/inline syscalls.
This repository consists of the following:
unhook_exportsHooked:

Unhooked:

$ claude mcp add iat_unhook_sample \
-- python -m otcore.mcp_server <graph>