Description: First, the driver code acquires the RVAs of the APIs from the export table of ntoskrnl.exe. Second, the program acquires the base address of ntoskrnl.exe as loaded in memory and uses it to compute the real memory addresses of those APIs. Third, the program removes hooks by comparing the real addresses with the entries in the SSDT.
File list (check whether you need any of these files):
SDT_UnHook_Code\EmptyDriver2\buildchk_wlh_x86.log
...............\............\buildchk_wlh_x86.wrn
...............\............\buildchk_wxp_x86.log
...............\............\buildfre_wxp_x86.log
...............\............\BuildLog.htm
...............\............\ddkbldenv.cmd
...............\............\ddkpostbld.cmd
...............\............\ddkprebld.cmd
...............\............\EmptyDriver2.vsprops
...............\............\EmptyDriver2.WLH.vcproj
...............\............\EmptyDriver2.WLH.vcproj.20110611-1053.sfx.user
...............\............\EmptyDriver2.WLH.vcproj.PC-201004210949.sfx.user
...............\............\EmptyDriver2.WLH.vcproj.sfx-PC.sfx.user
...............\............\makefile
...............\............\pe.h
...............\............\RESSDT.c
...............\............\sources
...............\EmptyDriver2.ncb
...............\EmptyDriver2.sln
...............\EmptyDriver2.suo
...............\makefile
...............\sources
...............\EmptyDriver2\objchk_wxp_x86\i386
...............\............\objchk_wxp_x86
...............\EmptyDriver2
SDT_UnHook_Code