A C# application that unhooks Bit Defender from ntdll.dll to help run malicious code undetected.
The code is quite long (particularly the native Win32 structs), and I'm sure it could be optimised.
This C# code is based upon one of the techniques demonstrated in the RED TEAM Operator: Windows Evasion Course from Sektor7, the original is written in C/C++. I would recommend any of the malware development courses, there is a lot of great stuff to learn about creating malware in C/C++.
When Windows creates a new process Bit Defender injects the atcuf64.dll DLL into the process and hooks many of the ntdll.dll syscalls. If, for example, NtCreateProcess is called by malicious code Bit Defender is able to intercept the call, do it's anti-malware magic, then return execution to the thread (or kill the process if it is malicious).
The code maps another version of ntdll.dll in memory, finds the .text section, and copies it over the hoooked version.
The following image shows the ZwCreateProcess function when Bit Defender is not present:
The following image shows the ZwCreateProcess function when Bit Defender has hooked into ntdll.dll. We can see the jmp instruction (this is the hook):
And finally, this image shows the ZwCreateProcess function after being unhooked (the jmp instruction has been reverted back to the normal syscall):
Execution of the code is shown below:
[+] Mapping Ntdll...
[+] Original Ntdll address is 0x7FFE23450000
[+] Mapped Ntdll address is 0x2C17E3B0000
[+] Mapped Ntdll is a valid image.
[+] e_lfanew equals 0xE8
[+] NT_HEADERS address is 0x2C17E3B00E8
[+] Mapped Ntdll NT Headers is valid.
[+] Sections to enumerate is 10
[+] First section is .text
[+] First section is at 0x2C17E3B01F0
[+] Analysing section .text
[+] .text section is at 0x2C17E3B01F0
[+] VirtualProtect Ntdll to PAGE_EXECUTE_READWRITE...
[+] Unhooking Ntdll by copying mapped data...
[+] VirtualProtect Ntdll to PAGE_EXECUTE_WRITECOPY...
[+] Unmapping view of Ntdll...
[+] Done! Have a nice day!
I haven't tested the code with anything malicious yet to see if it bypasses Bit Defender. I will post my findings when I do.
I tested this against Bit Defender with a very basic Virtualalloc, RtlMoveMemory, VirtualProtect, CreateThread classic combo (with an encrypted payload). Bit Defender didn't detect anything malicious on disk (with scanning) but did kill the process when CreateThread was called.