Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Neillife/NtdllUnHookInjector

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
NtdllUnHookInjector
NtdllUnHookInjector
 
 
packages
packages
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
NtdllUnHookInjector.sln
NtdllUnHookInjector.sln
 
 
README.md
README.md
 
 
README_cn.md
README_cn.md
 
 

Repository files navigation

Contributors Forks Stargazers Issues MIT License

🧬 NtdllUnHookInjector

中文 | English

🔒 Stealthy DLL & Shellcode Injector via ntdll.dll
Bypasses user-mode hooks for faster, stealthier, and more reliable injection.

📝 Overview

A C# injector that unhooks ntdll.dll and performs code injection via low-level ntdll functions (e.g., NtCreateThreadEx).
This approach improves speed, bypasses user-mode monitoring, and achieves stealthier injection.

This project adopts a modular design of Strategy Pattern and Factory Pattern to ensure that all functions are highly decoupled, easy to expand and maintain.

✨ Features

  • 🧩 Injection Modes:
    • 🔗 attach – inject into a running process
    • ⏸️ suspend – start suspended, inject, then resume
    • wait – wait for target process, then inject
  • 📦 Payloads: DLL / Shellcode (Test payloads are available in TestInjectFile, compiled with C++)
  • ⚙️ Low-level API: calls ntdll (e.g., NtCreateThreadEx) instead of kernel32
  • 🎯 Targeting: by process name or PID
Directory Structure 
NtdllUnHookInjector/
├── Core/
│   ├── Payloads/              # Injection payloads
│   ├── Services/              # Injection services
│   └── Strategies/            # Injection strategies
├── Native/                    # Windows API bindings
└── TestInjectFile/            # Sample Dll and shellcode

🚀 Usage

  • Payload File: If you want to test injection, TestInjectFile already has a popup DLL compiled in C++.
    • DLL: MessageBox32.dll / MessageBox64.dll
    • Shellcode: MessageBox32.bin / MessageBox64.bin
  • Permissions: Since advanced operations are involved, make sure the target process matches the injector architecture (x32 / x64) and that you run as Administrator if required.
NtdllUnHookInjector.exe <mode> <target> <payload_path>

🔹 Parameters

  • <mode> : attach | suspend | wait
  • <target> : process name / PID / exe path (depends on mode)
  • <payload_path> : DLL (.dll) or Shellcode (.bin)

🔹 Examples

# Inject shellcode into Notepad
NtdllUnHookInjector.exe attach notepad TestInjectFile\MessageBox64.bin

# Inject DLL into a suspended Notepad process
NtdllUnHookInjector.exe suspend "C:\Windows\System32\notepad.exe" TestInjectFile\MessageBox64.dll

# Wait for myapp.exe to start, then inject DLL
NtdllUnHookInjector.exe wait myapp.exe TestInjectFile\MessageBox64.dll

🛠️ Build

Open in Visual Studio 2019+

⚠️ Important: Ensure x86 / x64 matches the target process

📜 License

MIT – see LICENSE

⚠️ Disclaimer

This project is intended for educational and research purposes only.
🚫 Do not use it for illegal activities. The author assumes no responsibility for misuse.

About

Ntdll Unhooked Injector – Bypasses User-Mode Monitoring

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages