Nyx Unhooker is a tool designed to facilitate DLL unhooking, focusing on critical system DLLs to allow evasion of Endpoint Detection and Response (EDR) mechanisms. By restoring original DLL code sections, Nyx Unhooker aims to counteract monitoring and detection by security tools, offering a method for software to operate stealthily on compromised systems.

• Simple to use.
• DLL Unhooking: Enables the restoration of original code sections for the following DLLs:
  • kernel32.dll
  • kernelbase.dll
  • ntdll.dll
  • user32.dll
  • apphelp.dll
  • msvcrt.dll

Endpoint Detection and Response (EDR) tools rely on hooking mechanisms to monitor and intercept system-level function calls within DLLs. This technique allows for real-time monitoring of program behavior, helping to identify and mitigate potential security threats. However, malware and certain software applications can utilize DLL unhooking to evade detection. Unhooking involves reverting the modifications made by EDR tools, thereby allowing malicious code to execute undetected.

Nyx Unhooker facilitates the unhooking process by restoring the original functionality of specified DLLs. This allows software utilizing Nyx Unhooker to operate without triggering alerts from EDR tools that rely on hooking mechanisms.

In a scenario where a software application needs to avoid detection by EDR tools, Nyx Unhooker can be used to restore the original DLL code sections, thus enabling the application to operate stealthily.

• Legal and Ethical Use: Ensure Nyx Unhooker is used in compliance with legal and ethical standards. Unauthorized use or deployment may violate terms of service or regulatory requirements.

Contributions to Nyx Unhooker are welcome. Please follow the established contribution guidelines and code of conduct.

This project is licensed under the [MIT]. See the LICENSE file for details.

• https://github.com/timwhitez

• Automatically unhooks DLLs based on the user's system architecture. This function detects whether the system is running on amd64 or i386 architecture and patches the DLLs accordingly.

• Unhooks DLLs specifically for systems running on the amd64 architecture. This function is commented out in the main example but can be used if you know your system architecture in advance.

• Unhooks DLLs specifically for systems running on the i386 architecture. This function is commented out in the main example but can be used if you know your system architecture in advance.

package main

import (
	"github.com/EvilBytecode/Nyx-Full-Dll-Unhook/pkg/nyx"
)

func main() {
	Nyx.AutoUnhook()   // Unhooks based on users Arch, (Automatically Gets it) and patches Dlls.
	// Nyx.Unhook64() Unhooks on Amd64 Archs
	// Nyx.Unhook386()  Unhooks on I386 Archs
}