If you plan on adding this functionality to your own shellcode loaders / toolings be sure to **AVOID** unhooking `kernel32.dll`.
151
+
An attempt to unhook `kernel32` will restore original `Sleep` functionality preventing our callback from being called.
152
+
If our callback is not called, the thread will be unable to spoof its own call stack by itself.
153
+
154
+
If that's what you want to have, than you might need to run another, watchdog thread, making sure that the Beacons thread will get spoofed whenever it sleeps.
155
+
156
+
If you're using Cobalt Strike and a BOF `unhook-bof` by Raphael's Mudge, be sure to check out my [Pull Request](https://github.com/rsmudge/unhook-bof/pull/2) that adds optional parameter to the BOF specifying libraries that should not be unhooked.
157
+
158
+
This way you can maintain your hooks in kernel32:
159
+
160
+
```
161
+
beacon> unhook kernel32
162
+
[*] Running unhook.
163
+
Will skip these modules: wmp.dll, kernel32.dll
164
+
[+] host called home, sent: 9475 bytes
165
+
[+] received output:
166
+
ntdll.dll <.text>
167
+
Unhook is done.
168
+
```
169
+
170
+
[Modified `unhook-bof` with option to ignore specified modules](https://github.com/mgeeky/unhook-bof)
Mariusz B. / mgeeky
committed
3 years ago
1 parent 41746391