Turns out I wasn’t as thorough as I thought in removing vestiges of the hack. Found some more obfuscated PHP in template files, along with some .php files I didn’t have permissions for that shouldn’t have been there.
Removed all that, and admin functionality is back to normal.