Unhook ntdll.dll EDR hooks via remapping

/static/assets/windows-logo.svg
Many EDR tools inject custom DLLs into Windows processes to "hook" system calls for analysis. One method an attacker can use to bypass those hooks is through remapping the .text section of the in-memory ntdll.dll module with the on-disk .text section. This essentially removes all of the EDR's hooks by replacing them with the correct versions of the original system call stubs. This approach is fairly common in C++, so this version uses P/invoke to load the unmanaged code for unhooking. Thanks to @makosec and @spotheplant for excellent resources (see attached metadata for references).
locked
View Command

To view this TTPs command, you must be logged in with a professional or enterprise license.

Login

Test this TTP

Download Operator (1.7.0)
Test this TTP using one of our Operator chains
Netsh Helper DLL

2021-08-10

/static/assets/windows-logo.svg
Create a Netsh helper DLL persistence.