This is a proof of concept of bypassing(unhooking) the hook of potential EDRs, in using an unhooked version of LdrLoadDll to load DLLs.
This is basically a reroute of the initial instruction of LdrLoadDll that will be executed in private memory and then reroute back into the normal code of LdrLoadDll,
Which is better for OPSEC since, all the calls looks like they are coming directly from the NTDLL anyway.
Why did I make this? Certain NTDLL export functions do not follow the SYSCALL procedure, hence this specific function like a few others need to be handled in a different manner.
-
Notifications
You must be signed in to change notification settings - Fork 22
trickster0/LdrLoadDll-Unhooking
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
About
LdrLoadDll Unhooking
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published