This repo contains information about EDRs that can be useful during red team exercises.
This proof-of-concept resolves the syscall ID dynamically, so there is no need to check the Windows version running on the remote host. To read the on-disk (untampered) copy of ntdll.dll rather than the in-memory copy an EDR may have hooked, the file is mapped with the MapViewOfFile Windows API. The mapped DLL is then parsed to retrieve the syscall ID, which is used to patch the live code.
This proof-of-concept patches the live DLL with the syscall ID hardcoded in the code, then reverts it to its original, unpatched state after use. Because syscall IDs change between Windows builds, the hardcoded value must match the target's version.
This utility retrieves the syscall ID associated with a Windows API. Example:
get_syscall64.exe ntdll.dll NtOpenProcess
ntdll.dll!NtOpenProcess at 0x00007FF873F6CAD0
NtOpenProcess syscall ID 0x00000026 (38)
This proof-of-concept detects hooks placed by EDR/AV/malware in the Import Address Table and replaces them with the original addresses (coded by xalicex).
Excel version of the list of hooks
Markdown version of the list of hooks
EDRs Hooked APIs
Want to contribute? Simply run hook_finder64.exe C:\windows\system32\ntdll.dll and submit the output.
CrowdStrike hooked ntdll.dll APIs
SentinelOne hooked ntdll.dll APIs
Cylance hooked ntdll.dll APIs (Thanks to Seemant Bisht)
Sophos hooked ntdll.dll APIs
Attivo Deception hooked ntdll.dll APIs
CarbonBlack hooked ntdll.dll APIs (Thanks to Hackndo)
Symantec hooked ntdll.dll APIs (Thanks to CarsonSallis)
DeepInstinct hooked ntdll.dll APIs (Thanks to P0chAcc0)
McAfee hooked ntdll.dll APIs
CheckPoint SandBlast hooked ntdll.dll APIs
ESET Endpoint Security 8.0.2028.0 hooked ntdll.dll APIs
TrendMicro 17.7.1130 hooked ntdll.dll APIs
Cortex XDR hooked APIs (KERNEL MODE)
Bitdefender hooked ntdll.dll APIs
Mr.Un1k0d3r RingZer0 Team
And the whole community <3