
Unhooking EDR by remapping ntdll.dll

By Remapping ntdll from disk

bob van der staak
9 min read · Dec 7, 2023

In this blog, we dive into another technique that can be used to unhook ntdll.dll once it has been hooked by an EDR: remapping, by loading a fresh copy of ntdll from disk. We will also look at how this can be noticed by an EDR, and how you can verify it yourself. These techniques are not new, but for me it is important to uncover the inner workings of older techniques and write down the individual steps to get the best understanding.

Introduction

As explained in my previous blogs about direct syscalls, an EDR can place a hook on specific native Windows functions. A prime example is ntdll.dll, whose functions (NtWriteVirtualMemory and NtAllocateVirtualMemory, for example) are the gateway to the kernel.

Instead of avoiding the “infected” ntdll.dll hooks by bypassing the DLL completely (by performing a direct syscall), it is also possible to remove the EDR hook from the loaded module altogether.

This is possible for the following reason: the ntdll.dll stored on disk is not hooked. The on-disk copy does not contain the EDR’s code; that code is only injected when an application is started and ntdll is loaded into the memory of that process.

So if there is a way to overwrite the “infected” ntdll.dll loaded into the malware’s memory with the clean copy from disk, the hook can be removed. This could…
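The same disk-versus-memory relationship is what lets you (or an EDR) notice hooking in the first place: the `.text` section of the mapped module should be byte-identical to the `.text` section of the file on disk. As an added example (not the author’s code), the core of such an integrity check: parse the PE section table to locate `.text` and report each run of bytes where the mapped copy diverges from the file. The PE images, the stub bytes and the jmp-style patch are all constructed stand-ins for ntdll and an EDR hook; acquiring the real mapped bytes from a monitored process is outside this snippet.

```python
import struct

def text_section(pe: bytes):
    """Return (VirtualAddress, PointerToRawData, size) of the .text section of a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]          # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # FileHeader.SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, first + 40 * i)
        if name.rstrip(b"\0") == b".text":
            return va, rawptr, min(vsize, rawsize)
    raise ValueError(".text section not found")

def divergent_runs(disk: bytes, mem: bytes, max_gap: int = 8):
    """Diff .text of the on-disk file (raw layout) against the mapped module (RVA layout).
    Returns [(rva, disk_bytes, mem_bytes)] per run of differing bytes; an inline hook
    typically shows as a 5-byte run (E9 rel32) at a function's first instruction."""
    va, rawptr, size = text_section(disk)
    a, b = disk[rawptr:rawptr + size], mem[va:va + size]
    runs, start, last = [], None, -1
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            start, last = (i if start is None else start), i
        elif start is not None and i - last > max_gap:           # close a run after a quiet gap
            runs.append((va + start, a[start:last + 1], b[start:last + 1]))
            start = None
    if start is not None:
        runs.append((va + start, a[start:last + 1], b[start:last + 1]))
    return runs

def build_image(text: bytes, mapped: bool) -> bytes:
    """Constructed minimal PE32+ with one .text section, standing in for ntdll.dll.
    mapped=False: file layout (section at PointerToRawData); mapped=True: loader layout
    (section at VirtualAddress), i.e. what reading the module from process memory yields."""
    va, raw = 0x1000, 0x400
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    filehdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), va, len(text), raw, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + filehdr + bytes(opt) + sect
    return hdr.ljust(va if mapped else raw, b"\0") + text

# Constructed stub bytes (mov r10,rcx; mov eax,imm32; syscall; ret) plus int3 padding.
CLEAN_TEXT = bytes.fromhex("4c8bd1b8180000000f05c3").ljust(64, b"\xcc")
# The same stub with its first five bytes replaced by a jmp rel32, as an inline hook leaves it.
HOOKED_TEXT = bytes.fromhex("e912345678") + CLEAN_TEXT[5:]

def demo():
    disk = build_image(CLEAN_TEXT, mapped=False)
    return (divergent_runs(disk, build_image(HOOKED_TEXT, mapped=True)),
            divergent_runs(disk, build_image(CLEAN_TEXT, mapped=True)))

if __name__ == "__main__":
    for rva, d, m in demo()[0]:
        print(f"RVA {rva:#x}: disk {d.hex()} -> memory {m.hex()}")
```

On a real system the mapped bytes come from reading the loaded module in the process under inspection, and a clean result after a process was seen with divergences is itself a signal that the module was restored from disk.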
