Understanding the basics of user mode EDR hooking, common bypass techniques, and their limitations.

MalwareTech

A deep dive into how Endpoint Detection and Response (EDR) products use user mode hooks in ntdll.dll to monitor process behavior, and how those hooks can be bypassed. Covers the fundamentals of Windows syscalls and the SSDT, explains how EDRs place jmp-based hooks in ntdll after PatchGuard eliminated SSDT hooking, then walks through three main bypass techniques: EDR unhooking (restoring original bytes), manually mapping a clean ntdll, and direct/indirect syscalls. Direct syscalls are flagged because legitimate Windows software never bypasses ntdll, while indirect syscalls reuse ntdll's own syscall instruction to produce a more convincing call stack. The post also touches on call stack inspection as an EDR countermeasure and previews call stack spoofing as a future topic.

An Introduction to Bypassing User Mode EDR Hooks