A deep dive into how Endpoint Detection and Response (EDR) products use user-mode hooks in ntdll.dll to monitor process behavior, and how those hooks can be bypassed. Covers the fundamentals of Windows syscalls and the SSDT, explains how EDRs place jmp-based inline hooks on the Nt* stubs in ntdll now that PatchGuard (Kernel Patch Protection) has ruled out SSDT hooking on 64-bit Windows, then walks through three main bypass techniques: EDR unhooking (restoring the original stub bytes over the hook), manually mapping a clean copy of ntdll from disk, and direct/indirect syscalls. Direct syscalls are easy to flag because legitimate Windows software always enters the kernel through ntdll, so a syscall instruction executing from outside ntdll stands out; indirect syscalls instead jump to ntdll's own syscall instruction, so the return address and call stack look more like a normal call. The post also touches on call stack inspection as an EDR countermeasure and previews call stack spoofing as a future topic.
Table of contents
A Trip Back In Time
What Is a Syscall
EDRs and User Mode Hooking
Bypassing EDR Hooks
That’s All, For Now