EDR-Preloading is a technique for bypassing Endpoint Detection and Response (EDR) user-mode hooks by executing malicious code before the EDR's DLL is loaded into a process. It abuses the Application Verifier (AppVerifier) layer in ntdll, specifically the AvrfpAPILookupCallbackRoutine pointer, to register a callback that fires during early process initialization, before EDR DLLs are injected via APC. The technique locates the callback pointer in ntdll's .mrdata section, writes an encoded function pointer into a suspended child process, and then neutralizes any pre-loaded EDR modules by clobbering their DLLs, disabling the APC dispatcher, and hooking LdrLoadDll. A proof of concept with full source code is provided, tested against two major EDRs on 64-bit Windows 10.

12 min read. From malwaretech.com

Table of contents

- A quick overview of the Windows process loader
- Older bypass techniques and drawbacks
- Finding something new
- Introducing EDR-Preloader
- Final Thoughts
