Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/trickster0/LdrLoadDll-Unhooking
LdrLoadDll Unhooking
- Host: GitHub
- URL: https://github.com/trickster0/LdrLoadDll-Unhooking
- Owner: trickster0
- Created: 2022-01-16T14:16:47.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2022-01-16T15:00:12.000Z (almost 3 years ago)
- Last Synced: 2023-03-04T05:15:01.678Z (over 1 year ago)
- Language: C++
- Size: 7.81 KB
- Stars: 84
- Watchers: 4
- Forks: 17
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# LdrLoadDll-Unhooking
This is a proof of concept of bypassing (unhooking) the hooks of potential EDRs by using an unhooked version of LdrLoadDll to load DLLs.
This is basically a reroute of the initial instruction of LdrLoadDll that will be executed in private memory and then reroute back into the normal code of LdrLoadDll,
which is better for OPSEC since all the calls look like they are coming directly from NTDLL anyway.
Why did I make this? Certain NTDLL export functions do not follow the SYSCALL procedure, hence this specific function, like a few others, needs to be handled in a different manner.