A simple PoC that locates hooked functions in ntdll.dll, to support EDR evasion research.
This PoC uses the same checks as TartarusGate to find hooked system call stubs. The first bytes of each function are inspected: a clean x64 stub begins with `4C 8B D1` (`mov r10, rcx`) followed by `B8 xx xx 00 00` (`mov eax, <SSN>`), so the byte at offset 0 and the byte at offset 3 (the opcode position of that `mov eax`) are compared against 0xE9, the opcode of a near `JMP rel32`. If either matches, that is a good indicator the function is hooked: execution has been redirected either at the function entry or right after the `mov r10, rcx`. Note that the check only looks for 0xE9 at those two offsets, so a hook placed with a different instruction sequence, or deeper into the stub, is not reported.
The screenshot below is a demo of the program run against an endpoint with an EDR installed.
On July 15, 2023 I created my GitHub Sponsors sponsorship tiers. Be sure to check them out to find out what kind of perks you could be getting!
Code heavily borrowed from TartarusGate.