
A very small post about a little experiment I did in my lab.

I’ve used the nice and interesting code of Asaurusrex ( https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker ), a C++ program that shows you all the functions your EDR has hooked.

Then I modified it a little so that it can also load a DLL.

Then I used @Slaeryan’s AQUARMOURY shellycoat unhooking DLL ( https://github.com/slaeryan/AQUARMOURY ).

Here are my results under SentinelOne.

Test 1: 42 functions are hooked in ntdll.dll by SentinelOne (49 are reported, but 7 of them are flagged even though they are not hooked; see the README of Hook_Checker).

Test 2: all functions in ntdll.dll have been unhooked by loading the disposable shellycoat DLL! Nice 🙂

Next?

I’m still wondering why the program doesn’t detect any hooking on some other EDRs, for example Palo Alto EDR.

References:

https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker by Asaurusrex, shared by netbiosX

My modified version: https://github.com/k4nfr3/Probatorum-EDR-Userland-Hook-Checker/

https://github.com/slaeryan/AQUARMOURY by @Slaeryan
