27 May 2022 - Pentest/Red Team

How and Why to Unhook the Import Address Table

27 May 2022 at 09:33
By: Author
One day, while trying to bypass an EDR, I noticed something interesting. Unlike other user-land EDRs, this one wasn't hooking DLL functions by patching their code with a jmp instruction; instead, it was hooking the Import Address Table directly. This makes the usual countermeasures useless, such as live-patching the hooked functions or overwriting the loaded DLL with a fresh copy from disk. I had to unhook the Import Address Table of my process.