This is a story about a security analyst’s late-night investigation into a suspicious executable that demonstrates the cat-and-mouse game between malware and modern defense mechanisms. The Discovery
Most modern EDR (Endpoint Detection and Response) tools work by placing "hooks" in ntdll.dll . This DLL is the lowest-level gateway to the Windows kernel. When a program wants to open a file or connect to the internet, it calls a function in ntdll.dll . The EDR’s hooks intercept that call, check if it’s malicious, and then let it pass—or kill it. UnhookingNtdll_disk.exe
Elias realized that UnhookingNtdll_disk.exe was designed to break those hooks. The Methodology: Cleaning the DLL This is a story about a security analyst’s
: It then identified the .text section (the executable code) of the "dirty" ntdll.dll already running in its process memory and overwrote it with the "clean" code from the disk. The Result: Silent Execution When a program wants to open a file