Overwrite ntdll.dll's ".text" section using a clean version of the DLL.
It can help to evade security measures that install API hooks such as EDRs.
The unhooked version of the DLL can be obtained from:
- A DLL file already on disk - For example "C:\Windows\System32\ntdll.dll".
- The KnownDlls folder ("\KnownDlls\ntdll.dll").
- A process created in debug mode - Processes created in suspended or debug mode have a clean ntdll.dll.
After installing Git, run the following commands:
go env -w GO111MODULE=off
go get golang.org/x/sys/windows
Get the clean ntdll.dll from disk. You can specify a file path or use the default value "C:\Windows\System32\ntdll.dll":
go run goNtdllOverwrite.go -o disk [-p PATH]
Get the clean ntdll.dll from the KnownDlls folder:
go run goNtdllOverwrite.go -o knowndlls
Get the clean ntdll.dll from a new process created with the DEBUG_PROCESS flag. You can specify a binary to create the process or use the default value "C:\Windows\System32\calc.exe":
go run goNtdllOverwrite.go -o debugproc [-p PATH]
-
.NET implementation: SharpNtdllOverwrite
-
Python implementation: pyNtdllOverwrite