Skip to content
/ birdnet-poc Public
forked from inb1ts/birdnet-poc

Experimental PoC for unhooking API functions using in-memory patching, without VirtualProtect, for one specific EDR.

14 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

lleon1435/birdnet-poc

1 Branch0 Tags
This branch is up to date with inb1ts/birdnet-poc:main.

Folders and files

NameName
Last commit message
Last commit date

Latest commit

inb1tsinb1ts
Create README.md
Jul 9, 2023
4ac6b2d · Jul 9, 2023

History

5 Commits
README.md
README.md
Jul 9, 2023
birdnet.c
birdnet.c
Jul 9, 2023
compile.bat
compile.bat
Jul 6, 2023
structs.h
structs.h
Jul 7, 2023

Repository files navigation

birdnet-poc

Experimental PoC for unhooking API functions using in-memory patching, without VirtualProtect, for one specific EDR.

Accompanying blog post: https://inbits-sec.com/posts/in-memory-unhooking/

Brief Overview

The PoC covers an approach to unhooking Crowdstrike Falcon hooks in NTDLL. It does this by finding the relocated syscall stub, and then finding a specific heap location through in-memory disassembly in order to patch a jump and bypass the hook.

About

Experimental PoC for unhooking API functions using in-memory patching, without VirtualProtect, for one specific EDR.

Resources

Readme
Activity

Stars

14 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 99.0%
  • Batchfile 1.0%