Securing your malware from being hooked
By only allowing Microsoft-signed DLLs
Published Dec 23, 2023 (10 min read)
A running application can be hooked by an EDR so that the EDR can inspect the actions the process performs. Most of the time these hooks are placed in ntdll.dll or kernel32.dll. If the EDR detects something fishy, it can try to stop the unwanted activity before real damage takes place.
One method to limit an EDR’s ability to hook the process is to allow only DLLs that are signed by Microsoft to load into it. This can be accomplished by setting a mitigation policy on the executable. Per default all…
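The policy described above is the documented Windows binary-signature mitigation (Code Integrity Guard, "Microsoft signed only"), a legitimate hardening feature that is also visible from the defender's side: the same flag that keeps an EDR's user-mode DLL out of a process can be read back from the process mitigation policy. The following PowerShell, an added example that is not part of the article, inventories which running processes and which per-image entries carry that flag. It assumes the ProcessMitigations module shipped with Windows 10 1709 and later (`Get-ProcessMitigation` with `-RunningProcesses` and `-Name`) and assumes the returned record exposes a `SignedBinaries` object with `MicrosoftSignedOnly` and `AllowStoreSignedBinaries` members; confirm both against `Get-Help Get-ProcessMitigation -Full` on your build, as those property names are taken from memory rather than from the article.

```powershell
# Added example (not from the article): list processes and image entries that have
# the "Microsoft signed only" binary signature policy enabled.
# Assumptions: ProcessMitigations module present (Windows 10 1709+), and the
# record layout $_.SignedBinaries.MicrosoftSignedOnly / .AllowStoreSignedBinaries.

function Get-SignedOnlyProcesses {
    # One mitigation record per live process; keep those with the policy ON.
    Get-ProcessMitigation -RunningProcesses |
        Where-Object {
            $_.SignedBinaries -and ($_.SignedBinaries.MicrosoftSignedOnly -eq 'ON')
        } |
        Select-Object ProcessName, Id,
            @{ Name = 'MicrosoftSignedOnly'; Expression = { $_.SignedBinaries.MicrosoftSignedOnly } },
            @{ Name = 'AllowStoreSigned';    Expression = { $_.SignedBinaries.AllowStoreSignedBinaries } }
}

function Test-ImageSignedOnly {
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'example.exe' (placeholder)
    # Per-image settings are read from Image File Execution Options by -Name.
    $record = Get-ProcessMitigation -Name $ImageName
    return [bool]($record.SignedBinaries -and ($record.SignedBinaries.MicrosoftSignedOnly -eq 'ON'))
}

# Usage: run from an elevated prompt so every process can be queried.
Get-SignedOnlyProcesses | Sort-Object ProcessName | Format-Table -AutoSize
```

Expect legitimate hits from browsers and other hardened software that enable this policy for their own protection, so triage by image path and Authenticode signer rather than treating the flag alone as an indicator. A second, complementary check is whether the EDR's own user-mode module is actually present in the process's loaded-module list; a process that carries the policy and lacks that module is the case the article is describing.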