This is a story about a security analyst’s late-night investigation into a suspicious executable that demonstrates the cat-and-mouse game between malware and modern defense mechanisms. The Discovery
: It read the clean, un-hooked code from the disk into a new section of memory. UnhookingNtdll_disk.exe
Elias flagged the technique as . He updated the team’s detection rules to look for processes accessing the ntdll.dll file on disk with Read permissions—a behavior rarely needed by legitimate software. This is a story about a security analyst’s
: Instead of trying to fight the EDR hooks already present in the memory-loaded version of ntdll.dll , the malware opened the original ntdll.dll file directly from the C:\Windows\System32\ folder on the disk. He updated the team’s detection rules to look
Elias watched the sandbox logs. Without the hooks to stop it, the malware began injecting a ransomware payload into a legitimate system process. To the EDR, the system calls now looked perfectly normal because the "interceptor" had been erased. The Lesson