Dump lsass using only NTAPI functions by hand-crafting Minidump files (without MiniDumpWriteDump!!!)
-
Updated
May 7, 2025 - C#
#
ntdll-unhooking
Here are 14 public repositories matching this topic...
Dump lsass using only NTAPI functions creating 3 JSON and 1 ZIP file... and generate the MiniDump file later!
-
Updated
May 9, 2025 - C#
Bypass Credential Guard by patching WDigest.dll using only NTAPI functions
-
Updated
Apr 8, 2025 - C++
Inline syscalls made for MSVC supporting x64 and WOW64
microsoft windows syscalls syscall-fuzzer ssdt syscall-table ntdll syscall-hook ssdt-hook syscall-hooking ntdll-unhooking win32u
-
Updated
Jul 10, 2023 - C++
A Dropper POC with a focus on aiding in EDR evasion, NTDLL Unhooking followed by loading ntdll in-memory, which is present as shellcode (using pe2shc by @hasherezade). Payload encryption via SystemFucntion033 NtApi and No new thread via Fiber
malware antivirus evasion bypass fiber dropper bypass-antivirus edr implant process-injection ntdll-unhooking systemfunction033
-
Updated
Feb 10, 2023 - C
Bypass the Event Trace Windows(ETW) and unhook ntdll.
-
Updated
Sep 29, 2023 - C
Remap ntdll.dll using only NTAPI functions with a suspended process
-
Updated
Apr 13, 2025 - C++
Overwrite ntdll.dll's ".text" section to bypass API hooking. Getting the clean dll from disk, Knowndlls folder, a debugged process or a URL
-
Updated
Jul 9, 2024 - C#
Unhooking NTDLL Without Reading It From Disk.
-
Updated
Jul 1, 2025 - C++
Collection of remote shellcode Loaders using Early Bird APC Injection, windows native api, low level utilities and stealth techniques.
queue asynchronous dll-injection shellcode malware-analysis apc shellcode-loader ntdll dll-injector trojan-rat process-injection early-bird shellcode-injection apc-injection ntdll-unhooking
-
Updated
Apr 23, 2026 - C
Overwrite ntdll.dll's ".text" section to bypass API hooking. Getting the clean dll from disk, Knowndlls folder or a debugged process
-
Updated
Jul 9, 2024 - Python
Overwrite ntdll.dll's ".text" section to bypass API hooking. Getting the clean dll from disk, Knowndlls folder or a debugged process
-
Updated
Jul 10, 2024 - Go
A demonstration of secure memory section creation and mapping using Windows native APIs, with integrity checks and safe memory modifications.
-
Updated
Apr 19, 2026 - C++
The project consists of a service that utilizes advanced techniques to inject a Payload into its own process, specifically the Windows RuntimeBroker.exe
c windows system service assembly x64 malware windows-service malware-research malware-development anti-debugging ntdll earlybird anti-debugger ppid-spoofing syswhisper ntdll-unhooking dllblockpolicy
-
Updated
Jul 3, 2024 - C
Improve this page
Add a description, image, and links to the ntdll-unhooking topic page so that developers can more easily learn about it.
Add this topic to your repo
To associate your repository with the ntdll-unhooking topic, visit your repo's landing page and select "manage topics."