Project to check which Nt/Zw functions your local EDR is hooking

Overview

Probatorum EDR Userland Hook Checker

Probatorum will check which Nt/Zw functions your local EDR is hooking. Most credit for this code goes to SolomonSklash, who has great blogs on a variety of security topics (https://www.solomonsklash.io). He wrote most of this code; I just cleaned it up a bit.

Disclaimer

DO NOT use this project for purposes other than legitimate red teaming/pentesting jobs, or research. DO NOT use this for illegal activity of any kind, and know that this project is intended for research purposes and to help advance the missions of both red and blue teams.

Purpose

EDR_Userland_Hook_Checker is designed to provide a list of Nt/Zw functions which are hooked by your local EDR. You can either compile the included project yourself, or run the pre-compiled binary at /EDR_Userland_Hook_Checker/Hook_Checker/x64/Debug/Hook_Checker.exe. I recommend compiling it yourself as a Release build.

Once compiled, simply run the resulting .exe on your local Windows endpoint which is being monitored by EDR.

NOTE: Some functions (at least on Windows 10) will be reported as hooked without actually being hooked: they are simply redirects, meaning the function body does not live inside ntdll directly, so its first bytes are not the usual syscall stub. You can confirm this with WinDbg.

These 7 functions on Windows 10 are:

ZwQuerySystemTime
NtdllDialogWndProc_W
NtdllDialogWndProc_A
NtdllDefWindowProc_W
NtdllDefWindowProc_A
NtQuerySystemTime
NtGetTickCount

Requirements

I built this tool with Visual Studio 2019.

Methodology

On x64, an unhooked Nt/Zw syscall stub in ntdll begins with the four bytes 0x4C, 0x8B, 0xD1, 0xB8 (mov r10, rcx followed by the opcode of mov eax, <syscall number>). When these bytes are NOT at the beginning of an Nt/Zw function, either the function has been hooked (the bytes have been overwritten with a jmp instruction or some other bytes) OR the function is redirected elsewhere and does not actually live inside ntdll. If a hooked function is found, the first few bytes of the function are printed so you can inspect them.
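As an added illustration of the Methodology check and of the redirect caveat above (this is example code written for this README, not the project's own code), the following C compares a function's first bytes against the stub prologue and then decodes the first instruction so that a "HAS been hooked" hit can be triaged: an E9 jmp whose target still lies inside ntdll's own image is an in-image redirect, an E9 jmp that leaves the image is what an inline hook trampoline looks like, and FF 25 is the jmp [rip+disp32] form seen on the forwarded NtdllDefWindowProc/NtdllDialogWndProc exports. The byte dumps are copied from the sample output below; the clean stub, the function offset 0x9D2A0 and the image size 0x1F0000 are constructed values, and the module base reuses the pLocalDllAddress shown in the sample output.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Prologue of an unhooked x64 Nt/Zw syscall stub in ntdll (the four bytes the
 * Methodology section checks): 4C 8B D1 = mov r10, rcx; B8 = mov eax, imm32.
 * Only the B8 opcode is fixed; the imm32 (syscall number) differs per function. */
static const uint8_t STUB_PROLOGUE[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };

typedef enum {
    STUB_CLEAN,        /* prologue intact */
    STUB_JMP_REL32,    /* E9 rel32: inline jmp (hook trampoline or in-image redirect) */
    STUB_JMP_INDIRECT, /* FF 25 disp32: jmp [rip+disp32], typical of forwarded exports */
    STUB_OTHER         /* anything else: an ordinary function body or an unknown patch */
} stub_kind;

/* The page's check: hooked (or redirected) if the first four bytes differ. */
bool is_hooked(const uint8_t *code, size_t len)
{
    if (len < sizeof STUB_PROLOGUE)
        return true;
    return memcmp(code, STUB_PROLOGUE, sizeof STUB_PROLOGUE) != 0;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Syscall number of a clean stub (the imm32 after B8), or -1 if the prologue is not intact. */
int64_t syscall_number(const uint8_t *code, size_t len)
{
    if (len < 8 || is_hooked(code, len))
        return -1;
    return (int64_t)le32(code + 4);
}

/* Decode the first instruction so a "HAS been hooked" hit can be triaged. */
stub_kind classify(const uint8_t *code, size_t len)
{
    if (!is_hooked(code, len))
        return STUB_CLEAN;
    if (len >= 5 && code[0] == 0xE9)
        return STUB_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return STUB_JMP_INDIRECT;
    return STUB_OTHER;
}

/* Absolute target of an E9 jmp located at func_addr (address of the next
 * instruction plus the sign-extended rel32), or 0 if the bytes are not an E9 jmp. */
uint64_t jmp_rel32_target(uint64_t func_addr, const uint8_t *code, size_t len)
{
    if (classify(code, len) != STUB_JMP_REL32)
        return 0;
    int32_t rel = (int32_t)le32(code + 1);   /* two's-complement reinterpretation */
    return (uint64_t)((int64_t)(func_addr + 5) + rel);
}

/* A target inside [base, base + size) is a redirect within ntdll itself, like the
 * seven Windows 10 functions listed above; one outside the image is what an EDR
 * trampoline into its own DLL looks like. */
bool inside_module(uint64_t addr, uint64_t base, uint64_t size)
{
    return addr >= base && addr - base < size;
}

/* Byte dumps copied from the sample output in this README. */
static const uint8_t NT_GET_TICK_COUNT[] =
    { 0xB9, 0x20, 0x03, 0xFE, 0x7F, 0x48, 0x8B, 0x09, 0x8B, 0x04, 0x25, 0x04, 0x00, 0xFE, 0x7F, 0x48 };
static const uint8_t NT_QUERY_SYSTEM_TIME[] =
    { 0xE9, 0xCB, 0xB3, 0xFD, 0xFF, 0x66, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t NTDLL_DEF_WINDOW_PROC_A[] =
    { 0xFF, 0x25, 0xDA, 0x91, 0x0D, 0x00, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00 };
/* Constructed clean stub: the prologue, syscall number 0x5B (the number that follows
 * 4C 8B D1 B8 later in the NtQuerySystemTime dump) and a made-up tail. */
static const uint8_t CLEAN_STUB[] =
    { 0x4C, 0x8B, 0xD1, 0xB8, 0x5B, 0x00, 0x00, 0x00, 0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01 };

/* Constructed layout: base taken from pLocalDllAddress in the sample output; the
 * function offset and image size are assumptions made for this demonstration. */
#define NTDLL_BASE 0x00007FFCFFD50000ULL
#define NTDLL_SIZE 0x1F0000ULL
#define FUNC_OFF   0x9D2A0ULL

int main(void)
{
    printf("NtGetTickCount       kind=%d (other)\n", classify(NT_GET_TICK_COUNT, sizeof NT_GET_TICK_COUNT));
    printf("NtdllDefWindowProc_A kind=%d (jmp [rip+disp32])\n",
           classify(NTDLL_DEF_WINDOW_PROC_A, sizeof NTDLL_DEF_WINDOW_PROC_A));
    printf("clean stub           kind=%d syscall number 0x%llx\n", classify(CLEAN_STUB, sizeof CLEAN_STUB),
           (unsigned long long)syscall_number(CLEAN_STUB, sizeof CLEAN_STUB));
    uint64_t target = jmp_rel32_target(NTDLL_BASE + FUNC_OFF, NT_QUERY_SYSTEM_TIME, sizeof NT_QUERY_SYSTEM_TIME);
    printf("NtQuerySystemTime    jmp rel32 -> 0x%016llx (%s ntdll)\n", (unsigned long long)target,
           inside_module(target, NTDLL_BASE, NTDLL_SIZE) ? "inside" : "outside");
    return 0;
}
```

On a real endpoint the byte arrays would be replaced by the first bytes read from each export of the loaded ntdll, and the module base and size by the values from the loaded image's headers; the decision logic itself does not change. Classifying the first instruction and checking where an E9 jump lands is the quick way to separate the seven Windows 10 redirects from a genuine EDR trampoline before opening WinDbg.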

Output for a clean (no EDR) Windows 10 VM looks like:

[*] pMappedDllAddress 0x000001FFD3E20000
[*] pLocalDllAddress  0x00007FFCFFD50000
        [*]NtAcceptConnectPort has NOT been hooked!
        [*]NtAccessCheck has NOT been hooked!
        [*]NtAccessCheckAndAuditAlarm has NOT been hooked!
        [*]NtAccessCheckByType has NOT been hooked!
        [*]NtAccessCheckByTypeAndAuditAlarm has NOT been hooked!
        [*]NtAccessCheckByTypeResultList has NOT been hooked!
        [*]NtAccessCheckByTypeResultListAndAuditAlarm has NOT been hooked!
        [*]NtAccessCheckByTypeResultListAndAuditAlarmByHandle has NOT been hooked!
        [*]NtAcquireProcessActivityReference has NOT been hooked!
        [*]NtAddAtom has NOT been hooked!
        [*]NtAddAtomEx has NOT been hooked!
        [*]NtAddBootEntry has NOT been hooked!
        [*]NtAddDriverEntry has NOT been hooked!
        [*]NtAdjustGroupsToken has NOT been hooked!
        [*]NtAdjustPrivilegesToken has NOT been hooked!
        [*]NtAdjustTokenClaimsAndDeviceGroups has NOT been hooked!
        [*]NtAlertResumeThread has NOT been hooked!
        [*]NtAlertThread has NOT been hooked!
        [*]NtAlertThreadByThreadId has NOT been hooked!
        [*]NtAllocateLocallyUniqueId has NOT been hooked!
        [*]NtAllocateReserveObject has NOT been hooked!
        [*]NtAllocateUserPhysicalPages has NOT been hooked!
        [*]NtAllocateUuids has NOT been hooked!
        [*]NtAllocateVirtualMemory has NOT been hooked!
        [*]NtAllocateVirtualMemoryEx has NOT been hooked!
        [*]NtAlpcAcceptConnectPort has NOT been hooked!
        [*]NtAlpcCancelMessage has NOT been hooked!
        [*]NtAlpcConnectPort has NOT been hooked!
        [*]NtAlpcConnectPortEx has NOT been hooked!
        [*]NtAlpcCreatePort has NOT been hooked!
        [*]NtAlpcCreatePortSection has NOT been hooked!
        [*]NtAlpcCreateResourceReserve has NOT been hooked!
        [*]NtAlpcCreateSectionView has NOT been hooked!
        [*]NtAlpcCreateSecurityContext has NOT been hooked!
        [*]NtAlpcDeletePortSection has NOT been hooked!
        [*]NtAlpcDeleteResourceReserve has NOT been hooked!
        [*]NtAlpcDeleteSectionView has NOT been hooked!
        [*]NtAlpcDeleteSecurityContext has NOT been hooked!
        [*]NtAlpcDisconnectPort has NOT been hooked!
        [*]NtAlpcImpersonateClientContainerOfPort has NOT been hooked!
        [*]NtAlpcImpersonateClientOfPort has NOT been hooked!
        [*]NtAlpcOpenSenderProcess has NOT been hooked!
        [*]NtAlpcOpenSenderThread has NOT been hooked!
        [*]NtAlpcQueryInformation has NOT been hooked!
        [*]NtAlpcQueryInformationMessage has NOT been hooked!
        [*]NtAlpcRevokeSecurityContext has NOT been hooked!
        [*]NtAlpcSendWaitReceivePort has NOT been hooked!
        [*]NtAlpcSetInformation has NOT been hooked!
        [*]NtApphelpCacheControl has NOT been hooked!
        [*]NtAreMappedFilesTheSame has NOT been hooked!
        [*]NtAssignProcessToJobObject has NOT been hooked!
        [*]NtAssociateWaitCompletionPacket has NOT been hooked!
        [*]NtCallEnclave has NOT been hooked!
        [*]NtCallbackReturn has NOT been hooked!
        [*]NtCancelIoFile has NOT been hooked!
        [*]NtCancelIoFileEx has NOT been hooked!
        [*]NtCancelSynchronousIoFile has NOT been hooked!
        [*]NtCancelTimer has NOT been hooked!
        [*]NtCancelTimer2 has NOT been hooked!
        [*]NtCancelWaitCompletionPacket has NOT been hooked!
        [*]NtClearEvent has NOT been hooked!
        [*]NtClose has NOT been hooked!
        [*]NtCloseObjectAuditAlarm has NOT been hooked!
        [*]NtCommitComplete has NOT been hooked!
        [*]NtCommitEnlistment has NOT been hooked!
        [*]NtCommitRegistryTransaction has NOT been hooked!
        [*]NtCommitTransaction has NOT been hooked!
        [*]NtCompactKeys has NOT been hooked!
        [*]NtCompareObjects has NOT been hooked!
        [*]NtCompareSigningLevels has NOT been hooked!
        [*]NtCompareTokens has NOT been hooked!
        [*]NtCompleteConnectPort has NOT been hooked!
        [*]NtCompressKey has NOT been hooked!
        [*]NtConnectPort has NOT been hooked!
        [*]NtContinue has NOT been hooked!
        [*]NtConvertBetweenAuxiliaryCounterAndPerformanceCounter has NOT been hooked!
        [*]NtCreateDebugObject has NOT been hooked!
        [*]NtCreateDirectoryObject has NOT been hooked!
        [*]NtCreateDirectoryObjectEx has NOT been hooked!
        [*]NtCreateEnclave has NOT been hooked!
        [*]NtCreateEnlistment has NOT been hooked!
        [*]NtCreateEvent has NOT been hooked!
        [*]NtCreateEventPair has NOT been hooked!
        [*]NtCreateFile has NOT been hooked!
        [*]NtCreateIRTimer has NOT been hooked!
        [*]NtCreateIoCompletion has NOT been hooked!
        [*]NtCreateJobObject has NOT been hooked!
        [*]NtCreateJobSet has NOT been hooked!
        [*]NtCreateKey has NOT been hooked!
        [*]NtCreateKeyTransacted has NOT been hooked!
        [*]NtCreateKeyedEvent has NOT been hooked!
        [*]NtCreateLowBoxToken has NOT been hooked!
        [*]NtCreateMailslotFile has NOT been hooked!
        [*]NtCreateMutant has NOT been hooked!
        [*]NtCreateNamedPipeFile has NOT been hooked!
        [*]NtCreatePagingFile has NOT been hooked!
        [*]NtCreatePartition has NOT been hooked!
        [*]NtCreatePort has NOT been hooked!
        [*]NtCreatePrivateNamespace has NOT been hooked!
        [*]NtCreateProcess has NOT been hooked!
        [*]NtCreateProcessEx has NOT been hooked!
        [*]NtCreateProfile has NOT been hooked!
        [*]NtCreateProfileEx has NOT been hooked!
        [*]NtCreateRegistryTransaction has NOT been hooked!
        [*]NtCreateResourceManager has NOT been hooked!
        [*]NtCreateSection has NOT been hooked!
        [*]NtCreateSectionEx has NOT been hooked!
        [*]NtCreateSemaphore has NOT been hooked!
        [*]NtCreateSymbolicLinkObject has NOT been hooked!
        [*]NtCreateThread has NOT been hooked!
        [*]NtCreateThreadEx has NOT been hooked!
        [*]NtCreateTimer has NOT been hooked!
        [*]NtCreateTimer2 has NOT been hooked!
        [*]NtCreateToken has NOT been hooked!
        [*]NtCreateTokenEx has NOT been hooked!
        [*]NtCreateTransaction has NOT been hooked!
        [*]NtCreateTransactionManager has NOT been hooked!
        [*]NtCreateUserProcess has NOT been hooked!
        [*]NtCreateWaitCompletionPacket has NOT been hooked!
        [*]NtCreateWaitablePort has NOT been hooked!
        [*]NtCreateWnfStateName has NOT been hooked!
        [*]NtCreateWorkerFactory has NOT been hooked!
        [*]NtDebugActiveProcess has NOT been hooked!
        [*]NtDebugContinue has NOT been hooked!
        [*]NtDelayExecution has NOT been hooked!
        [*]NtDeleteAtom has NOT been hooked!
        [*]NtDeleteBootEntry has NOT been hooked!
        [*]NtDeleteDriverEntry has NOT been hooked!
        [*]NtDeleteFile has NOT been hooked!
        [*]NtDeleteKey has NOT been hooked!
        [*]NtDeleteObjectAuditAlarm has NOT been hooked!
        [*]NtDeletePrivateNamespace has NOT been hooked!
        [*]NtDeleteValueKey has NOT been hooked!
        [*]NtDeleteWnfStateData has NOT been hooked!
        [*]NtDeleteWnfStateName has NOT been hooked!
        [*]NtDeviceIoControlFile has NOT been hooked!
        [*]NtDisableLastKnownGood has NOT been hooked!
        [*]NtDisplayString has NOT been hooked!
        [*]NtDrawText has NOT been hooked!
        [*]NtDuplicateObject has NOT been hooked!
        [*]NtDuplicateToken has NOT been hooked!
        [*]NtEnableLastKnownGood has NOT been hooked!
        [*]NtEnumerateBootEntries has NOT been hooked!
        [*]NtEnumerateDriverEntries has NOT been hooked!
        [*]NtEnumerateKey has NOT been hooked!
        [*]NtEnumerateSystemEnvironmentValuesEx has NOT been hooked!
        [*]NtEnumerateTransactionObject has NOT been hooked!
        [*]NtEnumerateValueKey has NOT been hooked!
        [*]NtExtendSection has NOT been hooked!
        [*]NtFilterBootOption has NOT been hooked!
        [*]NtFilterToken has NOT been hooked!
        [*]NtFilterTokenEx has NOT been hooked!
        [*]NtFindAtom has NOT been hooked!
        [*]NtFlushBuffersFile has NOT been hooked!
        [*]NtFlushBuffersFileEx has NOT been hooked!
        [*]NtFlushInstallUILanguage has NOT been hooked!
        [*]NtFlushInstructionCache has NOT been hooked!
        [*]NtFlushKey has NOT been hooked!
        [*]NtFlushProcessWriteBuffers has NOT been hooked!
        [*]NtFlushVirtualMemory has NOT been hooked!
        [*]NtFlushWriteBuffer has NOT been hooked!
        [*]NtFreeUserPhysicalPages has NOT been hooked!
        [*]NtFreeVirtualMemory has NOT been hooked!
        [*]NtFreezeRegistry has NOT been hooked!
        [*]NtFreezeTransactions has NOT been hooked!
        [*]NtFsControlFile has NOT been hooked!
        [*]NtGetCachedSigningLevel has NOT been hooked!
        [*]NtGetCompleteWnfStateSubscription has NOT been hooked!
        [*]NtGetContextThread has NOT been hooked!
        [*]NtGetCurrentProcessorNumber has NOT been hooked!
        [*]NtGetCurrentProcessorNumberEx has NOT been hooked!
        [*]NtGetDevicePowerState has NOT been hooked!
        [*]NtGetMUIRegistryInfo has NOT been hooked!
        [*]NtGetNextProcess has NOT been hooked!
        [*]NtGetNextThread has NOT been hooked!
        [*]NtGetNlsSectionPtr has NOT been hooked!
        [*]NtGetNotificationResourceManager has NOT been hooked!
        [*] NtGetTickCount HAS been hooked!
                B9 20 03 FE 7F 48 8B 09 8B 04 25 04 00 FE 7F 48 0F AF C1 48 C1 E8 18 C3 CC
        [*]NtGetWriteWatch has NOT been hooked!
        [*]NtImpersonateAnonymousToken has NOT been hooked!
        [*]NtImpersonateClientOfPort has NOT been hooked!
        [*]NtImpersonateThread has NOT been hooked!
        [*]NtInitializeEnclave has NOT been hooked!
        [*]NtInitializeNlsFiles has NOT been hooked!
        [*]NtInitializeRegistry has NOT been hooked!
        [*]NtInitiatePowerAction has NOT been hooked!
        [*]NtIsProcessInJob has NOT been hooked!
        [*]NtIsSystemResumeAutomatic has NOT been hooked!
        [*]NtIsUILanguageComitted has NOT been hooked!
        [*]NtListenPort has NOT been hooked!
        [*]NtLoadDriver has NOT been hooked!
        [*]NtLoadEnclaveData has NOT been hooked!
        [*]NtLoadKey has NOT been hooked!
        [*]NtLoadKey2 has NOT been hooked!
        [*]NtLoadKey3 has NOT been hooked!
        [*]NtLoadKeyEx has NOT been hooked!
        [*]NtLockFile has NOT been hooked!
        [*]NtLockProductActivationKeys has NOT been hooked!
        [*]NtLockRegistryKey has NOT been hooked!
        [*]NtLockVirtualMemory has NOT been hooked!
        [*]NtMakePermanentObject has NOT been hooked!
        [*]NtMakeTemporaryObject has NOT been hooked!
        [*]NtManageHotPatch has NOT been hooked!
        [*]NtManagePartition has NOT been hooked!
        [*]NtMapCMFModule has NOT been hooked!
        [*]NtMapUserPhysicalPages has NOT been hooked!
        [*]NtMapUserPhysicalPagesScatter has NOT been hooked!
        [*]NtMapViewOfSection has NOT been hooked!
        [*]NtMapViewOfSectionEx has NOT been hooked!
        [*]NtModifyBootEntry has NOT been hooked!
        [*]NtModifyDriverEntry has NOT been hooked!
        [*]NtNotifyChangeDirectoryFile has NOT been hooked!
        [*]NtNotifyChangeDirectoryFileEx has NOT been hooked!
        [*]NtNotifyChangeKey has NOT been hooked!
        [*]NtNotifyChangeMultipleKeys has NOT been hooked!
        [*]NtNotifyChangeSession has NOT been hooked!
        [*]NtOpenDirectoryObject has NOT been hooked!
        [*]NtOpenEnlistment has NOT been hooked!
        [*]NtOpenEvent has NOT been hooked!
        [*]NtOpenEventPair has NOT been hooked!
        [*]NtOpenFile has NOT been hooked!
        [*]NtOpenIoCompletion has NOT been hooked!
        [*]NtOpenJobObject has NOT been hooked!
        [*]NtOpenKey has NOT been hooked!
        [*]NtOpenKeyEx has NOT been hooked!
        [*]NtOpenKeyTransacted has NOT been hooked!
        [*]NtOpenKeyTransactedEx has NOT been hooked!
        [*]NtOpenKeyedEvent has NOT been hooked!
        [*]NtOpenMutant has NOT been hooked!
        [*]NtOpenObjectAuditAlarm has NOT been hooked!
        [*]NtOpenPartition has NOT been hooked!
        [*]NtOpenPrivateNamespace has NOT been hooked!
        [*]NtOpenProcess has NOT been hooked!
        [*]NtOpenProcessToken has NOT been hooked!
        [*]NtOpenProcessTokenEx has NOT been hooked!
        [*]NtOpenRegistryTransaction has NOT been hooked!
        [*]NtOpenResourceManager has NOT been hooked!
        [*]NtOpenSection has NOT been hooked!
        [*]NtOpenSemaphore has NOT been hooked!
        [*]NtOpenSession has NOT been hooked!
        [*]NtOpenSymbolicLinkObject has NOT been hooked!
        [*]NtOpenThread has NOT been hooked!
        [*]NtOpenThreadToken has NOT been hooked!
        [*]NtOpenThreadTokenEx has NOT been hooked!
        [*]NtOpenTimer has NOT been hooked!
        [*]NtOpenTransaction has NOT been hooked!
        [*]NtOpenTransactionManager has NOT been hooked!
        [*]NtPlugPlayControl has NOT been hooked!
        [*]NtPowerInformation has NOT been hooked!
        [*]NtPrePrepareComplete has NOT been hooked!
        [*]NtPrePrepareEnlistment has NOT been hooked!
        [*]NtPrepareComplete has NOT been hooked!
        [*]NtPrepareEnlistment has NOT been hooked!
        [*]NtPrivilegeCheck has NOT been hooked!
        [*]NtPrivilegeObjectAuditAlarm has NOT been hooked!
        [*]NtPrivilegedServiceAuditAlarm has NOT been hooked!
        [*]NtPropagationComplete has NOT been hooked!
        [*]NtPropagationFailed has NOT been hooked!
        [*]NtProtectVirtualMemory has NOT been hooked!
        [*]NtPulseEvent has NOT been hooked!
        [*]NtQueryAttributesFile has NOT been hooked!
        [*]NtQueryAuxiliaryCounterFrequency has NOT been hooked!
        [*]NtQueryBootEntryOrder has NOT been hooked!
        [*]NtQueryBootOptions has NOT been hooked!
        [*]NtQueryDebugFilterState has NOT been hooked!
        [*]NtQueryDefaultLocale has NOT been hooked!
        [*]NtQueryDefaultUILanguage has NOT been hooked!
        [*]NtQueryDirectoryFile has NOT been hooked!
        [*]NtQueryDirectoryFileEx has NOT been hooked!
        [*]NtQueryDirectoryObject has NOT been hooked!
        [*]NtQueryDriverEntryOrder has NOT been hooked!
        [*]NtQueryEaFile has NOT been hooked!
        [*]NtQueryEvent has NOT been hooked!
        [*]NtQueryFullAttributesFile has NOT been hooked!
        [*]NtQueryInformationAtom has NOT been hooked!
        [*]NtQueryInformationByName has NOT been hooked!
        [*]NtQueryInformationEnlistment has NOT been hooked!
        [*]NtQueryInformationFile has NOT been hooked!
        [*]NtQueryInformationJobObject has NOT been hooked!
        [*]NtQueryInformationPort has NOT been hooked!
        [*]NtQueryInformationProcess has NOT been hooked!
        [*]NtQueryInformationResourceManager has NOT been hooked!
        [*]NtQueryInformationThread has NOT been hooked!
        [*]NtQueryInformationToken has NOT been hooked!
        [*]NtQueryInformationTransaction has NOT been hooked!
        [*]NtQueryInformationTransactionManager has NOT been hooked!
        [*]NtQueryInformationWorkerFactory has NOT been hooked!
        [*]NtQueryInstallUILanguage has NOT been hooked!
        [*]NtQueryIntervalProfile has NOT been hooked!
        [*]NtQueryIoCompletion has NOT been hooked!
        [*]NtQueryKey has NOT been hooked!
        [*]NtQueryLicenseValue has NOT been hooked!
        [*]NtQueryMultipleValueKey has NOT been hooked!
        [*]NtQueryMutant has NOT been hooked!
        [*]NtQueryObject has NOT been hooked!
        [*]NtQueryOpenSubKeys has NOT been hooked!
        [*]NtQueryOpenSubKeysEx has NOT been hooked!
        [*]NtQueryPerformanceCounter has NOT been hooked!
        [*]NtQueryPortInformationProcess has NOT been hooked!
        [*]NtQueryQuotaInformationFile has NOT been hooked!
        [*]NtQuerySection has NOT been hooked!
        [*]NtQuerySecurityAttributesToken has NOT been hooked!
        [*]NtQuerySecurityObject has NOT been hooked!
        [*]NtQuerySecurityPolicy has NOT been hooked!
        [*]NtQuerySemaphore has NOT been hooked!
        [*]NtQuerySymbolicLinkObject has NOT been hooked!
        [*]NtQuerySystemEnvironmentValue has NOT been hooked!
        [*]NtQuerySystemEnvironmentValueEx has NOT been hooked!
        [*]NtQuerySystemInformation has NOT been hooked!
        [*]NtQuerySystemInformationEx has NOT been hooked!
        [*] NtQuerySystemTime HAS been hooked!
                E9 CB B3 FD FF 66 66 66 0F 1F 84 00 00 00 00 00 4C 8B D1 B8 5B 00 00 00 F6
        [*]NtQueryTimer has NOT been hooked!
        [*]NtQueryTimerResolution has NOT been hooked!
        [*]NtQueryValueKey has NOT been hooked!
        [*]NtQueryVirtualMemory has NOT been hooked!
        [*]NtQueryVolumeInformationFile has NOT been hooked!
        [*]NtQueryWnfStateData has NOT been hooked!
        [*]NtQueryWnfStateNameInformation has NOT been hooked!
        [*]NtQueueApcThread has NOT been hooked!
        [*]NtQueueApcThreadEx has NOT been hooked!
        [*]NtRaiseException has NOT been hooked!
        [*]NtRaiseHardError has NOT been hooked!
        [*]NtReadFile has NOT been hooked!
        [*]NtReadFileScatter has NOT been hooked!
        [*]NtReadOnlyEnlistment has NOT been hooked!
        [*]NtReadRequestData has NOT been hooked!
        [*]NtReadVirtualMemory has NOT been hooked!
        [*]NtRecoverEnlistment has NOT been hooked!
        [*]NtRecoverResourceManager has NOT been hooked!
        [*]NtRecoverTransactionManager has NOT been hooked!
        [*]NtRegisterProtocolAddressInformation has NOT been hooked!
        [*]NtRegisterThreadTerminatePort has NOT been hooked!
        [*]NtReleaseKeyedEvent has NOT been hooked!
        [*]NtReleaseMutant has NOT been hooked!
        [*]NtReleaseSemaphore has NOT been hooked!
        [*]NtReleaseWorkerFactoryWorker has NOT been hooked!
        [*]NtRemoveIoCompletion has NOT been hooked!
        [*]NtRemoveIoCompletionEx has NOT been hooked!
        [*]NtRemoveProcessDebug has NOT been hooked!
        [*]NtRenameKey has NOT been hooked!
        [*]NtRenameTransactionManager has NOT been hooked!
        [*]NtReplaceKey has NOT been hooked!
        [*]NtReplacePartitionUnit has NOT been hooked!
        [*]NtReplyPort has NOT been hooked!
        [*]NtReplyWaitReceivePort has NOT been hooked!
        [*]NtReplyWaitReceivePortEx has NOT been hooked!
        [*]NtReplyWaitReplyPort has NOT been hooked!
        [*]NtRequestPort has NOT been hooked!
        [*]NtRequestWaitReplyPort has NOT been hooked!
        [*]NtResetEvent has NOT been hooked!
        [*]NtResetWriteWatch has NOT been hooked!
        [*]NtRestoreKey has NOT been hooked!
        [*]NtResumeProcess has NOT been hooked!
        [*]NtResumeThread has NOT been hooked!
        [*]NtRevertContainerImpersonation has NOT been hooked!
        [*]NtRollbackComplete has NOT been hooked!
        [*]NtRollbackEnlistment has NOT been hooked!
        [*]NtRollbackRegistryTransaction has NOT been hooked!
        [*]NtRollbackTransaction has NOT been hooked!
        [*]NtRollforwardTransactionManager has NOT been hooked!
        [*]NtSaveKey has NOT been hooked!
        [*]NtSaveKeyEx has NOT been hooked!
        [*]NtSaveMergedKeys has NOT been hooked!
        [*]NtSecureConnectPort has NOT been hooked!
        [*]NtSerializeBoot has NOT been hooked!
        [*]NtSetBootEntryOrder has NOT been hooked!
        [*]NtSetBootOptions has NOT been hooked!
        [*]NtSetCachedSigningLevel has NOT been hooked!
        [*]NtSetCachedSigningLevel2 has NOT been hooked!
        [*]NtSetContextThread has NOT been hooked!
        [*]NtSetDebugFilterState has NOT been hooked!
        [*]NtSetDefaultHardErrorPort has NOT been hooked!
        [*]NtSetDefaultLocale has NOT been hooked!
        [*]NtSetDefaultUILanguage has NOT been hooked!
        [*]NtSetDriverEntryOrder has NOT been hooked!
        [*]NtSetEaFile has NOT been hooked!
        [*]NtSetEvent has NOT been hooked!
        [*]NtSetEventBoostPriority has NOT been hooked!
        [*]NtSetHighEventPair has NOT been hooked!
        [*]NtSetHighWaitLowEventPair has NOT been hooked!
        [*]NtSetIRTimer has NOT been hooked!
        [*]NtSetInformationDebugObject has NOT been hooked!
        [*]NtSetInformationEnlistment has NOT been hooked!
        [*]NtSetInformationFile has NOT been hooked!
        [*]NtSetInformationJobObject has NOT been hooked!
        [*]NtSetInformationKey has NOT been hooked!
        [*]NtSetInformationObject has NOT been hooked!
        [*]NtSetInformationProcess has NOT been hooked!
        [*]NtSetInformationResourceManager has NOT been hooked!
        [*]NtSetInformationSymbolicLink has NOT been hooked!
        [*]NtSetInformationThread has NOT been hooked!
        [*]NtSetInformationToken has NOT been hooked!
        [*]NtSetInformationTransaction has NOT been hooked!
        [*]NtSetInformationTransactionManager has NOT been hooked!
        [*]NtSetInformationVirtualMemory has NOT been hooked!
        [*]NtSetInformationWorkerFactory has NOT been hooked!
        [*]NtSetIntervalProfile has NOT been hooked!
        [*]NtSetIoCompletion has NOT been hooked!
        [*]NtSetIoCompletionEx has NOT been hooked!
        [*]NtSetLdtEntries has NOT been hooked!
        [*]NtSetLowEventPair has NOT been hooked!
        [*]NtSetLowWaitHighEventPair has NOT been hooked!
        [*]NtSetQuotaInformationFile has NOT been hooked!
        [*]NtSetSecurityObject has NOT been hooked!
        [*]NtSetSystemEnvironmentValue has NOT been hooked!
        [*]NtSetSystemEnvironmentValueEx has NOT been hooked!
        [*]NtSetSystemInformation has NOT been hooked!
        [*]NtSetSystemPowerState has NOT been hooked!
        [*]NtSetSystemTime has NOT been hooked!
        [*]NtSetThreadExecutionState has NOT been hooked!
        [*]NtSetTimer has NOT been hooked!
        [*]NtSetTimer2 has NOT been hooked!
        [*]NtSetTimerEx has NOT been hooked!
        [*]NtSetTimerResolution has NOT been hooked!
        [*]NtSetUuidSeed has NOT been hooked!
        [*]NtSetValueKey has NOT been hooked!
        [*]NtSetVolumeInformationFile has NOT been hooked!
        [*]NtSetWnfProcessNotificationEvent has NOT been hooked!
        [*]NtShutdownSystem has NOT been hooked!
        [*]NtShutdownWorkerFactory has NOT been hooked!
        [*]NtSignalAndWaitForSingleObject has NOT been hooked!
        [*]NtSinglePhaseReject has NOT been hooked!
        [*]NtStartProfile has NOT been hooked!
        [*]NtStopProfile has NOT been hooked!
        [*]NtSubscribeWnfStateChange has NOT been hooked!
        [*]NtSuspendProcess has NOT been hooked!
        [*]NtSuspendThread has NOT been hooked!
        [*]NtSystemDebugControl has NOT been hooked!
        [*]NtTerminateEnclave has NOT been hooked!
        [*]NtTerminateJobObject has NOT been hooked!
        [*]NtTerminateProcess has NOT been hooked!
        [*]NtTerminateThread has NOT been hooked!
        [*]NtTestAlert has NOT been hooked!
        [*]NtThawRegistry has NOT been hooked!
        [*]NtThawTransactions has NOT been hooked!
        [*]NtTraceControl has NOT been hooked!
        [*]NtTraceEvent has NOT been hooked!
        [*]NtTranslateFilePath has NOT been hooked!
        [*]NtUmsThreadYield has NOT been hooked!
        [*]NtUnloadDriver has NOT been hooked!
        [*]NtUnloadKey has NOT been hooked!
        [*]NtUnloadKey2 has NOT been hooked!
        [*]NtUnloadKeyEx has NOT been hooked!
        [*]NtUnlockFile has NOT been hooked!
        [*]NtUnlockVirtualMemory has NOT been hooked!
        [*]NtUnmapViewOfSection has NOT been hooked!
        [*]NtUnmapViewOfSectionEx has NOT been hooked!
        [*]NtUnsubscribeWnfStateChange has NOT been hooked!
        [*]NtUpdateWnfStateData has NOT been hooked!
        [*]NtVdmControl has NOT been hooked!
        [*]NtWaitForAlertByThreadId has NOT been hooked!
        [*]NtWaitForDebugEvent has NOT been hooked!
        [*]NtWaitForKeyedEvent has NOT been hooked!
        [*]NtWaitForMultipleObjects has NOT been hooked!
        [*]NtWaitForMultipleObjects32 has NOT been hooked!
        [*]NtWaitForSingleObject has NOT been hooked!
        [*]NtWaitForWorkViaWorkerFactory has NOT been hooked!
        [*]NtWaitHighEventPair has NOT been hooked!
        [*]NtWaitLowEventPair has NOT been hooked!
        [*]NtWorkerFactoryWorkerReady has NOT been hooked!
        [*]NtWriteFile has NOT been hooked!
        [*]NtWriteFileGather has NOT been hooked!
        [*]NtWriteRequestData has NOT been hooked!
        [*]NtWriteVirtualMemory has NOT been hooked!
        [*]NtYieldExecution has NOT been hooked!
        [*] NtdllDefWindowProc_A HAS been hooked!
                FF 25 DA 91 0D 00 66 66 0F 1F 84 00 00 00 00 00 FF 25 8A 92 0D 00 66 66 0F
        [*] NtdllDefWindowProc_W HAS been hooked!
                FF 25 8A 92 0D 00 66 66 0F 1F 84 00 00 00 00 00 FF 25 C2 91 0D 00 66 66 0F
        [*] NtdllDialogWndProc_A HAS been hooked!
                FF 25 4A 91 0D 00 66 66 0F 1F 84 00 00 00 00 00 FF 25 FA 91 0D 00 66 66 0F
        [*] NtdllDialogWndProc_W HAS been hooked!
                FF 25 FA 91 0D 00 66 66 0F 1F 84 00 00 00 00 00 FF 25 32 91 0D 00 66 66 0F
        [*]ZwAcceptConnectPort has NOT been hooked!
        [*]ZwAccessCheck has NOT been hooked!
        [*]ZwAccessCheckAndAuditAlarm has NOT been hooked!
        [*]ZwAccessCheckByType has NOT been hooked!
        [*]ZwAccessCheckByTypeAndAuditAlarm has NOT been hooked!
        [*]ZwAccessCheckByTypeResultList has NOT been hooked!
        [*]ZwAccessCheckByTypeResultListAndAuditAlarm has NOT been hooked!
        [*]ZwAccessCheckByTypeResultListAndAuditAlarmByHandle has NOT been hooked!
        [*]ZwAcquireProcessActivityReference has NOT been hooked!
        [*]ZwAddAtom has NOT been hooked!
        [*]ZwAddAtomEx has NOT been hooked!
        [*]ZwAddBootEntry has NOT been hooked!
        [*]ZwAddDriverEntry has NOT been hooked!
        [*]ZwAdjustGroupsToken has NOT been hooked!
        [*]ZwAdjustPrivilegesToken has NOT been hooked!
        [*]ZwAdjustTokenClaimsAndDeviceGroups has NOT been hooked!
        [*]ZwAlertResumeThread has NOT been hooked!
        [*]ZwAlertThread has NOT been hooked!
        [*]ZwAlertThreadByThreadId has NOT been hooked!
        [*]ZwAllocateLocallyUniqueId has NOT been hooked!
        [*]ZwAllocateReserveObject has NOT been hooked!
        [*]ZwAllocateUserPhysicalPages has NOT been hooked!
        [*]ZwAllocateUuids has NOT been hooked!
        [*]ZwAllocateVirtualMemory has NOT been hooked!
        [*]ZwAllocateVirtualMemoryEx has NOT been hooked!
        [*]ZwAlpcAcceptConnectPort has NOT been hooked!
        [*]ZwAlpcCancelMessage has NOT been hooked!
        [*]ZwAlpcConnectPort has NOT been hooked!
        [*]ZwAlpcConnectPortEx has NOT been hooked!
        [*]ZwAlpcCreatePort has NOT been hooked!
        [*]ZwAlpcCreatePortSection has NOT been hooked!
        [*]ZwAlpcCreateResourceReserve has NOT been hooked!
        [*]ZwAlpcCreateSectionView has NOT been hooked!
        [*]ZwAlpcCreateSecurityContext has NOT been hooked!
        [*]ZwAlpcDeletePortSection has NOT been hooked!
        [*]ZwAlpcDeleteResourceReserve has NOT been hooked!
        [*]ZwAlpcDeleteSectionView has NOT been hooked!
        [*]ZwAlpcDeleteSecurityContext has NOT been hooked!
        [*]ZwAlpcDisconnectPort has NOT been hooked!
        [*]ZwAlpcImpersonateClientContainerOfPort has NOT been hooked!
        [*]ZwAlpcImpersonateClientOfPort has NOT been hooked!
        [*]ZwAlpcOpenSenderProcess has NOT been hooked!
        [*]ZwAlpcOpenSenderThread has NOT been hooked!
        [*]ZwAlpcQueryInformation has NOT been hooked!
        [*]ZwAlpcQueryInformationMessage has NOT been hooked!
        [*]ZwAlpcRevokeSecurityContext has NOT been hooked!
        [*]ZwAlpcSendWaitReceivePort has NOT been hooked!
        [*]ZwAlpcSetInformation has NOT been hooked!
        [*]ZwApphelpCacheControl has NOT been hooked!
        [*]ZwAreMappedFilesTheSame has NOT been hooked!
        [*]ZwAssignProcessToJobObject has NOT been hooked!
        [*]ZwAssociateWaitCompletionPacket has NOT been hooked!
        [*]ZwCallEnclave has NOT been hooked!
        [*]ZwCallbackReturn has NOT been hooked!
        [*]ZwCancelIoFile has NOT been hooked!
        [*]ZwCancelIoFileEx has NOT been hooked!
        [*]ZwCancelSynchronousIoFile has NOT been hooked!
        [*]ZwCancelTimer has NOT been hooked!
        [*]ZwCancelTimer2 has NOT been hooked!
        [*]ZwCancelWaitCompletionPacket has NOT been hooked!
        [*]ZwClearEvent has NOT been hooked!
        [*]ZwClose has NOT been hooked!
        [*]ZwCloseObjectAuditAlarm has NOT been hooked!
        [*]ZwCommitComplete has NOT been hooked!
        [*]ZwCommitEnlistment has NOT been hooked!
        [*]ZwCommitRegistryTransaction has NOT been hooked!
        [*]ZwCommitTransaction has NOT been hooked!
        [*]ZwCompactKeys has NOT been hooked!
        [*]ZwCompareObjects has NOT been hooked!
        [*]ZwCompareSigningLevels has NOT been hooked!
        [*]ZwCompareTokens has NOT been hooked!
        [*]ZwCompleteConnectPort has NOT been hooked!
        [*]ZwCompressKey has NOT been hooked!
        [*]ZwConnectPort has NOT been hooked!
        [*]ZwContinue has NOT been hooked!
        [*]ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter has NOT been hooked!
        [*]ZwCreateDebugObject has NOT been hooked!
        [*]ZwCreateDirectoryObject has NOT been hooked!
        [*]ZwCreateDirectoryObjectEx has NOT been hooked!
        [*]ZwCreateEnclave has NOT been hooked!
        [*]ZwCreateEnlistment has NOT been hooked!
        [*]ZwCreateEvent has NOT been hooked!
        [*]ZwCreateEventPair has NOT been hooked!
        [*]ZwCreateFile has NOT been hooked!
        [*]ZwCreateIRTimer has NOT been hooked!
        [*]ZwCreateIoCompletion has NOT been hooked!
        [*]ZwCreateJobObject has NOT been hooked!
        [*]ZwCreateJobSet has NOT been hooked!
        [*]ZwCreateKey has NOT been hooked!
        [*]ZwCreateKeyTransacted has NOT been hooked!
        [*]ZwCreateKeyedEvent has NOT been hooked!
        [*]ZwCreateLowBoxToken has NOT been hooked!
        [*]ZwCreateMailslotFile has NOT been hooked!
        [*]ZwCreateMutant has NOT been hooked!
        [*]ZwCreateNamedPipeFile has NOT been hooked!
        [*]ZwCreatePagingFile has NOT been hooked!
        [*]ZwCreatePartition has NOT been hooked!
        [*]ZwCreatePort has NOT been hooked!
        [*]ZwCreatePrivateNamespace has NOT been hooked!
        [*]ZwCreateProcess has NOT been hooked!
        [*]ZwCreateProcessEx has NOT been hooked!
        [*]ZwCreateProfile has NOT been hooked!
        [*]ZwCreateProfileEx has NOT been hooked!
        [*]ZwCreateRegistryTransaction has NOT been hooked!
        [*]ZwCreateResourceManager has NOT been hooked!
        [*]ZwCreateSection has NOT been hooked!
        [*]ZwCreateSectionEx has NOT been hooked!
        [*]ZwCreateSemaphore has NOT been hooked!
        [*]ZwCreateSymbolicLinkObject has NOT been hooked!
        [*]ZwCreateThread has NOT been hooked!
        [*]ZwCreateThreadEx has NOT been hooked!
        [*]ZwCreateTimer has NOT been hooked!
        [*]ZwCreateTimer2 has NOT been hooked!
        [*]ZwCreateToken has NOT been hooked!
        [*]ZwCreateTokenEx has NOT been hooked!
        [*]ZwCreateTransaction has NOT been hooked!
        [*]ZwCreateTransactionManager has NOT been hooked!
        [*]ZwCreateUserProcess has NOT been hooked!
        [*]ZwCreateWaitCompletionPacket has NOT been hooked!
        [*]ZwCreateWaitablePort has NOT been hooked!
        [*]ZwCreateWnfStateName has NOT been hooked!
        [*]ZwCreateWorkerFactory has NOT been hooked!
        [*]ZwDebugActiveProcess has NOT been hooked!
        [*]ZwDebugContinue has NOT been hooked!
        [*]ZwDelayExecution has NOT been hooked!
        [*]ZwDeleteAtom has NOT been hooked!
        [*]ZwDeleteBootEntry has NOT been hooked!
        [*]ZwDeleteDriverEntry has NOT been hooked!
        [*]ZwDeleteFile has NOT been hooked!
        [*]ZwDeleteKey has NOT been hooked!
        [*]ZwDeleteObjectAuditAlarm has NOT been hooked!
        [*]ZwDeletePrivateNamespace has NOT been hooked!
        [*]ZwDeleteValueKey has NOT been hooked!
        [*]ZwDeleteWnfStateData has NOT been hooked!
        [*]ZwDeleteWnfStateName has NOT been hooked!
        [*]ZwDeviceIoControlFile has NOT been hooked!
        [*]ZwDisableLastKnownGood has NOT been hooked!
        [*]ZwDisplayString has NOT been hooked!
        [*]ZwDrawText has NOT been hooked!
        [*]ZwDuplicateObject has NOT been hooked!
        [*]ZwDuplicateToken has NOT been hooked!
        [*]ZwEnableLastKnownGood has NOT been hooked!
        [*]ZwEnumerateBootEntries has NOT been hooked!
        [*]ZwEnumerateDriverEntries has NOT been hooked!
        [*]ZwEnumerateKey has NOT been hooked!
        [*]ZwEnumerateSystemEnvironmentValuesEx has NOT been hooked!
        [*]ZwEnumerateTransactionObject has NOT been hooked!
        [*]ZwEnumerateValueKey has NOT been hooked!
        [*]ZwExtendSection has NOT been hooked!
        [*]ZwFilterBootOption has NOT been hooked!
        [*]ZwFilterToken has NOT been hooked!
        [*]ZwFilterTokenEx has NOT been hooked!
        [*]ZwFindAtom has NOT been hooked!
        [*]ZwFlushBuffersFile has NOT been hooked!
        [*]ZwFlushBuffersFileEx has NOT been hooked!
        [*]ZwFlushInstallUILanguage has NOT been hooked!
        [*]ZwFlushInstructionCache has NOT been hooked!
        [*]ZwFlushKey has NOT been hooked!
        [*]ZwFlushProcessWriteBuffers has NOT been hooked!
        [*]ZwFlushVirtualMemory has NOT been hooked!
        [*]ZwFlushWriteBuffer has NOT been hooked!
        [*]ZwFreeUserPhysicalPages has NOT been hooked!
        [*]ZwFreeVirtualMemory has NOT been hooked!
        [*]ZwFreezeRegistry has NOT been hooked!
        [*]ZwFreezeTransactions has NOT been hooked!
        [*]ZwFsControlFile has NOT been hooked!
        [*]ZwGetCachedSigningLevel has NOT been hooked!
        [*]ZwGetCompleteWnfStateSubscription has NOT been hooked!
        [*]ZwGetContextThread has NOT been hooked!
        [*]ZwGetCurrentProcessorNumber has NOT been hooked!
        [*]ZwGetCurrentProcessorNumberEx has NOT been hooked!
        [*]ZwGetDevicePowerState has NOT been hooked!
        [*]ZwGetMUIRegistryInfo has NOT been hooked!
        [*]ZwGetNextProcess has NOT been hooked!
        [*]ZwGetNextThread has NOT been hooked!
        [*]ZwGetNlsSectionPtr has NOT been hooked!
        [*]ZwGetNotificationResourceManager has NOT been hooked!
        [*]ZwGetWriteWatch has NOT been hooked!
        [*]ZwImpersonateAnonymousToken has NOT been hooked!
        [*]ZwImpersonateClientOfPort has NOT been hooked!
        [*]ZwImpersonateThread has NOT been hooked!
        [*]ZwInitializeEnclave has NOT been hooked!
        [*]ZwInitializeNlsFiles has NOT been hooked!
        [*]ZwInitializeRegistry has NOT been hooked!
        [*]ZwInitiatePowerAction has NOT been hooked!
        [*]ZwIsProcessInJob has NOT been hooked!
        [*]ZwIsSystemResumeAutomatic has NOT been hooked!
        [*]ZwIsUILanguageComitted has NOT been hooked!
        [*]ZwListenPort has NOT been hooked!
        [*]ZwLoadDriver has NOT been hooked!
        [*]ZwLoadEnclaveData has NOT been hooked!
        [*]ZwLoadKey has NOT been hooked!
        [*]ZwLoadKey2 has NOT been hooked!
        [*]ZwLoadKey3 has NOT been hooked!
        [*]ZwLoadKeyEx has NOT been hooked!
        [*]ZwLockFile has NOT been hooked!
        [*]ZwLockProductActivationKeys has NOT been hooked!
        [*]ZwLockRegistryKey has NOT been hooked!
        [*]ZwLockVirtualMemory has NOT been hooked!
        [*]ZwMakePermanentObject has NOT been hooked!
        [*]ZwMakeTemporaryObject has NOT been hooked!
        [*]ZwManageHotPatch has NOT been hooked!
        [*]ZwManagePartition has NOT been hooked!
        [*]ZwMapCMFModule has NOT been hooked!
        [*]ZwMapUserPhysicalPages has NOT been hooked!
        [*]ZwMapUserPhysicalPagesScatter has NOT been hooked!
        [*]ZwMapViewOfSection has NOT been hooked!
        [*]ZwMapViewOfSectionEx has NOT been hooked!
        [*]ZwModifyBootEntry has NOT been hooked!
        [*]ZwModifyDriverEntry has NOT been hooked!
        [*]ZwNotifyChangeDirectoryFile has NOT been hooked!
        [*]ZwNotifyChangeDirectoryFileEx has NOT been hooked!
        [*]ZwNotifyChangeKey has NOT been hooked!
        [*]ZwNotifyChangeMultipleKeys has NOT been hooked!
        [*]ZwNotifyChangeSession has NOT been hooked!
        [*]ZwOpenDirectoryObject has NOT been hooked!
        [*]ZwOpenEnlistment has NOT been hooked!
        [*]ZwOpenEvent has NOT been hooked!
        [*]ZwOpenEventPair has NOT been hooked!
        [*]ZwOpenFile has NOT been hooked!
        [*]ZwOpenIoCompletion has NOT been hooked!
        [*]ZwOpenJobObject has NOT been hooked!
        [*]ZwOpenKey has NOT been hooked!
        [*]ZwOpenKeyEx has NOT been hooked!
        [*]ZwOpenKeyTransacted has NOT been hooked!
        [*]ZwOpenKeyTransactedEx has NOT been hooked!
        [*]ZwOpenKeyedEvent has NOT been hooked!
        [*]ZwOpenMutant has NOT been hooked!
        [*]ZwOpenObjectAuditAlarm has NOT been hooked!
        [*]ZwOpenPartition has NOT been hooked!
        [*]ZwOpenPrivateNamespace has NOT been hooked!
        [*]ZwOpenProcess has NOT been hooked!
        [*]ZwOpenProcessToken has NOT been hooked!
        [*]ZwOpenProcessTokenEx has NOT been hooked!
        [*]ZwOpenRegistryTransaction has NOT been hooked!
        [*]ZwOpenResourceManager has NOT been hooked!
        [*]ZwOpenSection has NOT been hooked!
        [*]ZwOpenSemaphore has NOT been hooked!
        [*]ZwOpenSession has NOT been hooked!
        [*]ZwOpenSymbolicLinkObject has NOT been hooked!
        [*]ZwOpenThread has NOT been hooked!
        [*]ZwOpenThreadToken has NOT been hooked!
        [*]ZwOpenThreadTokenEx has NOT been hooked!
        [*]ZwOpenTimer has NOT been hooked!
        [*]ZwOpenTransaction has NOT been hooked!
        [*]ZwOpenTransactionManager has NOT been hooked!
        [*]ZwPlugPlayControl has NOT been hooked!
        [*]ZwPowerInformation has NOT been hooked!
        [*]ZwPrePrepareComplete has NOT been hooked!
        [*]ZwPrePrepareEnlistment has NOT been hooked!
        [*]ZwPrepareComplete has NOT been hooked!
        [*]ZwPrepareEnlistment has NOT been hooked!
        [*]ZwPrivilegeCheck has NOT been hooked!
        [*]ZwPrivilegeObjectAuditAlarm has NOT been hooked!
        [*]ZwPrivilegedServiceAuditAlarm has NOT been hooked!
        [*]ZwPropagationComplete has NOT been hooked!
        [*]ZwPropagationFailed has NOT been hooked!
        [*]ZwProtectVirtualMemory has NOT been hooked!
        [*]ZwPulseEvent has NOT been hooked!
        [*]ZwQueryAttributesFile has NOT been hooked!
        [*]ZwQueryAuxiliaryCounterFrequency has NOT been hooked!
        [*]ZwQueryBootEntryOrder has NOT been hooked!
        [*]ZwQueryBootOptions has NOT been hooked!
        [*]ZwQueryDebugFilterState has NOT been hooked!
        [*]ZwQueryDefaultLocale has NOT been hooked!
        [*]ZwQueryDefaultUILanguage has NOT been hooked!
        [*]ZwQueryDirectoryFile has NOT been hooked!
        [*]ZwQueryDirectoryFileEx has NOT been hooked!
        [*]ZwQueryDirectoryObject has NOT been hooked!
        [*]ZwQueryDriverEntryOrder has NOT been hooked!
        [*]ZwQueryEaFile has NOT been hooked!
        [*]ZwQueryEvent has NOT been hooked!
        [*]ZwQueryFullAttributesFile has NOT been hooked!
        [*]ZwQueryInformationAtom has NOT been hooked!
        [*]ZwQueryInformationByName has NOT been hooked!
        [*]ZwQueryInformationEnlistment has NOT been hooked!
        [*]ZwQueryInformationFile has NOT been hooked!
        [*]ZwQueryInformationJobObject has NOT been hooked!
        [*]ZwQueryInformationPort has NOT been hooked!
        [*]ZwQueryInformationProcess has NOT been hooked!
        [*]ZwQueryInformationResourceManager has NOT been hooked!
        [*]ZwQueryInformationThread has NOT been hooked!
        [*]ZwQueryInformationToken has NOT been hooked!
        [*]ZwQueryInformationTransaction has NOT been hooked!
        [*]ZwQueryInformationTransactionManager has NOT been hooked!
        [*]ZwQueryInformationWorkerFactory has NOT been hooked!
        [*]ZwQueryInstallUILanguage has NOT been hooked!
        [*]ZwQueryIntervalProfile has NOT been hooked!
        [*]ZwQueryIoCompletion has NOT been hooked!
        [*]ZwQueryKey has NOT been hooked!
        [*]ZwQueryLicenseValue has NOT been hooked!
        [*]ZwQueryMultipleValueKey has NOT been hooked!
        [*]ZwQueryMutant has NOT been hooked!
        [*]ZwQueryObject has NOT been hooked!
        [*]ZwQueryOpenSubKeys has NOT been hooked!
        [*]ZwQueryOpenSubKeysEx has NOT been hooked!
        [*]ZwQueryPerformanceCounter has NOT been hooked!
        [*]ZwQueryPortInformationProcess has NOT been hooked!
        [*]ZwQueryQuotaInformationFile has NOT been hooked!
        [*]ZwQuerySection has NOT been hooked!
        [*]ZwQuerySecurityAttributesToken has NOT been hooked!
        [*]ZwQuerySecurityObject has NOT been hooked!
        [*]ZwQuerySecurityPolicy has NOT been hooked!
        [*]ZwQuerySemaphore has NOT been hooked!
        [*]ZwQuerySymbolicLinkObject has NOT been hooked!
        [*]ZwQuerySystemEnvironmentValue has NOT been hooked!
        [*]ZwQuerySystemEnvironmentValueEx has NOT been hooked!
        [*]ZwQuerySystemInformation has NOT been hooked!
        [*]ZwQuerySystemInformationEx has NOT been hooked!
        [*] ZwQuerySystemTime HAS been hooked!
                E9 CB B3 FD FF 66 66 66 0F 1F 84 00 00 00 00 00 4C 8B D1 B8 5B 00 00 00 F6
        [*]ZwQueryTimer has NOT been hooked!
        [*]ZwQueryTimerResolution has NOT been hooked!
        [*]ZwQueryValueKey has NOT been hooked!
        [*]ZwQueryVirtualMemory has NOT been hooked!
        [*]ZwQueryVolumeInformationFile has NOT been hooked!
        [*]ZwQueryWnfStateData has NOT been hooked!
        [*]ZwQueryWnfStateNameInformation has NOT been hooked!
        [*]ZwQueueApcThread has NOT been hooked!
        [*]ZwQueueApcThreadEx has NOT been hooked!
        [*]ZwRaiseException has NOT been hooked!
        [*]ZwRaiseHardError has NOT been hooked!
        [*]ZwReadFile has NOT been hooked!
        [*]ZwReadFileScatter has NOT been hooked!
        [*]ZwReadOnlyEnlistment has NOT been hooked!
        [*]ZwReadRequestData has NOT been hooked!
        [*]ZwReadVirtualMemory has NOT been hooked!
        [*]ZwRecoverEnlistment has NOT been hooked!
        [*]ZwRecoverResourceManager has NOT been hooked!
        [*]ZwRecoverTransactionManager has NOT been hooked!
        [*]ZwRegisterProtocolAddressInformation has NOT been hooked!
        [*]ZwRegisterThreadTerminatePort has NOT been hooked!
        [*]ZwReleaseKeyedEvent has NOT been hooked!
        [*]ZwReleaseMutant has NOT been hooked!
        [*]ZwReleaseSemaphore has NOT been hooked!
        [*]ZwReleaseWorkerFactoryWorker has NOT been hooked!
        [*]ZwRemoveIoCompletion has NOT been hooked!
        [*]ZwRemoveIoCompletionEx has NOT been hooked!
        [*]ZwRemoveProcessDebug has NOT been hooked!
        [*]ZwRenameKey has NOT been hooked!
        [*]ZwRenameTransactionManager has NOT been hooked!
        [*]ZwReplaceKey has NOT been hooked!
        [*]ZwReplacePartitionUnit has NOT been hooked!
        [*]ZwReplyPort has NOT been hooked!
        [*]ZwReplyWaitReceivePort has NOT been hooked!
        [*]ZwReplyWaitReceivePortEx has NOT been hooked!
        [*]ZwReplyWaitReplyPort has NOT been hooked!
        [*]ZwRequestPort has NOT been hooked!
        [*]ZwRequestWaitReplyPort has NOT been hooked!
        [*]ZwResetEvent has NOT been hooked!
        [*]ZwResetWriteWatch has NOT been hooked!
        [*]ZwRestoreKey has NOT been hooked!
        [*]ZwResumeProcess has NOT been hooked!
        [*]ZwResumeThread has NOT been hooked!
        [*]ZwRevertContainerImpersonation has NOT been hooked!
        [*]ZwRollbackComplete has NOT been hooked!
        [*]ZwRollbackEnlistment has NOT been hooked!
        [*]ZwRollbackRegistryTransaction has NOT been hooked!
        [*]ZwRollbackTransaction has NOT been hooked!
        [*]ZwRollforwardTransactionManager has NOT been hooked!
        [*]ZwSaveKey has NOT been hooked!
        [*]ZwSaveKeyEx has NOT been hooked!
        [*]ZwSaveMergedKeys has NOT been hooked!
        [*]ZwSecureConnectPort has NOT been hooked!
        [*]ZwSerializeBoot has NOT been hooked!
        [*]ZwSetBootEntryOrder has NOT been hooked!
        [*]ZwSetBootOptions has NOT been hooked!
        [*]ZwSetCachedSigningLevel has NOT been hooked!
        [*]ZwSetCachedSigningLevel2 has NOT been hooked!
        [*]ZwSetContextThread has NOT been hooked!
        [*]ZwSetDebugFilterState has NOT been hooked!
        [*]ZwSetDefaultHardErrorPort has NOT been hooked!
        [*]ZwSetDefaultLocale has NOT been hooked!
        [*]ZwSetDefaultUILanguage has NOT been hooked!
        [*]ZwSetDriverEntryOrder has NOT been hooked!
        [*]ZwSetEaFile has NOT been hooked!
        [*]ZwSetEvent has NOT been hooked!
        [*]ZwSetEventBoostPriority has NOT been hooked!
        [*]ZwSetHighEventPair has NOT been hooked!
        [*]ZwSetHighWaitLowEventPair has NOT been hooked!
        [*]ZwSetIRTimer has NOT been hooked!
        [*]ZwSetInformationDebugObject has NOT been hooked!
        [*]ZwSetInformationEnlistment has NOT been hooked!
        [*]ZwSetInformationFile has NOT been hooked!
        [*]ZwSetInformationJobObject has NOT been hooked!
        [*]ZwSetInformationKey has NOT been hooked!
        [*]ZwSetInformationObject has NOT been hooked!
        [*]ZwSetInformationProcess has NOT been hooked!
        [*]ZwSetInformationResourceManager has NOT been hooked!
        [*]ZwSetInformationSymbolicLink has NOT been hooked!
        [*]ZwSetInformationThread has NOT been hooked!
        [*]ZwSetInformationToken has NOT been hooked!
        [*]ZwSetInformationTransaction has NOT been hooked!
        [*]ZwSetInformationTransactionManager has NOT been hooked!
        [*]ZwSetInformationVirtualMemory has NOT been hooked!
        [*]ZwSetInformationWorkerFactory has NOT been hooked!
        [*]ZwSetIntervalProfile has NOT been hooked!
        [*]ZwSetIoCompletion has NOT been hooked!
        [*]ZwSetIoCompletionEx has NOT been hooked!
        [*]ZwSetLdtEntries has NOT been hooked!
        [*]ZwSetLowEventPair has NOT been hooked!
        [*]ZwSetLowWaitHighEventPair has NOT been hooked!
        [*]ZwSetQuotaInformationFile has NOT been hooked!
        [*]ZwSetSecurityObject has NOT been hooked!
        [*]ZwSetSystemEnvironmentValue has NOT been hooked!
        [*]ZwSetSystemEnvironmentValueEx has NOT been hooked!
        [*]ZwSetSystemInformation has NOT been hooked!
        [*]ZwSetSystemPowerState has NOT been hooked!
        [*]ZwSetSystemTime has NOT been hooked!
        [*]ZwSetThreadExecutionState has NOT been hooked!
        [*]ZwSetTimer has NOT been hooked!
        [*]ZwSetTimer2 has NOT been hooked!
        [*]ZwSetTimerEx has NOT been hooked!
        [*]ZwSetTimerResolution has NOT been hooked!
        [*]ZwSetUuidSeed has NOT been hooked!
        [*]ZwSetValueKey has NOT been hooked!
        [*]ZwSetVolumeInformationFile has NOT been hooked!
        [*]ZwSetWnfProcessNotificationEvent has NOT been hooked!
        [*]ZwShutdownSystem has NOT been hooked!
        [*]ZwShutdownWorkerFactory has NOT been hooked!
        [*]ZwSignalAndWaitForSingleObject has NOT been hooked!
        [*]ZwSinglePhaseReject has NOT been hooked!
        [*]ZwStartProfile has NOT been hooked!
        [*]ZwStopProfile has NOT been hooked!
        [*]ZwSubscribeWnfStateChange has NOT been hooked!
        [*]ZwSuspendProcess has NOT been hooked!
        [*]ZwSuspendThread has NOT been hooked!
        [*]ZwSystemDebugControl has NOT been hooked!
        [*]ZwTerminateEnclave has NOT been hooked!
        [*]ZwTerminateJobObject has NOT been hooked!
        [*]ZwTerminateProcess has NOT been hooked!
        [*]ZwTerminateThread has NOT been hooked!
        [*]ZwTestAlert has NOT been hooked!
        [*]ZwThawRegistry has NOT been hooked!
        [*]ZwThawTransactions has NOT been hooked!
        [*]ZwTraceControl has NOT been hooked!
        [*]ZwTraceEvent has NOT been hooked!
        [*]ZwTranslateFilePath has NOT been hooked!
        [*]ZwUmsThreadYield has NOT been hooked!
        [*]ZwUnloadDriver has NOT been hooked!
        [*]ZwUnloadKey has NOT been hooked!
        [*]ZwUnloadKey2 has NOT been hooked!
        [*]ZwUnloadKeyEx has NOT been hooked!
        [*]ZwUnlockFile has NOT been hooked!
        [*]ZwUnlockVirtualMemory has NOT been hooked!
        [*]ZwUnmapViewOfSection has NOT been hooked!
        [*]ZwUnmapViewOfSectionEx has NOT been hooked!
        [*]ZwUnsubscribeWnfStateChange has NOT been hooked!
        [*]ZwUpdateWnfStateData has NOT been hooked!
        [*]ZwVdmControl has NOT been hooked!
        [*]ZwWaitForAlertByThreadId has NOT been hooked!
        [*]ZwWaitForDebugEvent has NOT been hooked!
        [*]ZwWaitForKeyedEvent has NOT been hooked!
        [*]ZwWaitForMultipleObjects has NOT been hooked!
        [*]ZwWaitForMultipleObjects32 has NOT been hooked!
        [*]ZwWaitForSingleObject has NOT been hooked!
        [*]ZwWaitForWorkViaWorkerFactory has NOT been hooked!
        [*]ZwWaitHighEventPair has NOT been hooked!
        [*]ZwWaitLowEventPair has NOT been hooked!
        [*]ZwWorkerFactoryWorkerReady has NOT been hooked!
        [*]ZwWriteFile has NOT been hooked!
        [*]ZwWriteFileGather has NOT been hooked!
        [*]ZwWriteRequestData has NOT been hooked!
        [*]ZwWriteVirtualMemory has NOT been hooked!
        [*]ZwYieldExecution has NOT been hooked!
[*] 7 hooked functions found.
[*] 926 clean functions found.
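As an added triage helper that is not part of Probatorum (the ZwQuerySystemTime entry in the sample is copied from the output above; ZwConstructedExample, its bytes, and all function and class names are this example's own, constructed for illustration), the script below parses the tool's output, decodes the first instruction of each dumped prologue, and separates the seven Windows 10 redirects noted earlier from entries that still need a WinDbg check:

```python
"""Triage helper for Probatorum's text output (added example, not project code).
Parses the "HAS been hooked!" lines and the hex dump under each, decodes the
leading instruction, and separates the README's Windows 10 redirects from
entries that deserve a closer look. Names here are this example's own."""
import re
import struct
from dataclasses import dataclass

# An x64 ntdll syscall stub starts: mov r10, rcx (4C 8B D1) ; mov eax, imm32 (B8 ..)
STUB_PROLOGUE = bytes([0x4C, 0x8B, 0xD1, 0xB8])

# The seven Windows 10 functions the README says appear hooked but are redirects.
KNOWN_REDIRECTS = frozenset({"ZwQuerySystemTime", "NtQuerySystemTime", "NtGetTickCount",
    "NtdllDialogWndProc_W", "NtdllDiaglogWndProc_A", "NtdllDefWindowProc_W", "NtdllDefWindowProc_A"})

HOOKED_RE = re.compile(r"\[\*\]\s*(\S+)\s+HAS been hooked!")
CLEAN_RE = re.compile(r"\[\*\]\s*(\S+)\s+has NOT been hooked!")
HEXDUMP_RE = re.compile(r"^\s*(?:[0-9A-Fa-f]{2}\s*)+$")


@dataclass
class Finding:
    name: str
    prologue: bytes
    kind: str = "unknown"      # stub | jmp_rel32 | jmp_indirect | unknown
    detail: str = ""
    stub_offset: int = -1      # offset of an intact stub later in the dump, or -1
    verdict: str = ""


def decode_prologue(b: bytes) -> tuple[str, str]:
    """Decode the first instruction of the dumped bytes (x64 encodings only)."""
    if b.startswith(STUB_PROLOGUE) and len(b) >= 8:
        return "stub", "mov r10,rcx; mov eax,imm32 (unmodified stub)"
    if b[:1] == b"\xE9" and len(b) >= 5:            # jmp rel32
        disp = struct.unpack_from("<i", b, 1)[0]
        return "jmp_rel32", f"jmp rel32 to function{5 + disp:+#x}"
    if b[:2] == b"\xFF\x25" and len(b) >= 6:        # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", b, 2)[0]
        return "jmp_indirect", f"jmp qword ptr [function{6 + disp:+#x}]"
    return "unknown", "unrecognised prologue"


def triage(finding: Finding) -> Finding:
    """Fill in kind, detail, stub_offset and a verdict for one hooked entry."""
    finding.kind, finding.detail = decode_prologue(finding.prologue)
    finding.stub_offset = finding.prologue.find(STUB_PROLOGUE, 1)
    if finding.kind == "stub":
        finding.verdict = "not hooked"
    elif finding.name in KNOWN_REDIRECTS:
        finding.verdict = "known Windows 10 redirect, not an EDR hook"
    else:
        finding.verdict = "inline hook candidate: confirm the jump target in WinDbg"
    return finding


def parse_output(text: str) -> tuple[list[Finding], int]:
    """Return (triaged hooked entries, count of clean entries) from tool stdout."""
    findings, clean = [], 0
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if CLEAN_RE.search(line):
            clean += 1
            continue
        m = HOOKED_RE.search(line)
        if not m:
            continue
        prologue = b""
        if i + 1 < len(lines) and HEXDUMP_RE.match(lines[i + 1]):
            prologue = bytes.fromhex(lines[i + 1].strip())
        findings.append(triage(Finding(m.group(1), prologue)))
    return findings, clean


# Constructed sample: the ZwQuerySystemTime entry is copied from the README output;
# ZwConstructedExample is a made-up name with made-up bytes (jmp +0x1000, nops, stub).
SAMPLE_OUTPUT = """\
        [*]ZwQuerySystemInformationEx has NOT been hooked!
        [*] ZwQuerySystemTime HAS been hooked!
                E9 CB B3 FD FF 66 66 66 0F 1F 84 00 00 00 00 00 4C 8B D1 B8 5B 00 00 00 F6
        [*]ZwQueryTimer has NOT been hooked!
        [*] ZwConstructedExample HAS been hooked!
                E9 FB 0F 00 00 90 90 90 4C 8B D1 B8 3A 00 00 00
"""

if __name__ == "__main__":
    for f in parse_output(SAMPLE_OUTPUT)[0]:
        print(f"{f.name}: {f.detail}; intact stub at +{f.stub_offset}; {f.verdict}")
```

For the ZwQuerySystemTime dump above this reports a backwards jmp rel32 with the genuine stub still present 16 bytes in, which is the redirect pattern the README describes rather than an EDR trampoline.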

Contributions/Comments/Criticisms

I am very open to receiving comments and to collaboration! Hopefully this helps generate useful discussion around the topic of EDR userland hooks, or provides researchers some new insights.

Comments
  • Adding options

    Hi, I don't know your twitter handle. Not sure you would like to accept my PR, but this might be of interest for you. Wrote a mini article on your project: https://www.bussink.net/edr-userland-hooking-detection-unhooking-test/ where I am adding the unhooking part too.

    Regards, k4nfr3. P.S.: Would you have an idea why my PaloAlto EDR hooks are not shown?

    opened by k4nfr3 1