Checking whether an Nt* API begins with the x64 syscall stub bytes `\x4c\x8b\xd1\xb8` (`mov r10, rcx` / `mov eax, <SSN>`) to detect hooked NtAPIs produces false positives: some exported Nt* functions legitimately do not start with that stub, so a naive byte comparison reports them as hooked.
Once those false-positive functions are known, this script writes out their leading bytes as unsigned char arrays (for C/C++ use), so the main implant can embed them as an allow-list and recognise those functions instead of flagging them as hooks.
This is useful when performing dynamic EDR evasion; watching the demo video before using the script is recommended.
$ python3 GetFalsePositiveHooks.py <FalsePositiveHooks.txt>
It is intended to be used alongside my previous project, CheckHooks-n-load.
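The following is an added worked example, not the project's own GetFalsePositiveHooks.py. It shows the two halves of the workflow the README describes: the naive syscall-stub check that produces the false positives, and the conversion of a known false-positive function's bytes into a C/C++ unsigned char array so the implant can allow-list it. The input format (one `Name: hex bytes` entry per line, `#` comments allowed) and the sample bytes are assumptions constructed for this example; the project does not document its file format here, and the bytes were not dumped from a real ntdll.

```python
"""Added example (not the project's script). Assumed input format:
one function per line, "FunctionName: 48 8b 04 25 ..." with optional '#' comments.
The sample bytes below are constructed for illustration only."""
import re
import sys
from typing import Dict

# x64 syscall stub prologue: mov r10, rcx ; mov eax, <SSN>
SYSCALL_STUB = b"\x4c\x8b\xd1\xb8"

# Constructed sample input (assumption): functions that legitimately do not
# begin with the syscall stub and therefore trip a naive hook check.
SAMPLE_FALSE_POSITIVES = """\
# name: leading bytes captured from the clean copy of ntdll (constructed values)
NtGetTickCount: 48 8b 04 25 20 03 fe 7f
NtExampleUserModeFunc: 40 53 48 83 ec 20
"""

_NAME_RE = re.compile(r"[A-Za-z_]\w*")


def parse_hooks_file(text: str) -> Dict[str, bytes]:
    """Parse 'Name: hex bytes' lines into {name: bytes}; skips blanks/comments."""
    entries: Dict[str, bytes] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, hexpart = line.partition(":")
        name = name.strip()
        if not sep or not _NAME_RE.fullmatch(name):
            raise ValueError(f"malformed line: {raw!r}")
        data = bytes.fromhex(hexpart)  # whitespace between bytes is accepted
        if not data:
            raise ValueError(f"no bytes given for {name}")
        entries[name] = data
    return entries


def to_c_array(name: str, data: bytes) -> str:
    """Render bytes as a C/C++ unsigned char array named after the function."""
    body = ", ".join(f"0x{b:02x}" for b in data)
    return f"unsigned char {name}[{len(data)}] = {{ {body} }};"


def classify(name: str, prologue: bytes, known_fp: Dict[str, bytes]) -> str:
    """Naive stub check plus allow-list: 'clean', 'false-positive' or 'hooked'.

    A function whose first bytes are the syscall stub is treated as unhooked
    (an inline jmp placed at entry would have overwritten them). One that is
    missing the stub is only reported as hooked if it is not a known
    false positive whose expected leading bytes still match.
    """
    if prologue.startswith(SYSCALL_STUB):
        return "clean"
    expected = known_fp.get(name)
    if expected is not None and prologue.startswith(expected):
        return "false-positive"
    return "hooked"


def render_header(entries: Dict[str, bytes]) -> str:
    """Emit all arrays as one block ready to paste into the implant source."""
    return "\n".join(to_c_array(n, d) for n, d in entries.items())


if __name__ == "__main__":
    # Usage: python3 thisfile.py <FalsePositiveHooks.txt>; with no argument the
    # constructed sample above is used so the example runs offline.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FALSE_POSITIVES
    print(render_header(parse_hooks_file(text)))
```

Run it with the path to the text file of false-positive functions to get the arrays on stdout; the `classify` helper shows how the implant side would consult those arrays before deciding that a stub-less Nt* function is hooked.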
Video link: https://drive.google.com/file/d/1s52YLW4DC8b4T8t9z4aEdQQvdtticpTY/view?usp=share_link