Challenge 22: DLL Proxy Call

Medium API Hook Evasion Target: Rule 7

Objective

Execute hooked ntdll APIs by placing the call inside a loaded DLL rather than the main executable.

Scanner Behavior

Rule 7 parses the PE imports of the main executable only:

proc ruleHookedApiImports(info: ProcessInfo, profile: HookProfile): seq[Detection] =
  let imports = readPeImports(info.imagePath)  # only the .exe!

It does not scan DLLs loaded by the process.

Rules

  • The EDR must be running with a hook profile loaded
  • Your main .exe must NOT import any hooked APIs directly
  • A DLL loaded by your .exe must call the hooked API successfully

Hints

Hint 1 The scanner checks `info.imagePath` — the path to the .exe file. What about DLLs?
Hint 2 Create a DLL that imports `NtWriteVirtualMemory` and have your .exe load it with `LoadLibrary`.
Hint 3 The DLL's IAT is never scanned because `readPeImports` is only called on the main executable path.