EDR Parallel-asis through Analysis

Recently MDSec / Peter Winter-Smith researched a new technique and released a blog post, "EDR Parallel-asis through Analysis - MDSec", which shows us how to extract the system call numbers for three critical Windows API functions: NtOpenFile, NtCreateSection and NtMapViewOfSection. Combining these functions allows us to load a fresh copy of NTDLL.dll from disk into memory. Before we deep dive into this technique, there are a few fundamental concepts about Windows I...