API Hooking: Analyzing AV/EDR

54 views
May 19, 2026
24:28

New to Maldev? Start with our Maldev 101 foundational series before diving in: https://www.rbtsec.com/blog/category/maldev/

In this video, we break down API hooking from the ground up, covering just enough theory to understand what's actually happening at the byte level, then jumping straight into live demos. We start by comparing two models of API hooking, then inspect ntdll.dll directly to contrast hooked vs unhooked functions, spotting trampolines and the E9 JMP instructions EDRs plant to redirect execution into their monitoring engine. From there, we move into hands-on demos: first using x64dbg and WinDbg to watch the E9 JMP with your own eyes in real time, then running hook_finder64.exe directly against ntdll.dll to see raw hook detection output live. We close with a vendor breakdown, examining exactly which functions Bitdefender AV, Sophos, and CrowdStrike each choose to hook, and what that reveals about their detection strategies.

Whether you're building implants or defending against them, understanding how EDRs instrument userland APIs is foundational knowledge.

Like & Subscribe for more real-world offensive security research from RBT Security.

Follow Us:
Discord: https://discord.com/invite/UnHBp9FuGK
LinkedIn: https://www.linkedin.com/company/rbtsecurity/
Twitter: https://x.com/RBTSecurity
Facebook: https://www.facebook.com/RBTSecur1ty/
GitHub: https://github.com/rbtsecurity/

Contact Us: For business inquiries and collaborations, please email us at [email protected]

Educational Disclaimer: All content is intended for educational purposes only, to promote ethical hacking and security research.

#RedTeam #Maldev #RBTSecurity #APIHooking #WindowsInternals #EDRBypass #ntdll #OffensiveSecurity #CrowdStrike #Sophos #Bitdefender #ImplantDevelopment #AVBypass #UserlandHooking
