EDR-UNHOOK · Defense Evasion
EDR Userland Unhook
Restore the original .text section of ntdll / kernel32 from disk to a freshly-loaded module — removes injected JMP hooks.
§ Where this technique fits
EDR-UNHOOK is catalogued under the Defense Evasion tactic of the offensive-security kill-chain. It appears in 0 approved dossiers in the registry, typically.