Detecting Hooked Syscalls
It's possible to enumerate which Windows API calls are hooked by an EDR that uses the inline patching technique, in which a jmp instruction is inserted at the beginning of the syscall stub to be hooked.
https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
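The check described above, as an added example that is not code from the linked article: a C routine that classifies the first bytes of an x64 syscall stub as intact or overwritten with a jmp, and resolves where a jmp rel32 lands so the destination can be attributed to a known module. It assumes the standard x64 stub prologue (mov r10, rcx; mov eax, imm32); the names classify_stub and stub_report are hypothetical, and the sample bytes and address are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum stub_state { STUB_INTACT, STUB_JMP_REL32, STUB_JMP_SHORT, STUB_JMP_INDIRECT, STUB_UNKNOWN };

struct stub_report {
    enum stub_state state;
    uint32_t syscall_number; /* set when state == STUB_INTACT */
    uint64_t jmp_target;     /* set when state == STUB_JMP_REL32 */
};

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify the first bytes of an x64 syscall stub copied from address va. */
struct stub_report classify_stub(const uint8_t *code, size_t len, uint64_t va)
{
    /* Unmodified prologue: mov r10, rcx (4C 8B D1) then mov eax, imm32 (B8). */
    static const uint8_t intact[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    struct stub_report r = { STUB_UNKNOWN, 0, 0 };

    if (code == NULL || len < 8)
        return r;                       /* too short to judge */
    if (memcmp(code, intact, sizeof intact) == 0) {
        r.state = STUB_INTACT;
        r.syscall_number = le32(code + 4);
    } else if (code[0] == 0xE9) {       /* jmp rel32 */
        r.state = STUB_JMP_REL32;
        /* Target = address after the 5-byte jmp + sign-extended displacement. */
        r.jmp_target = va + 5 + (uint64_t)(int64_t)(int32_t)le32(code + 1);
    } else if (code[0] == 0xEB) {       /* jmp rel8 */
        r.state = STUB_JMP_SHORT;
    } else if (code[0] == 0xFF && code[1] == 0x25) { /* jmp qword ptr [rip+disp32] */
        r.state = STUB_JMP_INDIRECT;
    }
    return r;
}

int main(void)
{
    /* Constructed sample: stub start overwritten with a jmp rel32. */
    const uint8_t hooked[8] = { 0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00 };
    struct stub_report r = classify_stub(hooked, sizeof hooked, 0x7FF800001000ULL);
    printf("state=%d target=0x%llx\n", (int)r.state, (unsigned long long)r.jmp_target);
    return 0;
}
```

A stub that does not start with the expected prologue is only evidence of modification; mapping the resolved jmp target to the module that owns that address is what tells an expected security product apart from an unknown one.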