Detecting Hooked Syscalls
It's possible to enumerate which Windows API calls are hooked by an EDR that uses the inline patching technique, where a jmp instruction is inserted at the beginning of the syscall stub to be hooked; a stub whose first bytes are no longer the expected prologue but a jmp has been patched.
https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
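As an added example (not code from this page or from ired.team), the byte-level check a defender's module-integrity tool would run over the first bytes of each x64 ntdll syscall stub: clean stubs start with `mov r10, rcx; mov eax, <SSN>`, while a stub patched with `jmp rel32` or `jmp [rip+disp32]` is flagged and its jump target resolved. Function names, addresses, SSNs and bytes below are constructed; reading the real bytes out of a process is left to the caller.

```python
import struct

# x64 ntdll Nt*/Zw* syscall stubs begin with: mov r10, rcx ; mov eax, <SSN>
CLEAN_PROLOGUE = bytes.fromhex("4c8bd1b8")


def analyze_stub(name, stub, base_addr):
    """Classify the first bytes of one exported stub.

    Returns a dict with 'name', 'status' ('clean', 'hooked' or 'unknown'),
    a readable 'detail' and, for hooks, the resolved jump 'target'.
    base_addr is the virtual address the bytes were read from; it is only
    needed to resolve RIP-relative displacements.
    """
    if stub.startswith(CLEAN_PROLOGUE):
        return {"name": name, "status": "clean", "detail": "expected prologue", "target": None}
    if len(stub) >= 5 and stub[0] == 0xE9:
        # jmp rel32: target = address of the next instruction + signed displacement
        rel = struct.unpack_from("<i", stub, 1)[0]
        target = base_addr + 5 + rel
        return {"name": name, "status": "hooked", "detail": f"jmp rel32 -> {target:#x}", "target": target}
    if len(stub) >= 6 and stub[:2] == b"\xff\x25":
        # jmp [rip+disp32]: the 8-byte slot holding the real target sits at rip+disp
        disp = struct.unpack_from("<i", stub, 2)[0]
        slot = base_addr + 6 + disp
        return {"name": name, "status": "hooked", "detail": f"jmp [rip+disp32], pointer slot {slot:#x}", "target": slot}
    # Neither a syscall prologue nor a recognised trampoline (e.g. a non-syscall export):
    # report it rather than assume a hook, to keep false positives down.
    return {"name": name, "status": "unknown", "detail": f"unrecognised prologue {stub[:4].hex()}", "target": None}


def scan_stubs(stubs):
    """stubs: {name: (base_addr, first_bytes)} -> list of analysis dicts."""
    return [analyze_stub(n, b, a) for n, (a, b) in stubs.items()]


def hooked_names(stubs):
    return sorted(r["name"] for r in scan_stubs(stubs) if r["status"] == "hooked")


# Constructed sample input: names, addresses, SSN and bytes are made up for the demo.
SAMPLE_STUBS = {
    "NtExampleClean":    (0x7FF800001000, bytes.fromhex("4c8bd1b834120000f604250803fe7f01")),
    "NtExampleRel32":    (0x7FF800002000, bytes.fromhex("e9fb0f0000cccccccccccccccccccccc")),
    "NtExampleIndirect": (0x7FF800003000, bytes.fromhex("ff2510000000cccccccccccccccccccc")),
    "RtlNotASyscall":    (0x7FF800004000, bytes.fromhex("4883ec28488b05")),
}

if __name__ == "__main__":
    for r in scan_stubs(SAMPLE_STUBS):
        print(f"{r['name']:<20} {r['status']:<8} {r['detail']}")
```

A prologue check like this only catches hooks placed at the function entry; it says nothing about modifications deeper in the stub or elsewhere in the module.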