EDR Unhooker is a Windows x64 research tool intended for security research and education. It locates ntdll from the PEB, validates the PE headers, resolves exports, inspects syscall stubs, and dynamically derives syscall numbers (SSNs). It also applies a minimal PEB-based anti-debug check. The tool is written in Lwanga; Linux is used for building and for hosting the tests, with Windows x64 as the validation target for the resulting PE binary.
Locates ntdll from the PEB and validates PE headers.
Resolves exports and inspects syscall stubs.
Dynamically derives syscall numbers (SSNs).
Applies a minimal PEB anti-debug check.
Cross-builds from Ubuntu/WSL using CMake and lld-link.
Utilizes gcc-mingw-w64-x86-64 and MinGW import libs for PE linking.
This open-source project is available on GitHub, providing a comprehensive platform for developers and researchers to contribute and enhance their security tools.