0. Resources

Before diving deeper into EDR evasion, I need a basic understanding of how a Windows binary is structured on disk, how it is mapped into memory, and how its calls reach the kernel. The sections below build that foundation in order.

| # | Topic | Description |
|---|-------|-------------|
| 1 | Portable Executable Structure | Understanding the PE format and how binaries are structured in Windows |
| 2 | From PE to Memory | How PE files are loaded into memory |
| 3 | Flow of System Calls - ntdll.dll, kernel32.dll | Understanding how system calls work in Windows |
| 4 | Win32 API and Windows Native API | Differentiating between user-mode and native APIs |
| 4a | NTDLL.DLL - Overview and Functionality | Details on ntdll.dll and its role in system calls |
| 5 | Syscalls Flow | Overview of how syscalls operate in Windows |
| 5a | Syscalls Deep Dive | In-depth analysis of syscalls |
| 5b | From Memory - PEB_TEB | Understanding the Process and Thread Environment Blocks |
| 2 | Direct Syscalls Intro | Bypassing API hooks using direct syscalls |
| 2a | Direct Syscalls in C++ | Practical implementation in C++ |
| 2b | Indirect Syscalls Intro | Evasion by dynamically resolving syscall addresses |
| 2c | Indirect Syscalls - Tool | Using tools for syscall evasion |
| 3 | API Hooking / Unhooking | Bypassing monitoring mechanisms like EDR hooks |

Resources:
https://doxygen.reactos.org/dir_a7ad942ac829d916497d820c4a26c555.html
http://undocumented.ntinternals.net/

https://metehan-bulut.medium.com/understanding-the-process-environment-block-peb-for-malware-analysis-26315453793f

https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/

https://redops.at/en/blog/exploring-hells-gate

https://fluxsec.red/rust-edr-evasion-hells-gate

https://unprotect.it/media/archive/2023/04/02/HellsGate.pdf