Recently, I’ve been reversing a first-stage loader that dynamically loads a second copy of ntdll.dll in order to hide malicious behavior from sandboxes and EDRs. This technique has already been widely documented in open-source research [1][2][3][4][5].
Luckily, ntdll.dll is quite recognizable! I vibe-coded (:D) this small detection to be used by a potential tool that intercepts (in userland) malicious code implementing either of the following behaviors:

- dynamically loading a side-copy of ntdll.dll, or
- restoring hooked APIs from a clean copy of ntdll.dll
It is called “is_ntdll” and here is the code for it. Enjoy!
![[Tool] Quick Snip to Detect ntdll.dll](https://cdn.hashnode.com/res/hashnode/image/upload/v1767128393992/4d706808-86ae-40d2-b1fc-cabbcdf0fccb.jpeg?w=1600&h=840&fit=crop&crop=entropy&auto=compress,format&format=webp)
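As an added example (my own code, not the post's is_ntdll snippet or any tool it describes), here is one way such a check can be written. The idea is that a copy of ntdll.dll stays recognizable no matter which path it was loaded from, because the exported DLL name is baked into the PE export directory; as a fallback for copies whose export name has been patched, the check also looks for a small set of exports that a genuine ntdll.dll always carries. The sentinel list, the helper names, and the minimal PE32+ image built by `build_test_image` are my own constructions for running the example offline; `mapped=True` is the path an in-process hook would use on a loader-mapped image, `mapped=False` the path for a file read from disk.

```python
"""Added example: heuristic "is this PE image ntdll.dll?" check, independent of
the file name it was loaded under. Parses the export directory and tests the
exported DLL name plus a sentinel set of exports. Not the post's own tool."""
import struct

# Sentinel exports a genuine ntdll.dll always carries (assumed set, chosen for this example).
NTDLL_SENTINEL_EXPORTS = {"LdrLoadDll", "LdrGetProcedureAddress", "NtAllocateVirtualMemory",
                          "NtProtectVirtualMemory", "RtlInitUnicodeString"}

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def _cstr(b, o, limit=256):
    end = b.find(b"\x00", o, o + limit)
    if end < 0:
        raise ValueError("unterminated string")
    return b[o:end].decode("ascii", "replace")

def _parse_headers(img):
    """Return (export_rva, export_size, [(vaddr, size, rawptr), ...]); ValueError if not a PE."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = _u32(img, 0x3C)
    if img[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    nsec, opt_size = _u16(img, pe + 6), _u16(img, pe + 20)
    opt = pe + 24
    dd = opt + (112 if _u16(img, opt) == 0x20B else 96)   # data directories: PE32+ vs PE32
    secs = []
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", img, opt + opt_size + i * 40 + 8)
        secs.append((vaddr, max(vsize, rawsize), rawptr))
    return _u32(img, dd), _u32(img, dd + 4), secs

def _rva(rva, secs, mapped):
    """RVA -> buffer offset; identity for a loader-mapped image, section walk for a file on disk."""
    if mapped:
        return rva
    for vaddr, size, rawptr in secs:
        if vaddr <= rva < vaddr + size:
            return rawptr + (rva - vaddr)
    raise ValueError("RVA outside every section")

def export_info(img, mapped=False):
    """(exported DLL name, set of export names) read from the image's export directory."""
    erva, esize, secs = _parse_headers(img)
    if not erva or not esize:
        return "", set()
    ed = _rva(erva, secs, mapped)
    name = _cstr(img, _rva(_u32(img, ed + 12), secs, mapped))            # IMAGE_EXPORT_DIRECTORY.Name
    nnames, names_off = _u32(img, ed + 24), _rva(_u32(img, ed + 32), secs, mapped)
    names = {_cstr(img, _rva(_u32(img, names_off + 4 * i), secs, mapped)) for i in range(min(nnames, 10000))}
    return name, names

def is_ntdll(img, mapped=False):
    """True if the export-directory name is ntdll.dll, or (renamed copy) all sentinel exports are present."""
    try:
        name, names = export_info(img, mapped)
    except (ValueError, struct.error):
        return False    # truncated buffer, not a PE, or RVAs that do not resolve: not a usable ntdll
    return name.lower() == "ntdll.dll" or NTDLL_SENTINEL_EXPORTS <= names

def build_test_image(dll_name, exports):
    """Constructed minimal PE32+ file (one .edata section) for exercising the checks offline."""
    sec_rva, sec_raw = 0x1000, 0x200
    strings, table = bytearray(), bytearray()
    def add(s):
        off = len(strings); strings.extend(s.encode() + b"\x00"); return off
    str_base = sec_rva + 40 + 4 * len(exports)          # strings follow the 40-byte directory and name table
    name_rva = str_base + add(dll_name)
    for e in exports:
        table += struct.pack("<I", str_base + add(e))
    edir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, len(exports), len(exports), 0, sec_rva + 40, 0)
    section = edir + bytes(table) + bytes(strings)
    img = bytearray(sec_raw)
    img[:2] = b"MZ"; struct.pack_into("<I", img, 0x3C, 0x40); img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)   # file header, x64 DLL
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B); struct.pack_into("<I", img, opt + 60, sec_raw)  # magic, SizeOfHeaders
    struct.pack_into("<II", img, opt + 112, sec_rva, len(section))            # export data directory entry
    sh = opt + 240
    img[sh:sh + 8] = b".edata\x00\x00"
    struct.pack_into("<IIII", img, sh + 8, len(section), sec_rva, len(section), sec_raw)
    return bytes(img) + section

def lay_out_in_memory(file_img):
    """Re-lay a file image the way the loader maps it, to exercise the mapped=True path."""
    pe = _u32(file_img, 0x3C)
    hdr = _u32(file_img, pe + 24 + 60)       # SizeOfHeaders, same offset for PE32 and PE32+
    _, _, secs = _parse_headers(file_img)
    out = bytearray(max(v + s for v, s, _ in secs))
    out[:hdr] = file_img[:hdr]
    for vaddr, size, rawptr in secs:
        out[vaddr:vaddr + size] = file_img[rawptr:rawptr + size]
    return bytes(out)
```

Two practical points: first, an interception tool that sees the side-copy only once it is mapped should call `is_ntdll(buf, mapped=True)` on the mapped view, not on the file it was read from, since RVAs then translate to offsets directly; passing the wrong mode makes the RVAs fall outside the buffer and the check deliberately returns False rather than raising. Second, the export-directory name alone is a strong signal for the "load a side-copy" case, but a copy whose export name was patched would still pass the sentinel-export test, which is why both signals are combined.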