EDR hooks and unhooking

TL;DR: Userland hooks on ntdll; unhook patterns; direct/indirect syscalls as a more durable alternative.

Stub — to be filled in.

What it is

TODO

Preconditions / where it applies

TODO

Technique

TODO

Detection and defence

TODO

References

TODO