Security researcher TwoSevenOneT, renowned for their work on EDR evasion tools like EDR-Freeze and EDR-Redir, has unveiled a new tool called EDRStartupHinder. This tool, demonstrated on Windows Defender in Windows 11 25H2, disrupts antivirus and endpoint detection and response (EDR) services by manipulating critical System32 DLLs at startup using Windows Bindlink.
EDR and Antivirus Services on Windows
Antivirus and EDR services are essential components of Windows security, operating with SYSTEM privileges and using kernel drivers for added protection. These services auto-start on boot and utilize Protected Process Light (PPL) to prevent tampering. Any attempts to modify or interfere with these processes in user mode typically fail unless advanced techniques, such as EDR-Freeze, are used.
Bindlink Startup Disruption
Earlier evasion techniques, such as EDR-Redir, redirected EDR folders after startup. However, security vendors enhanced their defenses against such tactics. EDRStartupHinder, on the other hand, targets System32, which is critical for all processes, including EDR and antivirus services, making it a more effective strategy.
How the EDRStartupHinder Tool Works
The tool creates a higher-priority service, Bindlinking a core DLL to a fake, unsigned copy. It then uses PPL to crash the EDR service upon failure to load the manipulated DLL. Post-termination, the tool cleans up the modifications.
Key steps include:
- Creating a higher-priority service based on research from BYOVD (Bring Your Own Vulnerable Driver) studies.
- Bindlinking the System32 DLL to an unsigned, “corrupted” copy stored in a specified location.
- Monitoring EDR processes and dynamically applying/removing the Bindlink.
- Corrupting the PE header signature on the fake DLL to trigger failures when the EDR attempts to load it.
The tool is available on GitHub, with customizable parameters for OriginalLib (System32 DLL), FakeLib (the fake DLL location), ServiceName/Group (for service priority), and EDRProcess (such as MsMpEng.exe, which is the Defender engine).
Example Command
For a Windows 11 25H2 system, targeting MsMpEng.exe (Defender engine) and msvcp_win.dll (which loads at startup), the command could be:
EDRStartupHinder.exe msvcp_win.dll C:\TMP\FakeLib DusmSVC-01 TDI MsMpEng.exe
After rebooting, the service activates first, redirects the DLL, and the PPL-protected MsMpEng.exe rejects the unsigned DLL and terminates itself.
Mitigation and Defense Recommendations
System administrators should monitor for suspicious activity in bindlink.dll usage, services running in high-priority groups, and anomalies in System32. Security defenses should include KnownDLL expansions, signature enforcement audits, and minifilter logging. Vendors are advised to strengthen DLL dependencies and adjust the startup sequencing of critical security processes.
While this technique highlights the complexity of Windows security mechanisms, it also demonstrates how security measures can be exploited by red teams. EDRStartupHinder has proven effective against Windows Defender and some commercial EDR/AV products in laboratory environments, underscoring the need for constant vigilance and improvements in security software.






