EntryPoint Hijacking: stealth injection into Windows process memory

The article describes the EntryPoint Hijacking technique on Windows, in which code is injected into a process's address space and executed by hijacking the DLL entry point (DllMain) rather than by creating a new thread. The DLL's EntryPoint is modified through the loader's own structures (the PEB and its LDR module list), which lets the injected code blend into the normal process lifecycle and complicates detection.
Implementations in the EPI and LdrShuffle tools are discussed: the EntryPoint of a system library is replaced, the code is executed through a managed thread pool, and the original values are then restored.
Products: EPI, LdrShuffle, Windows
Published: 2026-05-20, 09:32