NiceTryDLL is a PoC of detecting direct syscall methods that reads NTDLL from disk. By hooking NtReadFile, it can detects both file read and file copy. For identifying the DLL, it call NtQueryInformationFile for getting the FileNameInformation of the file handle, and then check if the file path ends with ntdll.dll. Since file read and file copy uses NtReadFile, The only way attacker can evades this is to rename the system's NTDLL to something else or hook NtQueryInformationFile to spoof the filename. Again, this is just a PoC, you can add more checks to validate if the DLL is NTDLL if you want to.
