EDR/AV Evasion Notes & References :

• ‣

Detecting the Hooks

• Blogs

  • https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions

• Tools

  • HookDetector : https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector
  • InjDrv (Windows Driver for injecting DLL into user-mode processes using APC ) : https://github.com/wbenny/injdrv

• We can detect hooks by looking at the first 4 bytes of an API instruction.

• Generally they are in sequence of 0x4c, 0x8b, 0xd1, 0xb8

• If we don’t find this sequence then this indicates that API may be hooked.

• We can use HookDetector to find all Hooked API calls. HookDetector can be executed using execute-assembly in cobalt strike.

Bypassing the EDR Hooks / Syscalls

• Blogs

  • VX-UnderGround : https://vx-underground.org/Papers/Windows/Evasion - Systems Call and Memory Evasion
  • Intro to Syscalls for WIndows Malware : https://youtu.be/elA_eiqWefw?si=RomboiseZTMEbPzp
  • Understanding Syscalls - Direct, Indirect, and Cobalt Strike Implementation : https://d01a.github.io/syscalls/
  • https://sabotagesec.com/breakpoints-heavens-gate-and-stack/
  • LayeredSyscall – Abusing VEH to Bypass EDRs : https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs/
  • (Indirect Syscall) Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams : https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
  • Direct vs Indirect Syscalls : https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls
  • https://medium.com/@sam.rothlisberger/manual-indirect-syscalls-and-obfuscation-for-shellcode-execution-bb589148e56f
  • https://malwaretech.com/2023/12/an-introduction-to-bypassing-user-mode-edr-hooks.html
    • https://malwaretech.com/2023/12/silly-edr-bypasses-and-where-to-find-them.html
  • https://www.crow.rip/crows-nest/mal/dev/inject/syscalls
  • https://pre.empt.blog/2022/implementing-syscall-detection-into-fennec
  • https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/#direct-syscall-you-say-
  • Windows Syscalls Tabls - https://j00ru.vexillium.org/syscalls/nt/64/
  • https://cyberwarfare.live/bypassing-av-edr-hooks-via-vectored-syscall-poc/
  • https://redops.at/en/blog/syscalls-via-vectored-exception-handling

• Manual Mapping / Unhooking Techniques (same applies for kernel32.dll and others) - (Can be detected as the memory space changes from RX to RWX or there are multiple copies of NTDLL.dll in memory of process)

  • NTDLL Unhooking - from Disk
    • SharpUnhooker (C# based Unhooker) : https://github.com/GetRektBoy724/SharpUnhooker
  • NTDLL Unhooking - from KnownDLLs directory
  • NTDLL Unhooking - from a Suspended Process (Peruns Fart)
  • NTDLL Unhooking - from Remote Server

• Direct Syscall Techniques - ( Can be detected as Syscall happens from process directly and not from ntdll.dll - read this , Also Call Stack/Sequence would be different )

  • SysWhisper1
  • Syswhispers2
  • Hells Gate - https://github.com/am0nsec/HellsGate
  • Halo’s Gate
  • TartaruGate - https://github.com/trickster0/TartarusGate
  • Tools :
    • Halos Gate-based NTAPI Unhooker : https://github.com/GetRektBoy724/HalosUnhooker

• **Indirect Syscall Techniques (**Ensures all systemcalls go through ntdll.dll or relevant syscall dll)

  • SysWhisper3 - https://github.com/klezVirus/SysWhispers3
  • RecycledGate - Hellsgate + Halosgate/Tartarosgate : https://github.com/thefLink/RecycledGate
  • HellHall - https://github.com/Maldev-Academy/HellHall
  • NtGate - https://github.com/hiatus/NtGate
  • PigSyscall - https://github.com/evilashz/PigSyscall
  • SyscallMayBe - https://github.com/oldboy21/SyscallMeMaybe
  • HWSyscalls - (execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP) : https://github.com/Dec0ne/HWSyscalls
  • LayeredSyscall ( Generates legitimate call stack frame along with indirect syscalls by abusing Vectored Exception Handling (VEH) to bypass User-Land EDR hooks in Windows ) : https://github.com/WKL-Sec/LayeredSyscall
    • https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs/
  • https://medium.com/@sam.rothlisberger/manual-indirect-syscalls-and-obfuscation-for-shellcode-execution-bb589148e56f

• Syscall Tempering Techniques

  • SyscallTempering : https://github.com/Allevon412/SyscallTempering
  • Syscall Tempering : https://github.com/rad9800/TamperingSyscalls

• Other Techniques

  • Approaches Utilizing Hardware BreakPoint
    • https://github.com/Dec0ne/HWSyscalls
    • https://github.com/rad9800/TamperingSyscalls
    • https://github.com/RedTeamOperations/VEH-PoC
  • MutationGate - Using hardware breakpoint to dynamically change SSN in run-time : https://github.com/senzee1984/MutationGate
  • EDRCeption - Abusing exception handlers to hook and bypass user mode EDR hooks : https://github.com/MalwareTech/EDRception
  • Ruy-Lopez - Prevent EDR from injecting its DLL to a process to avoid adding hooks on API calls : https://github.com/S3cur3Th1sSh1t/Ruy-Lopez
  • HookChain - Works by leveraging IAT Hooking, dynamic SSN resolution, and indirect syscalls to hijack execution flow within Windows subsystems, avoiding Ntdll.dll hooks and maintaining stealth without altering application or malware binaries : https://github.com/helviojunior/hookchain
    • Research Paper - HookChain: A new perspective for Bypassing EDR Solutions : https://github.com/helviojunior/hookchain/blob/main/HookChain_en_v1.5.pdf

Process Mitigation Policy (BlockDLLs, ACG)

Using ACG(Arbitrary Code Guard)/BlockDll (CIG) mitigation policy

• Blogs
  • Protecting Your Malware with blockdlls and ACG : https://blog.xpnsec.com/protecting-your-malware/
  • VXUnderground - Manual Implementation of BlockDLLs and ACG : https://samples.vx-underground.org/Papers/Windows/Evasion - Systems Call and Memory Evasion/2022-08-08 - Manual Implementation of BlockDLLs and ACG.cpp