EDR bypasses and evasion techniques

The concept of EDR solutions and their implementation is pretty much the same as in traditional AVs. EDRs have just added behavioral detection patterns and centralized management. The core functionality of every AV and Endpoint Detection and Response (EDR) security solution relies heavily on kernel callbacks.

There is a non-exported variable in the kernel, namely nt!PspNotifyEnableMask: just one byte, used as a mask to determine which callbacks are enabled or disabled. The blind spot of every cybersecurity solution is the notify mask itself.

[!] Is your EDR solution prepared for when advanced malware gains ring 0 and tries to disable it?
[!] Is your EDR even aware that unknown malware has tampered with the undocumented PspNotifyEnableMask?
[!] Does your EDR have an integrity check to prevent malware from disabling it?
[!] Does your EDR detect if PatchGuard has been disabled at runtime?

If your answer is NO to any of the questions, I recommend buying the source code of the bypass that is able to blind most AV/EDR products, including every kernel anti-cheat. The source code is intended for those who have previous experience in coding kernel drivers. You can use the bypass to test whether your AV or EDR solution is up to date or not. The price includes the concept of implementing a reasonable integrity check.

The source code of the driver (C/C++) that disables kernel callbacks at runtime is available for $4,999 USD via PayPal ("Software work"). The project is a VS2019+ project.

Depending on your needs, the EDR bypass comes either with a manually mapped driver or with a driver that has nt!_DRIVER_OBJECT. If you need a driver with a driver object, the bypass comes with the source code of two drivers: one is manually mapped and the other has nt!_DRIVER_OBJECT.

You can use the KDU project https://github.com/hfiref0x/KDU to load the manually mapped driver, which in turn loads the unsigned driver with nt!_DRIVER_OBJECT.

[+] Windows 10/11 compatible (22H2)
[+] DSE bypass at runtime which enables you to load unsigned kernel driver without the need to purchase an EV or enable test signing
[+] Kernel callback disabler
[+] A tailor-made solution to harden AV/EDR solutions against tampering, specifically to prevent, or at least try to detect, modification of the PspNotifyEnableMask

The bypass is able to walk the undocumented kernel callback table and also verify whether the callbacks have been tampered with in any way. Your AV or EDR is more or less useless without any integrity checks in place, especially when an advanced, previously unknown ransomware starts disabling your cybersecurity solution. It is not worth relying on the kernel's protections alone because the author of the article was also able to bypass PatchGuard at runtime. https://overlayhack.com/patchguard-bypass

The author bypassed the kernel patch protection at runtime to back up the quality of the solution provided, just so people would understand that the solution offered in the article is not a quick money grab.

The source code is also good course material for universities, colleges and any online course site. It represents today's red-team attack techniques and is not intended to be misused in any malware.

As far as the author tested, modifying the PspNotifyEnableMask is not subject to a PatchGuard bug check.

Think about a situation where someone manages to inject malware locally onto an employee's computer and the AV/EDR you use won't even notice that its core functionality has been disabled, while the malware streams a load of other fileless malware that might otherwise be detected. By modifying just one byte in kernel memory, you can disable the kernel core protection on which all security solutions and kernel anti-cheats are based.

The structure below is undocumented, and reversing is required for different versions of Windows. In the PspNotifyEnableMask, the bits define the callbacks to be executed as follows:

[Image: PspNotifyEnableMask bit definitions]


By default, all callbacks are enabled. Flipping a bit disables the corresponding callback. If you disable the PspCallProcessNotifyRoutines callback, the internet connection is also lost.

If you work as a malware analyst, this source code is definitely for you. If the author were to write malware or bypass a kernel anti-cheat, the first thing to do would be to blind the AV/EDR by modifying the mask so that the security solution is no longer aware of which processes are created or which kernel drivers are loaded. To extend the attack to the maximum level, advanced malware may also need to disable kernel patch protection, namely PatchGuard (PG), if necessary.

EDR bypasses

If an application needs to read another process's memory, the usual flow is ReadProcessMemory->NtReadVirtualMemory->Syscall->Kernel. If an EDR has hooked NtReadVirtualMemory, it's possible to bypass the EDR using a direct syscall method, as shown in the screenshot below:

[Screenshot: direct syscall method]

extern "C" NTSTATUS ZwReadVirtualMemory(HANDLE hProcess, void* lpBaseAddress, void* lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead = NULL);

Before you can read process memory, you must open a handle to the process with the appropriate permissions.
BYTE ch = 0;
void* lpBaseAddress = (void*)0x0;
SIZE_T lpNumberOfBytesRead = 0;

NTSTATUS status = ZwReadVirtualMemory(Overlay::hProcess, lpBaseAddress, &ch, sizeof(BYTE), &lpNumberOfBytesRead);

The only problem is that the syscall number is not necessarily the same in all versions of Windows.
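The defender's side of the direct syscall above, as an added example that is not part of the original article or the author's source code: a stub compiled into the application enters the kernel from the application's own image instead of from ntdll.dll, so a sensor that knows where the syscall instruction ran can flag it. The module map, the event records and all names are constructed, and having the originating address in telemetry is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uint64_t base, size; } module_t;
/* Hypothetical telemetry record: service name and the user-mode address
   of the syscall instruction that entered the kernel (assumed available). */
typedef struct { const char *service; uint64_t origin; } sys_event_t;
typedef enum { ORIGIN_EXPECTED, ORIGIN_OTHER_IMAGE, ORIGIN_UNBACKED } origin_t;

/* Constructed sample module map and events, not captured from a real system. */
static const module_t MODULES[] = {
    { "app.exe",    0x00007FF600000000ULL, 0x40000  },
    { "ntdll.dll",  0x00007FFB10000000ULL, 0x1F0000 },
    { "win32u.dll", 0x00007FFB0E000000ULL, 0x22000  },
};
static const sys_event_t EVENTS[] = {
    { "NtReadVirtualMemory", 0x00007FFB1009D3F2ULL }, /* inside ntdll.dll  */
    { "NtReadVirtualMemory", 0x00007FF600012A40ULL }, /* stub in app.exe   */
    { "NtReadVirtualMemory", 0x000001D4A2C30010ULL }, /* no backing module */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Images that legitimately contain syscall stubs. */
static int is_stub_host(const char *name) {
    return strcmp(name, "ntdll.dll") == 0 || strcmp(name, "win32u.dll") == 0;
}

origin_t classify_origin(const module_t *m, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= m[i].base && addr - m[i].base < m[i].size)
            return is_stub_host(m[i].name) ? ORIGIN_EXPECTED : ORIGIN_OTHER_IMAGE;
    return ORIGIN_UNBACKED; /* private memory: not part of any loaded image */
}

/* Returns how many events entered the kernel from outside a stub host. */
size_t count_direct_syscalls(const module_t *m, size_t n,
                             const sys_event_t *e, size_t ne) {
    size_t flagged = 0;
    for (size_t i = 0; i < ne; i++) {
        origin_t o = classify_origin(m, n, e[i].origin);
        if (o == ORIGIN_EXPECTED) continue;
        printf("ALERT %s from 0x%llx (%s)\n", e[i].service,
               (unsigned long long)e[i].origin,
               o == ORIGIN_UNBACKED ? "unbacked memory" : "non-stub image");
        flagged++;
    }
    return flagged;
}

int main(void) {
    return count_direct_syscalls(MODULES, COUNT(MODULES), EVENTS, COUNT(EVENTS)) == 2 ? 0 : 1;
}
```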

The kernel also has so-called object callbacks, namely nt!ObRegisterCallbacks, which control which processes can open handles to other processes with the OpenProcess API. The author is also able to bypass those callbacks just by flipping the value of one byte or by using the old-style handle elevation DKOM that is undetected (UD) in every kernel anti-cheat. MS has implemented Protected Process Light (PPL) technology for Windows. The author is also able to bypass PPL, but that is not covered in the article.

EDR evasion

If an EDR has hooked something in ntdll.dll, evasion is straightforward. You can overwrite the hooks by restoring a clean copy from disk if there are no integrity checks. The author has implemented dynamic kernel-level text section protection that comes with the source code. For a reason, the author has not publicly released the source code of this EDR evasion technique.
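The kind of integrity check whose absence the paragraph above describes, as an added example that is not the author's unreleased code: the sensor remembers the patch bytes it wrote at each hook site and re-verifies them, so a hook overwritten with the on-disk bytes shows up as missing. The buffers standing in for a module's text section, the offsets and all names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PATCH_LEN 5u /* size of the sample hook patch: jmp rel32 */

typedef struct {
    const char *function;         /* hooked export (label only)       */
    size_t      offset;           /* hook site offset inside the text */
    uint8_t     patch[PATCH_LEN]; /* bytes the sensor wrote there     */
} hook_site_t;

/* Write the hook and remember exactly what was written. */
int install_hook(uint8_t *text, size_t len, hook_site_t *h, int32_t rel) {
    if (h->offset > len || len - h->offset < PATCH_LEN) return -1;
    h->patch[0] = 0xE9; /* jmp rel32 opcode */
    memcpy(&h->patch[1], &rel, sizeof rel);
    memcpy(text + h->offset, h->patch, PATCH_LEN);
    return 0;
}

/* Returns a bitmask: bit i set means hook i is no longer in place. */
unsigned verify_hooks(const uint8_t *text, size_t len,
                      const hook_site_t *h, size_t n) {
    unsigned missing = 0;
    for (size_t i = 0; i < n; i++) {
        int ok = h[i].offset <= len && len - h[i].offset >= PATCH_LEN &&
                 memcmp(text + h[i].offset, h[i].patch, PATCH_LEN) == 0;
        if (!ok) missing |= 1u << i;
    }
    return missing;
}

/* Constructed 64-byte buffers stand in for the on-disk and in-memory text. */
unsigned demo_restore_detected(void) {
    uint8_t disk[64], mem[64];
    hook_site_t hooks[2] = {
        { "NtReadVirtualMemory", 0,  {0} },
        { "NtOpenProcess",       32, {0} },
    };
    memset(disk, 0x90, sizeof disk);        /* constructed "clean" bytes */
    memcpy(mem, disk, sizeof mem);
    install_hook(mem, sizeof mem, &hooks[0], 0x1000);
    install_hook(mem, sizeof mem, &hooks[1], 0x2000);
    if (verify_hooks(mem, sizeof mem, hooks, 2) != 0) return ~0u;
    memcpy(mem + 32, disk + 32, PATCH_LEN); /* site 1 reverted to disk bytes */
    return verify_hooks(mem, sizeof mem, hooks, 2); /* bit 1 set: hook 1 gone */
}

int main(void) { return demo_restore_detected() == 0x2u ? 0 : 1; }
```

A check that runs in the same process as the hooks can itself be patched, which is why the article places its text section protection at kernel level.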

About author

The author of the article is a hobbyist security researcher and lead developer of the HEX DEREF software. https://hexderef.com/

I am currently working on the features mentioned in the article (porting my C kernel driver to C++) in my software. When I get the user interface coded, even ordinary users will be able to wonder what's going on in the kernel. I am also working on an anti-malware driver for my tool and I have a lot of improvements coming vs Process Hacker 2 (PH2) in terms of dynamic malware analysis.

Terms for the source code:

The origin of the source code must not be misrepresented. The original author of the source code is White Byte at overlayhack.com

The source code is sold unconditionally for private or internal company use. In no event may you or the company that bought the source code distribute or resell the source code in any form or distribute information obtained from the source code to third parties. You may only distribute the code in a compiled form (e.g. your anti-malware driver).

For individuals, Bitcoin (BTC) is the only payment method for the source code. PayPal payments are only accepted from verified business accounts.

The HEX DEREF software played a key role in this bypass as well and significantly reduced the time spent because the software can draw the kernel memory as it changes in real time. The software is also able to perform full kernel memory scans (page table walk) and detect changes in the kernel memory as well. At the time of this post, AFAIK, there is no equivalent software available, considering the software also has an IDA Pro-like multi-threaded disassembler for the kernel.

Leave a comment with your needs and I'll contact you (Telegram/Discord/Email). Thanks.

The lab was performed on Windows 10 Pro 22H2 Build: 19045
#995
Title: Bypass AV/EDR real-time protection by just modifying a single byte in the kernel memory
Administrator
08/25/2023 09:07 - 454 days 0 hours 31 minutes
I wanted to point out the weaknesses and blind spots in the most advanced AV and EDR solutions. The aftermath was that the author ended up almost bypassing the entire security (PatchGuard/DSE/Callbacks) in the kernel.

Easy Anti-Cheat (EAC) is one of the oldest, most popular and is considered one of the most advanced kernel anti-cheats out there. EAC is using a custom obfuscation to make the reversal process utterly time consuming. It's in other words an obfuscated rootkit using malware techniques that stands out as an anti-cheat. To mention a few (system thread start address and stack spoofing).

As I write a bypass for this anti-cheat, I also started to be interested in whether it does something else when there are tens if not hundreds of millions of players per month who use it. Please do not get me wrong. This is not a blackmail campaign of mine. Definitely, after weeks of constant work on the bypass, I can say that their team knows what they are doing.

The author was able to "pause" EAC's integrity checks and callbacks. In other words, the author bypassed EAC as if there were no anti-cheat at all, provided the protected game process is suspended (I'll perfect my EAC disabler soon so that I can debug the game as if there were no EAC at all). With the same technique the author is able to blind most AV/EDRs as well. You can consider this post as my CV because the author does not have a Bachelor in IT. Even if you don't have a bachelor, that does not mean you are not capable.

Bypassing kernel callbacks allows you to use blacklisted tools (read: attach tools such as Cheat Engine to the game process with full access rights) and drivers, making it easier to reverse a protected game. The aforementioned bypass is primarily designed to bypass the kernel anti-cheats, but the author wanted to test whether traditional AVs or EDRs are prepared for when advanced malware gets into the kernel's memory space.

As of 08/2023, the following AVs did not detect the bypass (kernel callbacks disabled, in other words, the core functionality of all these security solutions disabled) even though their real-time protection was on. Ironically, they did not take it seriously, and one just said that a lot of the game is lost if programs are run with administrator user rights.

Windows Defender
F-Secure SAFE
ESET

Note that the author has only tested/bypassed the listed AVs. The author has also contacted a number of EDR "providers" without receiving a reply. The question is, are those quick money grab, so called security solutions even interested in security at all?

The appearance and user interface are shiny in most quick money grab "solutions" and have been invested in, but when it came down to it, their products didn't seem to have any integrity checks (read: any self-defense) against the advanced red teaming techniques that the most advanced malware is using today.

Instead of real protection, most solutions have invested in making extra money, such as by turning the product into a VPN service. It is also very questionable that they take the user's browser history, upload files without permission to their server, citing child protection. Therefore they themselves are the worst abusers of children. Also according to Microsoft: Admin to kernel transition is not a security issue. That's so much for the security then, I guess.


The author of the article tested all the listed AV/EDR products in a real-life attack scenario. EAC's integrity checks were clearly better (even though the author bypassed them) than in any of the listed security solutions. Can't even compare the same day. The author of the article knows how to make at least as good or better protection than what EAC has in terms of integrity checks (I am not only talking about kernel callbacks, also dynamic kernel-level text section protection is implemented in the source code of the bypass), but some of the listed solutions were too "busy" to answer or just overlooked the issue.

I think that those security solutions were just too proud to admit that their solution is more or less useless against an advanced unknown malware using aforementioned techniques.

The undocumented https://github.com/ByteWhite1x1/EDR-bypass-disable-PspNotifyEnableMask struct.

