EDR bypasses and evasion techniques

#995
Title: Bypass AV/EDR real-time protection by just modifying a single byte in the kernel memory
Administrator
08/25/2023 09:07 - 325 days 18 hours 27 minutes
#995
I wanted to point out the weaknesses and blind spots in the most advanced AV and EDR solutions. The aftermath was that the author ended up almost bypassing the entire security (PatchGuard/DSE/Callbacks) in the kernel.

Easy Anti-Cheat (EAC) is one of the oldest, most popular and is considered one of the most advanced kernel anti-cheats out there. EAC is using a custom obfuscation to make the reversal process utterly time consuming. It's in other words an obfuscated rootkit using malware techniques that stands out as an anti-cheat. To mention a few (system thread start address and stack spoofing).

As I write a bypass for this anti-cheat. I also started to be interested in whether it does something else when there are tens if not hundreds of millions of players per month who use it - Please do not get me wrong. This is not a blackmail campaign of mine. Definitely after weeks of constant work on the bypass. I can say that their team knows what they are doing.

The author was able to "pause" EAC's integrity checks and callbacks. In other words bypassed EAC as there was no anti-cheat at all provided the protected game process is suspended (I'll perfect my EAC disabler soon so that I can debug the game as there was no EAC at all). With the same technique the author is able to blind most of AV/EDRs as well. You can consider this post as my CV because the author does not have Bachelor in IT. Even if you don't have a bachelor, that does not mean you are not capable.

Bypassing kernel callbacks allows you to use blacklisted tools (read attach tools such as Cheat Engine to the game process with full access rights) and drivers, making it easier to reverse a protected game. The aforementioned bypass is primarily designed to bypass the kernel anti-cheats, but the author wanted to test whether traditional AVs or EDRs are prepared for when an advanced malware gets into the kernel's memory space.

As of 08/2023, the following AV's did not detected the bypass (kernel callbacks disabled, in other words, the core functionality of all these security solutions disabled) even though their real-time protection was on. Ironically they did not took it seriously and one just said that - A lot of the game is lost if programs are run with administrator user rights.

Windows Defender
F-Secure SAFE
ESET

Note that the author has only tested/bypassed the listed AVs. The author has also contacted a number of EDR "providers" without receiving a reply. The question is, are those quick money grab, so called security solutions even interested in security at all?

The appearance and user interface is shiny in most of quick money grab "solutions" and has been invested in, but when it came down to it, their products didn't seem to have any integrity checks (read any self-defense) against an advanced red teaming techniques that most advanced malwares are using today.

Instead of real protection, most solutions have invested in making extra money, such as by turning the product into a VPN service. It is also very questionable that they take the user's browser history, upload files without permission to their server, citing child protection. Therefore they themselves are the worst abusers of children. Also according to Microsoft: Admin to kernel transition is not a security issue. That's so much for the security then, I guess.


The author of the article tested all the listed AV/EDR products in real life attack scenario. EAC's integrity checks was clearly better (even though the author bypassed it) than in any of the listed security solution. Can't even compare the same day. The author of the article knows how to make at least as good or better protection than what is EAC in terms of integrity checks (I am not only talking about kernel callbacks, also dynamic kernel-level text section protection is implemented in the source code of the bypass), but some of the listed solutions were too "busy" to answer or just overlooked the issue.

I think that those security solutions were just too proud to admit that their solution is more or less useless against an advanced unknown malware using aforementioned techniques.

The undocumented https://github.com/ByteWhite1x1/EDR-bypass-disable-PspNotifyEnableMask struct.


Post a comment

Registered users do not have to enter captcha. A line in the code tag is currently limited to maxium of 160 characters.
Posting guidelines: You may not post any personal information. When you report an issue: Always mention which version and operating system and briefly describe the issue. Any support request post that does not include this information will be removed as spam without a reply.
Title
Tags You may use the following tags: [QUOTE] [/QUOTE] [B] [/B] [URL] [/URL] [CODE] [/CODE]
Captcha Please enter the text you see (case insensitive). The listed characters must be entered clockwise starting from twelve o'clock.
Comments are moderated Y