Learning-EDR-and-EDR_Evasion

I will be uploading all the code I have created with the help of either open-source projects or blogs. This is a step-by-step EDR learning path for me.


NOTE:

Syscall Implementation in Nim: sysplant by x42en


Learning Curve:

Schematic Workflow:

  1. SSN Sorting and Patching:
    i. Neither a direct syscall nor an indirect syscall on its own, but it can be weaponised to do both with SSN sorting.
    Thanks to @D1rkMtr for his project: UnhookingPatch

    ii. My implementation of SSN sorting and patching:
    (SSN + syscall address sorting via Halo's Gate + patching + RC4-encrypted shellcode decrypted directly from process memory via the SystemFunction033 Nt API + EnumThreadWindows): link

  2. Direct Dynamic Syscall (no hard-coded stub):
    Blog by @VirtualAllocEx:
    i. https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls (concept as well as code snippet: Whole Code;
    exceptionally well explained!)

    ii. Hell's Gate: Exploring Hell's Gate:
    Mechanism: look up the syscall by its first opcodes
    -> ...

    iii. Halo's Gate:
    Mechanism: look up the syscall by its first opcodes and, if the first instruction is a JMP (a hook), search the neighbouring stubs

    iv. TartarusGate: modified Halo's Gate implementation:
    Why needed?
    Cause: not all EDRs hook the same way. More here: Blog
    Mechanism: look up the syscall by its first opcodes and search nearby if the first or the third instruction is a JMP
    Whole Code: here.

    v. FreshyCalls:
    Mechanism: look up syscalls by name (exports starting with Nt but not Ntdll), then sort the addresses to retrieve the syscall number
    Source Code: here
    Blog Post: here

    Comparative table (image) taken from Cyberbit's blog (the original link no longer works: link).

  3. Indirect Syscall (.C version):
    i. Blog: https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls : Source Code

  4. Indirect Dynamic Syscall:
    i. HellHall (.C version):
    Mechanism: Hell's Gate + indirect syscall, https://github.com/Maldev-Academy/HellHall

    ii. D1rkLdr and HadesLdr:
    SSN + syscall address sorting via Halo's Gate + indirect syscall + API hashing + stageless shellcode, by @D1rkMtr

    Thanks to @D1rkMtr for the modified TartarusGate approach!

    iii. My implementation of Indirect Dynamic Syscall (basic): Here
    Mechanism: SSN + syscall address sorting via Halo's Gate + checks whether the first, third, eighth, tenth or twelfth instruction is a JMP (modified TartarusGate) + indirect syscall

    iv. My implementation of Indirect Dynamic Syscall (basic + Early Bird + API resolution from the TEB + API hashing + EventLog service killing): DarkWidow

    v. My implementation of Indirect Dynamic Syscall (basic + Early Bird (modified form) + API resolution from the TEB + API hashing): Coming soon...

  5. Ntdll Unhooking Collection:
    1.1. 1 - Unhooking NTDLL from disk: done by @D1rkMtr.
    1.2. 1 - Unhooking NTDLL from disk (indirect): my implementation, made private.
    2. 2 - Unhooking NTDLL from KnownDlls: done by @D1rkMtr.
    3. 3 - Unhooking NTDLL from a suspended process: done by @D1rkMtr.
    4.1. 4 - Unhooking NTDLL from a remote server (fileless): done by @D1rkMtr.
    4.2. My implementation of it, POC version (not fully weaponised): ReflectiveNtdll
    5. 5 - Unhooking NTDLL in a remote process (Shellycoat - Baptize Tainted Ntdll): done by @winterknife.

  6. Memory Scanning Evasion

  7. Advanced Module Stomping

  8. Thread/Call Stack Spoofing:
    i. Behind the Mask: Spoofing Call Stacks Dynamically with Timers (behind-the-mask-spoofing-call-stacks-dynamically-with-timers)

  9. Custom Call Stack

  10. ...

Admin Priv (PostExp):

  1. Blinding EventLog + Allowing SeDebugPrivilege: links:

Courtesy to:

Not a complete list -> I will be adding the rest while I continue my learning,
and please, they are not listed based on anything!
=> All have made a great contribution to the open-source community!

  1. @SEKTOR7net
  2. @zodiacon
  3. @winterknife
  4. redops - knowledge-base by @VirtualAllocEx
  5. Evading EDR by @matterpreter
  6. @0xBoku
  7. @jack_halon
  8. @Jean_Maes_1994
  9. @peterwintrsmith
  10. @x86matthew
  11. @domchell
  12. @FuzzySec
  13. @modexpblog
  14. @D1rkMtr
  15. @ZeroMemoryEx
  16. @NinjaParanoid
  17. Windows-Internals and MA by @Chrollo_l33t
  18. trustedsec by @TrustedSec
  19. @spotheplanet
  20. @C5pider
  21. @0xTriboulet
  22. @codex_tf2
  23. @Jackson_T
  24. @_RastaMouse
  25. @ShitSecure
  26. @CaptMeelo
  27. @0x09AL
  28. @hasherezade
  29. @0gtweet
  30. @phraaaaaaa
  31. @Flangvik
  32. @rad9800
  33. @Octoberfest73
  34. @eversinc33
  35. @allevon412
  36. @0xLegacyy
  37. @d_tranman