This repo contains information about EDRs that can be useful during red team exercise.
This proof-of-concept is resolving the syscall ID dynamically no need to check the version running on the remote host. To get the information on disk (not tampered) a call to CreateFileMapping and MapViewOfFile Windows APIs is performed. The DLL is then parsed to retrived the data and used to patch the live code.
This proof-of-concept is patch the syscall ID specified in the code. The live version of the DLL is then patched using the hardcoded syscall ID and reverted to the original unpatched state.
This utility is used to retrived the sycall ID associated with a Windows API.
get_syscall64.exe ntdll.dll NtOpenProcess
ntdll.dll!NtOpenProcess at 0x00007FF873F6CAD0
NtOpenProcess syscall ID 0x00000026 (38)
This proof-of-concept detects hooks placed by EDR/AV/Malware in the Import Address Table and replace them with original addresses (coded by xalicex).
EDRs.xlsx formatted by Vincent Yiu
EDRs.md formatted by Vincent Yiu
Want to contribute simply run hook_finder64.exe C:\windows\system32\ntdll.dll and submit the output.
The newer version moved away from UMH and instead rely on kernel callback as shown below:
CheckPoint SandBlast hooks list
Mr.Un1k0d3r RingZer0 Team
And the whole community <3