I will be uploading all the code I created with the help of either open-source projects or blogs. This is a step-by-step EDR learning path for me.
Syscall Implementation in Nim: sysplant by x42en
-
SSN Sorting and Patching:
i. Neither direct syscall nor indirect syscall, but can be weaponised to do both with SSN sorting.
   Thanks to @D1rkMtr for his project: UnhookingPatch
ii. My implementation of SSN sorting and patching (SSN + syscall address sorting via Halo's Gate + patching + RC4-encrypted shellcode decrypted directly in process memory via SystemFunction033 (undocumented RC4 API) + EnumThreadWindows): link
-
Direct Dynamic Syscall (Not Hard-Coded Stub):
i. Blog by @VirtualAllocEx: https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls (concept as well as code snippet; whole code; exceptionally well explained!)
ii. Hell's Gate: Exploring Hell's Gate:
   Mechanism: look up the syscall by the first opcodes of its ntdll stub (mov r10, rcx ; mov eax, SSN) and read the SSN out of the mov; a hooked stub (a JMP in place of those bytes) cannot be resolved this way.
   -> ...
iii. Halo's Gate:
   Mechanism: look up the syscall by the first opcodes and, if the first instruction is a JMP, search the neighbouring stubs up and down; the SSN is the clean neighbour's SSN adjusted by the distance, since SSNs follow address order.
iv. TartarusGate: modified Halo's Gate implementation:
   Why needed? Because not all EDRs hook the same way (some place the JMP after mov r10, rcx rather than at the first instruction): more here: Blog
   Mechanism: look up the syscall by the first opcodes and search nearby if the first or the third instruction is a JMP.
   Whole code: here.
v. FreshyCalls:
   Mechanism: look up the syscall by name (starts with "Nt" but not "Ntdll"), sort the export addresses, and take the position in the sorted list as the syscall number.
   Source code: here
   Blog post: here
Comparative table taken from Cyberbit's blog (link doesn't work: link):
-
Indirect Syscall (C version):
i. Blog: https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls : source code
-
Indirect Dynamic Syscall:
i. HellHall (C version):
   Mechanism: Hell's Gate + indirect syscall: https://github.com/Maldev-Academy/HellHall
ii. D1rkLdr and HadesLdr:
   SSN + syscall address sorting via Halo's Gate + indirect syscall + API hashing + stageless shellcode, by @D1rkMtr. Thanks to @D1rkMtr for the modified TartarusGate approach!
iii. My implementation of indirect dynamic syscall (basic): Here
   Mechanism: SSN + syscall address sorting via Halo's Gate + checks whether the first, third, eighth, tenth or twelfth instruction is a JMP (modified TartarusGate) + indirect syscall
iv. My implementation of indirect dynamic syscall (basic + Early Bird + API resolution from the TEB + API hashing + EventLog service killing): DarkWidow
v. My implementation of indirect dynamic syscall (basic + Early Bird (modified form) + API resolution from the TEB + API hashing): Coming soon...
-
Ntdll Unhooking Collection:
1.1. Unhooking NTDLL from disk: done by @D1rkMtr.
1.2. Unhooking NTDLL from disk (indirect): my implementation, made private.
2. Unhooking NTDLL from KnownDlls: done by @D1rkMtr.
3. Unhooking NTDLL from a suspended process: done by @D1rkMtr.
4.1. Unhooking NTDLL from a remote server (fileless): done by @D1rkMtr.
4.2. My implementation of it: POC version (not full weaponisation): ReflectiveNtdll
5. Unhooking NTDLL in a remote process (Shellycoat - Baptize Tainted Ntdll): done by @winterknife.
-
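Whatever the clean copy comes from (disk, KnownDlls, a suspended process, a remote server), the unhooking entries above end in the same step: find `.text` in the clean image and copy it over `.text` of the ntdll loaded in the current process. Added example, my code and not any of the listed projects': it parses the PE section table itself (header offsets are the documented PE/COFF layout) and runs against two constructed toy images instead of the real ntdll.dll, so it runs offline on any OS. A live version would read `C:\Windows\System32\ntdll.dll` into the `disk` buffer, use the module base as `loaded`, and wrap the copy in VirtualProtect calls; those Windows-only parts are deliberately left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE/COFF header offsets needed to find a section (documented PE format layout). */
#define E_LFANEW_OFF      0x3C   /* DOS header: file offset of "PE\0\0" */
#define NUM_SECTIONS_OFF  6      /* NT headers: FileHeader.NumberOfSections */
#define SIZE_OPT_HDR_OFF  20     /* NT headers: FileHeader.SizeOfOptionalHeader */
#define FIRST_SECTION_OFF 24     /* NT headers: Signature(4) + FileHeader(20) */
#define SECTION_HDR_SIZE  40

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

struct section { uint32_t virtual_size, virtual_address, raw_size, raw_pointer; };

/* Walk the section table and return the header of the named section. Works on a
 * raw file buffer and on a mapped image alike, since headers sit at offset 0 in both. */
int find_section(const uint8_t *image, const char *name, struct section *out)
{
    uint32_t nt = rd32(image + E_LFANEW_OFF);
    if (memcmp(image + nt, "PE\0\0", 4) != 0)
        return 0;
    uint16_t count = rd16(image + nt + NUM_SECTIONS_OFF);
    const uint8_t *sh = image + nt + FIRST_SECTION_OFF + rd16(image + nt + SIZE_OPT_HDR_OFF);
    for (uint16_t i = 0; i < count; i++, sh += SECTION_HDR_SIZE) {
        if (strncmp((const char *)sh, name, 8) != 0)
            continue;
        out->virtual_size    = rd32(sh + 8);
        out->virtual_address = rd32(sh + 12);
        out->raw_size        = rd32(sh + 16);
        out->raw_pointer     = rd32(sh + 20);
        return 1;
    }
    return 0;
}

/* Unhook: overwrite the loaded image's .text (addressed by RVA) with the clean
 * copy from disk (addressed by raw file offset). Returns how many bytes differed
 * before the copy, i.e. how much the EDR had patched, or -1 if .text is missing.
 * In a live process the range must be made writable first (VirtualProtect) and
 * its protection restored afterwards; omitted here since these are plain buffers. */
int unhook_text(uint8_t *loaded, const uint8_t *disk)
{
    struct section mem, file;
    if (!find_section(loaded, ".text", &mem) || !find_section(disk, ".text", &file))
        return -1;
    uint8_t *dst = loaded + mem.virtual_address;
    const uint8_t *src = disk + file.raw_pointer;
    uint32_t len = mem.virtual_size < file.raw_size ? mem.virtual_size : file.raw_size;
    int diff = 0;
    for (uint32_t i = 0; i < len; i++)
        diff += dst[i] != src[i];
    memcpy(dst, src, len);
    return diff;
}

#define IMAGE_SIZE 0x600
/* Constructed toy "ntdll": one .text section of 0x100 bytes, raw offset 0x200,
 * RVA 0x400. mapped=1 lays .text out at its RVA (as the loader would), mapped=0
 * at its raw offset (as the file on disk). hooked=1 plants a JMP at the start of
 * .text, the shape an inline hook on the first stub would have. */
void build_image(uint8_t *img, int mapped, int hooked)
{
    static const uint8_t jmp[5] = { 0xE9, 0x10, 0x20, 0x30, 0x40 };
    memset(img, 0, IMAGE_SIZE);
    memcpy(img, "MZ", 2);
    wr32(img + E_LFANEW_OFF, 0x80);
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x80 + NUM_SECTIONS_OFF, 1);
    wr16(img + 0x80 + SIZE_OPT_HDR_OFF, 0xF0);          /* size of a PE32+ optional header */
    uint8_t *sh = img + 0x80 + FIRST_SECTION_OFF + 0xF0;
    memcpy(sh, ".text\0\0\0", 8);
    wr32(sh + 8, 0x100); wr32(sh + 12, 0x400); wr32(sh + 16, 0x100); wr32(sh + 20, 0x200);
    uint8_t *text = img + (mapped ? 0x400 : 0x200);
    for (int i = 0; i < 0x100; i++)
        text[i] = (uint8_t)(0x4C + i % 7);               /* constructed filler standing in for stub code */
    if (hooked)
        memcpy(text, jmp, sizeof jmp);
}

int main(void)
{
    uint8_t loaded[IMAGE_SIZE], disk[IMAGE_SIZE];
    build_image(loaded, 1, 1);   /* what the EDR left in our process */
    build_image(disk, 0, 0);     /* what ntdll.dll looks like on disk */
    printf("patched bytes restored: %d\n", unhook_text(loaded, disk));
    printf("second pass: %d\n", unhook_text(loaded, disk));
    return 0;
}
```

The byte-difference count the function returns is the same comparison a defender runs in the other direction: diffing a process's in-memory ntdll `.text` against the on-disk copy is how both EDR hooks and this kind of unhooking show up, so a real implementation should expect the write itself (a process modifying ntdll's code pages) to be the observable event, not the contents.
-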
Memory Scanning Evasion
-
Advanced Module Stomping
-
Thread/Call Stack Spoofing:
i. behind-the-mask-spoofing-call-stacks-dynamically-with-timers
-
Custom Call Stack
-
...
- Blinding EventLog + enabling SeDebugPrivilege: links:
Not a complete list -> I will be adding the rest while I continue my learning,
and please, they are not listed in any particular order!
=> All have made a great contribution to the open-source community!
- @SEKTOR7net
- @zodiacon
- @winterknife
- redops - knowledge-base by @VirtualAllocEx
- Evading EDR by @matterpreter
- @0xBoku
- @jack_halon
- @Jean_Maes_1994
- @peterwintrsmith
- @x86matthew
- @domchell
- @FuzzySec
- @modexpblog
- @D1rkMtr
- @ZeroMemoryEx
- @NinjaParanoid
- Windows-Internals and MA by @Chrollo_l33t
- trustedsec by @TrustedSec
- @spotheplanet
- @C5pider
- @0xTriboulet
- @codex_tf2
- @Jackson_T
- @_RastaMouse
- @ShitSecure
- @CaptMeelo
- @0x09AL
- @hasherezade
- @0gtweet
- @phraaaaaaa
- @Flangvik
- @rad9800
- @Octoberfest73
- @eversinc33
- @allevon412
- @0xLegacyy
- @d_tranman