EDRs

This repo contains information about EDRs that can be useful during red team exercise.

patch_syscall_dynamically64.c

This proof-of-concept resolves the syscall ID dynamically, so there is no need to check the Windows version running on the remote host. To read the untampered copy of the DLL from disk, it calls the CreateFileMapping and MapViewOfFile Windows APIs. The mapped DLL is then parsed to retrieve the syscall ID, which is used to patch the live code.

patch_syscall64.c

This proof-of-concept patches the syscall ID specified in the code. The live version of the DLL is patched using the hardcoded syscall ID and then reverted to its original, unpatched state.

get_syscall64.c

This utility is used to retrieve the syscall ID associated with a Windows API.

get_syscall64.exe ntdll.dll NtOpenProcess

ntdll.dll!NtOpenProcess at 0x00007FF873F6CAD0
NtOpenProcess syscall ID 0x00000026 (38)

unhookIAT.c

This proof-of-concept detects hooks placed by EDR/AV/malware in the Import Address Table and replaces them with the original addresses (coded by xalicex).

Excel version of the list of hooks

EDRs.xlsx formatted by Vincent Yiu

Markdown version of the list of hooks

EDRs.md formatted by Vincent Yiu

EDRs Hooked APIs

To contribute, simply run hook_finder64.exe C:\windows\system32\ntdll.dll and submit the output.

CrowdStrike hooked ntdll.dll APIs

CrowdStrike hooks list

SentinelOne hooked ntdll.dll APIs

SentinelOne hooks list

Cylance hooked ntdll.dll APIs (Thanks to Seemant Bisht)

Cylance hooks list

Sophos hooked ntdll.dll APIs

Sophos hooks list

Attivo Deception hooked ntdll.dll APIs

Attivo hooks list

CarbonBlack hooked ntdll.dll APIs (Thanks to Hackndo)

CarbonBlack hooks list

Symantec hooked ntdll.dll APIs (Thanks to CarsonSallis)

Symantec hooks list

DeepInstinct hooked ntdll.dll APIs (Thanks to P0chAcc0)

DeepInstinct hooks list

McAfee hooked ntdll.dll APIs

McAfee hooks list

CheckPoint SandBlast hooked ntdll APIs

CheckPoint SandBlast hooks list

ESET endpoint Security 8.0.2028.0 hooked ntdll APIs

Eset hooks list

TrendMicro 17.7.1130 hooked ntdll APIs

TrendMicro hooks list

Cortex XDR hooked APIs (KERNEL MODE)

⚠️ These hooks are set in kernel mode. They can't be unhooked from user mode.

Cortex XDR hooks list

Bitdefender hooked ntdll APIs

Bitdefender hooks list

Credit

Mr.Un1k0d3r RingZer0 Team

And the whole community <3

Comments
  • Update carbonblack.txt

    Ran hook_finder64.exe on carbon black on 02 Feb 2022, updated the list for carbon black

    Raw result below: https://gist.github.com/ScriptIdiot/57886fd8b556b128aa0b70b38bb1f628

    opened by ScriptIdiot 7
  • Detection of hooks in Import Address Table

    Hello,

    This code detects hooks in the Import Address Table and replaces the hooks with the true address of the functions.

    I thought it could be useful in this repo :)

    opened by xalicex 4
  • Added cast to parameter and modified GetBytesByName type

    I've modified some variable types and a function in order to be able to compile and execute the code on my machine. This version is working perfectly. Maybe other people had the same issue?

    For instance "GetBytesByName" was a bool but returned nothing (compilation error). "OffsetNamesTable" variable was a DWORD* leading to a compilation error during the operation base + OffsetNamesTableOffset (compilation error)

    opened by xalicex 2
  • Parser that takes TXT file and puts into CSV format.

    Made a simple parser that takes all the TXT files in current directory, and parses it into a CSV format.

    Usage: Python3 Parse.py > out.csv

    Then you can Excel it, or change to Markdown easier.

    opened by vysecurity 2
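The comment above describes a parser that turns hook_finder64.exe text output into CSV so the per-EDR lists can be collated in Excel or Markdown. The block below is an added example of that conversion written in C (it is not vysecurity's Parse.py and not part of this repository); it works on a constructed report string that follows the output shape shown elsewhere on this page, keeps only the "<Name> is hooked" lines, and emits one edr,api row per hooked function. The EDR label "SampleEDR" and the function names report_to_csv and convert_sample are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the shape of hook_finder64.exe output (not a real capture). */
static const char SAMPLE_REPORT[] =
    "Loading C:\\windows\\system32\\ntdll.dll\r\n"
    "HookFinder Mr.Un1k0d3r RingZer0 Team\r\n"
    "Listing loaded modules\r\n"
    "------------------------------------------\r\n"
    "C:\\Windows\\SYSTEM32\\ntdll.dll is loaded at 0x00007FFF0C150000.\r\n"
    "***Listing Nt* API only\r\n"
    "\r\n"
    "NtQuerySystemTime is hooked\r\n"
    "NtOpenProcess is hooked\r\n"
    "------------------------------------------\r\n"
    "Completed\r\n";

/* Append one "edr,api" CSV row for every "<Name> is hooked" line in report.
 * Returns the number of rows written, or -1 if csv cannot hold the output. */
int report_to_csv(const char *edr, const char *report, char *csv, size_t cap)
{
    static const char SUFFIX[] = " is hooked";
    const size_t suf = sizeof(SUFFIX) - 1;
    size_t used = 0;
    int rows = 0;
    const char *line = report;

    if (cap == 0) return -1;
    csv[0] = '\0';

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        /* tolerate CRLF line endings from reports captured on Windows */
        if (len && line[len - 1] == '\r') len--;

        if (len > suf && memcmp(line + len - suf, SUFFIX, suf) == 0) {
            size_t namelen = len - suf;
            /* an API name contains no spaces; anything else is not a hook line */
            if (memchr(line, ' ', namelen) == NULL) {
                int n = snprintf(csv + used, cap - used, "%s,%.*s\n", edr, (int)namelen, line);
                if (n < 0 || (size_t)n >= cap - used) return -1;
                used += (size_t)n;
                rows++;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return rows;
}

/* Convert the constructed sample; returns the CSV rows or NULL on error. */
const char *convert_sample(void)
{
    static char csv[512];
    return report_to_csv("SampleEDR", SAMPLE_REPORT, csv, sizeof csv) < 0 ? NULL : csv;
}

int main(void)
{
    const char *csv = convert_sample();
    if (!csv) return 1;
    fputs("edr,api\n", stdout);   /* header row, then one row per hooked API */
    fputs(csv, stdout);
    return 0;
}
```

To process the real per-EDR text files, read each file into a buffer, use the file name (minus .txt) as the edr label and call report_to_csv once per file, appending to the same output; the ordering of rows then matches the order in which hook_finder listed the functions.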
  • Create MDE.txt

    Full output as below:

    Loading C:\windows\system32\ntdll.dll
    HookFinder Mr.Un1k0d3r RingZer0 Team
    Listing loaded modules
    C:\Users\lowprivuser\Desktop\hook_finder64.exe is loaded at 0x0000000000400000.
    C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFE428B0000.
    C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFE41020000.
    C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFE3FEF0000.
    C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007FFE3DFB0000.
    C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFE412A0000.
    ***Listing Nt* API only

    NtQuerySystemTime is hooked

    Completed

    opened by ScriptIdiot 1
  • Kaspersky

    Hi,

    wanted to share my observation for Kaspersky. Seems like Kaspersky does the real hooking in Kernel mode as well like Cortex or Defender MDE.

    How can those hooks be identified?

    Loading c:\Windows\System32\ntdll.dll
    HookFinder Mr.Un1k0d3r RingZer0 Team
    Listing loaded modules
    ------------------------------------------
    C:\Users\user\Desktop\hook_finder64.exe is loaded at 0x0000000000400000.
    C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFF0C150000.
    C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFF0BBF0000.
    C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFF09A90000.
    C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFF0BDE0000.
    ***Listing Nt* API only
    
    NtQuerySystemTime is hooked
    ------------------------------------------
    Completed
    
    opened by 0xShkk 1
  • Update cortex.txt

    Some functions are hooked from user-mode, but it seems the DLL is not injected in all processes. Some are with a JMP instruction, for example NtAllocateVirtualMemory:

    [image]

    Others are hooked using a PUSH; RET approach, for example NtMapViewOfSection

    [image]

    opened by waawaa 0
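The comment above shows two shapes a user-mode hook on an Nt* stub can take (a JMP, or a PUSH; RET pair), while the README's get_syscall64 sample reads the syscall ID (0x26 for NtOpenProcess in that run) straight out of an unmodified stub. The block below is an added example, not code from this repository, that classifies the first bytes of a stub into those cases: the unmodified x64 prologue mov r10, rcx; mov eax, imm32 (from which the syscall ID is taken), a near JMP detour, the simplest push imm32; ret form, or unknown for anything else. The sample byte strings are constructed here, not copied from any ntdll or EDR; the names classify_stub, stub_info and the SAMPLE_* arrays are this example's own, and the assumption that a hook uses exactly one of the two shapes named is a simplification (longer trampolines exist and would fall into the unknown bucket, which is the intended behaviour for a detector that should not guess).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes of an Nt* stub look like. */
typedef enum {
    STUB_CLEAN,         /* 4C 8B D1 B8 imm32 : mov r10,rcx ; mov eax,<syscall id> */
    STUB_HOOK_JMP,      /* E9 rel32          : jmp to a detour */
    STUB_HOOK_PUSHRET,  /* 68 imm32 C3       : push <target> ; ret */
    STUB_UNKNOWN        /* none of the above; inspect by hand */
} stub_kind;

typedef struct {
    stub_kind kind;
    uint32_t  syscall_id;   /* meaningful only for STUB_CLEAN */
    int64_t   detour;       /* JMP: offset from the stub start; PUSH/RET: sign-extended imm32 */
} stub_info;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Inspect the leading bytes of a stub; len is how many bytes are readable. */
stub_info classify_stub(const uint8_t *stub, size_t len)
{
    stub_info info = { STUB_UNKNOWN, 0, 0 };
    if (len >= 8 && stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1 && stub[3] == 0xB8) {
        info.kind = STUB_CLEAN;
        info.syscall_id = rd32(stub + 4);
    } else if (len >= 5 && stub[0] == 0xE9) {
        info.kind = STUB_HOOK_JMP;
        info.detour = 5 + (int32_t)rd32(stub + 1);   /* rel32 is relative to the next instruction */
    } else if (len >= 6 && stub[0] == 0x68 && stub[5] == 0xC3) {
        info.kind = STUB_HOOK_PUSHRET;
        info.detour = (int32_t)rd32(stub + 1);        /* push imm32 is sign-extended on x64 */
    }
    return info;
}

const char *stub_kind_name(stub_kind k)
{
    switch (k) {
    case STUB_CLEAN:        return "clean";
    case STUB_HOOK_JMP:     return "hooked (jmp)";
    case STUB_HOOK_PUSHRET: return "hooked (push/ret)";
    default:                return "unknown";
    }
}

/* Constructed samples (not bytes taken from any real ntdll or EDR). */
const uint8_t SAMPLE_CLEAN[]   = { 0x4C,0x8B,0xD1,0xB8,0x26,0x00,0x00,0x00,
                                   0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01 };
const uint8_t SAMPLE_JMP[]     = { 0xE9,0xFB,0x0F,0x00,0x00 };
const uint8_t SAMPLE_PUSHRET[] = { 0x68,0x78,0x56,0x34,0x12,0xC3 };

static void report(const char *name, const uint8_t *stub, size_t len)
{
    stub_info i = classify_stub(stub, len);
    printf("%-16s %s", name, stub_kind_name(i.kind));
    if (i.kind == STUB_CLEAN)
        printf(", syscall ID 0x%08lX (%lu)", (unsigned long)i.syscall_id, (unsigned long)i.syscall_id);
    else if (i.kind != STUB_UNKNOWN)
        printf(", detour 0x%llX", (unsigned long long)i.detour);
    putchar('\n');
}

int main(void)
{
    report("clean stub", SAMPLE_CLEAN, sizeof SAMPLE_CLEAN);
    report("jmp hook", SAMPLE_JMP, sizeof SAMPLE_JMP);
    report("push/ret hook", SAMPLE_PUSHRET, sizeof SAMPLE_PUSHRET);
    report("truncated", SAMPLE_CLEAN, 3);
    return 0;
}
```

The byte-pattern check is a quick triage step; the more robust comparison is the one the README describes for patch_syscall_dynamically64.c, reading the on-disk ntdll through a file mapping and diffing each exported stub against its in-memory copy, which also catches hooks that do not start with one of these three shapes.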
  • Update unhookIAT.c

    I've added some comment to clarify the code and replace the 4096 bytes size in virtual protect to 8 bytes. Because well, 4096 was maybe a little overkill...

    opened by xalicex 0
  • Create checkpoint-sandblast.txt

    I tried against a few more like FireEye EDR on Windows 7 but your hook detector did not like it. I also tried it against Cybereason and F-Secure EDRs but the hook detector did not like Windows Server versions either.

    opened by trickster0 0
  • Windows 10 Home - SO 18363.1440

    Loading C:\windows\system32\ntdll.dll
    HookFinder Mr.Un1k0d3r RingZer0 Team
    ------------------------------------------
    BASE                    0x00007FF8BC940000      MZÉ
    PE                      0x00007FF8BC9400D8      PE
    ExportTableOffset       0x00007FF8BCA8C370
    OffsetNameTable         0x00007FF8BCA8E8CC
    Functions Count         0x94d (2381)
    ------------------------------------------
    RtlInitializeSListHead is hooked
    ------------------------------------------
    Completed
    
    opened by r00t-3xp10it 0
  • Suggestion

    You may want to include Tanium's advanced EDR solution. It is used by big organizations to address insider threats.

    https://try.tanium.com/?utm_campaign=01-D-PSP-OA-PPC-WW-Google-HFPOC&utm_source=google&utm_medium=cpc&utm_content=tanium&utm_term=%2Btanium&gclid=Cj0KCQjws-OEBhCkARIsAPhOkIad-9DIv8SBZfxq8o_vf7PSq2BOZctqNyFP630UmMY87HZm56n-gVQaAt5fEALw_wcB

    opened by mayben0x 4
  • MDE/ATP

    Wanted to share that Microsoft Defender for Endpoint (MDE) (previously known as Advanced Threat Protection (ATP)) is embedded within the operating system and does not seem to hook anything on ntdll.dll. Perhaps you might want to add that to the list despite the empty output.

    opened by diogo-fernan 8
Owner
Mr.Un1k0d3r
Mostly Red Team tools for penetration testing. My patreon https://patreon.com/MrUn1k0d3r