This repo contains information about EDRs that can be useful during red team exercises.

EDRs

patch_syscall_dynamically64.c

This proof-of-concept resolves the syscall ID dynamically, so there is no need to check the version running on the remote host. To read the DLL as it is on disk (not tampered with), it calls the CreateFileMapping and MapViewOfFile Windows APIs. The mapped DLL is then parsed to retrieve the data used to patch the live code.

patch_syscall64.c

This proof-of-concept patches the syscall ID specified in the code. The live version of the DLL is patched using the hardcoded syscall ID and then reverted to its original unpatched state.

get_syscall64.c

This utility is used to retrieve the syscall ID associated with a Windows API.

get_syscall64.exe ntdll.dll NtOpenProcess

ntdll.dll!NtOpenProcess at 0x00007FF873F6CAD0
NtOpenProcess syscall ID 0x00000026 (38)

unhookIAT.c

This proof-of-concept detects hooks placed by EDR/AV/Malware in the Import Address Table and replaces them with the original addresses (coded by xalicex).

Excel version of the list of hooks

EDRs.xlsx formatted by Vincent Yiu

Markdown version of the list of hooks

EDRs.md formatted by Vincent Yiu

EDRs Hooked APIs

Want to contribute? Simply run hook_finder64.exe C:\windows\system32\ntdll.dll and submit the output.
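The export-table walk that get_syscall64.c and hook_finder64.exe perform is sketched below in Python, as an added example that is not code from this repo. It builds a constructed miniature PE32+ image (laid out with RVA == offset, the way a mapped module looks in memory) carrying two Nt* exports, parses the export directory, and classifies each stub: a `mov r10, rcx ; mov eax, imm32` prologue is intact and yields the syscall ID (0x26 for NtOpenProcess, matching the get_syscall64 output above), while a `jmp` in its place is what hook_finder reports as "is hooked". All function and variable names are my own. Keep the caveat from the Cortex XDR entry in mind: kernel-mode hooks leave these bytes untouched, so a clean stub only rules out user-mode inline hooks, it does not mean the call is unmonitored.

```python
import struct

# Constructed sample stubs: the first is an untouched x64 Nt* stub with syscall ID
# 0x26, the second has had its first five bytes overwritten by a jmp rel32, which is
# the footprint a user-mode inline hook leaves behind.
CLEAN_STUB = bytes.fromhex("4c8bd1b826000000f604250803fe7f0175030f05c3cd2ec3")
HOOKED_STUB = bytes.fromhex("e900010000000000f604250803fe7f0175030f05c3cd2ec3")
CLEAN_PROLOGUE = b"\x4c\x8b\xd1\xb8"   # mov r10, rcx ; mov eax, <syscall id>


def build_sample_image() -> bytes:
    """Constructed tiny PE32+ image with an export directory (RVA == offset)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x8664)               # IMAGE_FILE_MACHINE_AMD64
    struct.pack_into("<H", img, 0x58, 0x20B)                # PE32+ optional header magic
    struct.pack_into("<II", img, 0x58 + 112, 0x200, 0x100)  # export DataDirectory (RVA, size)
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name, Base,
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0,
                     0x260, 1, 2, 2, 0x230, 0x240, 0x250)
    struct.pack_into("<II", img, 0x230, 0x300, 0x340)       # function RVAs
    struct.pack_into("<II", img, 0x240, 0x270, 0x280)       # name RVAs
    struct.pack_into("<HH", img, 0x250, 0, 1)               # name -> function index
    img[0x260:0x26A] = b"ntdll.dll\0"
    img[0x270:0x27E] = b"NtOpenProcess\0"
    img[0x280:0x292] = b"NtQuerySystemTime\0"
    img[0x300:0x300 + len(CLEAN_STUB)] = CLEAN_STUB
    img[0x340:0x340 + len(HOOKED_STUB)] = HOOKED_STUB
    return bytes(img)


def _cstr(image: bytes, rva: int) -> str:
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def parse_exports(image: bytes) -> dict:
    """Walk the export directory and return {name: function RVA}.
    Assumes RVA == offset (a mapped module); a raw file read from disk would need
    section-header translation first."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = e_lfanew + 24                       # optional header follows the 20-byte file header
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled")
    exp_rva, exp_size = struct.unpack_from("<II", image, opt + 112)
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<IIIII", image, exp_rva + 20)
    exports = {}
    for i in range(n_names):
        name = _cstr(image, struct.unpack_from("<I", image, names + 4 * i)[0])
        idx = struct.unpack_from("<H", image, ords + 2 * i)[0]
        if idx >= n_funcs:
            continue
        rva = struct.unpack_from("<I", image, funcs + 4 * idx)[0]
        if exp_rva <= rva < exp_rva + exp_size:
            continue                          # forwarder string, not code
        exports[name] = rva
    return exports


def classify_stub(image: bytes, rva: int):
    """("clean", syscall_id) for an untouched x64 Nt* stub, ("hooked", None) when the
    prologue was replaced by a jmp (E9 rel32 or FF 25 [rip+disp32]), else ("unknown", None)."""
    stub = image[rva:rva + 8]
    if stub.startswith(CLEAN_PROLOGUE):
        return "clean", struct.unpack_from("<I", stub, 4)[0]
    if stub[:1] == b"\xe9" or stub[:2] == b"\xff\x25":
        return "hooked", None
    return "unknown", None


def syscall_id(image: bytes, api: str):
    """Syscall ID of an export, or None if its stub is no longer intact."""
    status, ssn = classify_stub(image, parse_exports(image)[api])
    return ssn if status == "clean" else None


def hooked_exports(image: bytes) -> list:
    """Nt* exports whose stub no longer starts with the clean prologue, i.e. the
    entries hook_finder64 prints as '<API> is hooked'."""
    return sorted(name for name, rva in parse_exports(image).items()
                  if name.startswith("Nt") and classify_stub(image, rva)[0] == "hooked")


if __name__ == "__main__":
    image = build_sample_image()
    print("NtOpenProcess syscall ID", hex(syscall_id(image, "NtOpenProcess")))
    for api in hooked_exports(image):
        print(api, "is hooked")
```

Against a real module the image would come from a mapped view rather than the constructed bytes; the parsing and classification steps stay the same. Comparing the in-memory stub with the on-disk copy, as the dynamic proof-of-concept does, is the stronger check, since it also catches rewrites that do not start with a jmp.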

CrowdStrike hooked ntdll.dll APIs

CrowdStrike hooks list

SentinelOne hooked ntdll.dll APIs

SentinelOne hooks list

Cylance hooked ntdll.dll APIs (Thanks to Seemant Bisht)

Cylance hooks list

Sophos hooked ntdll.dll APIs

Sophos hooks list

Attivo Deception hooked ntdll.dll APIs

Attivo hooks list

CarbonBlack hooked ntdll.dll APIs (Thanks to Hackndo)

CarbonBlack hooks list

Symantec hooked ntdll.dll APIs (Thanks to CarsonSallis)

Symantec hooks list

DeepInstinct hooked ntdll.dll APIs (Thanks to P0chAcc0)

DeepInstinct hooks list

McAfee hooked ntdll.dll APIs

McAfee hooks list

CheckPoint SandBlast hooked ntdll APIs

CheckPoint SandBlast hooks list

ESET endpoint Security 8.0.2028.0 hooked ntdll APIs

Eset hooks list

TrendMicro 17.7.1130 hooked ntdll APIs

TrendMicro hooks list

Cortex XDR hooked APIs (KERNEL MODE)

⚠️ These hooks are set in kernel mode. They can't be unhooked from user mode.

Cortex XDR hooks list

Bitdefender hooked ntdll APIs

Bitdefender hooks list

Credit

Mr.Un1k0d3r RingZer0 Team

And the whole community <3

Owner
Mr.Un1k0d3r
Mostly Red Team tools for penetration testing. My patreon https://patreon.com/MrUn1k0d3r
Comments
  • Update carbonblack.txt

    Ran hook_finder64.exe on carbon black on 02 Feb 2022, updated the list for carbon black

    Raw result below: https://gist.github.com/ScriptIdiot/57886fd8b556b128aa0b70b38bb1f628

  • Detection of hooks in Import Address Table

    Hello,

    This code detects hooks in the Import Address Table and replace the hooks with the true address of the functions.

    I thought it could be useful in this repo :)

  • Added cast to parameter and modified GetBytesByName type

    I've modified some variable types and functions in order to be able to compile and execute the code on my machine. This version is working perfectly. Maybe other people had the same issue?

    For instance "GetBytesByName" was a bool but returned nothing (compilation error). "OffsetNamesTable" variable was a DWORD* leading to a compilation error during the operation base + OffsetNamesTableOffset (compilation error)

  • Parser that takes TXT file and puts into CSV format.

    Made a simple parser that takes all the TXT files in current directory, and parses it into a CSV format.

    Usage: Python3 Parse.py > out.csv

    Then you can Excel it, or change to Markdown easier.
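A parser in the spirit of the one described in that comment, written here as an added example rather than the contributor's Parse.py: it reads hook_finder64-style output for several products, builds an API-by-product matrix like the EDRs.md/EDRs.xlsx lists, and emits CSV or Markdown. The sample captures are constructed to mirror the output format quoted in the issues on this page; the product names and the set of hooked APIs per product are illustrative placeholders, not a real product's hook list. Function names are my own.

```python
import csv
import io
import re

# Constructed sample captures in the layout hook_finder64.exe prints. "VendorC"
# prints no hooks at all, mirroring the MDE observation below, where the product
# hooks in kernel mode and user-mode inspection sees nothing.
SAMPLE_OUTPUTS = {
    "VendorA": r"""Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
Listing loaded modules
------------------------------------------
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFF0C150000.
***Listing Nt* API only

NtOpenProcess is hooked
NtWriteVirtualMemory is hooked
NtQuerySystemTime is hooked
------------------------------------------
Completed
""",
    "VendorB": r"""Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
***Listing Nt* API only

NtCreateThreadEx is hooked
NtOpenProcess is hooked
------------------------------------------
Completed
""",
    "VendorC": r"""Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
***Listing Nt* API only

------------------------------------------
Completed
""",
}

HOOK_LINE = re.compile(r"^\s*(Nt\w+) is hooked\s*$", re.M)


def parse_hook_finder_output(text: str) -> set:
    """Names of the APIs a single hook_finder64 run reported as hooked."""
    return set(HOOK_LINE.findall(text))


def build_hook_matrix(outputs: dict):
    """Return (sorted API names, sorted product names, {api: {product: bool}})."""
    per_product = {name: parse_hook_finder_output(txt) for name, txt in outputs.items()}
    apis = sorted(set().union(*per_product.values()))
    products = sorted(per_product)
    matrix = {api: {p: api in per_product[p] for p in products} for api in apis}
    return apis, products, matrix


def to_csv(outputs: dict) -> str:
    """CSV with one row per API and an 'x' under every product that hooks it."""
    apis, products, matrix = build_hook_matrix(outputs)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["API"] + products)
    for api in apis:
        writer.writerow([api] + ["x" if matrix[api][p] else "" for p in products])
    return buf.getvalue()


def to_markdown(outputs: dict) -> str:
    """Same matrix as a Markdown table, the shape used by the EDRs.md list."""
    apis, products, matrix = build_hook_matrix(outputs)
    lines = ["| API | " + " | ".join(products) + " |",
             "|---|" + "---|" * len(products)]
    for api in apis:
        cells = " | ".join("x" if matrix[api][p] else "" for p in products)
        lines.append("| " + api + " | " + cells + " |")
    return "\n".join(lines)


def common_hooks(outputs: dict) -> list:
    """APIs hooked by every product in the set. A product with an empty capture
    (kernel-mode hooking) drives this to empty: no user-mode hook is not the same
    as no monitoring."""
    per_product = [parse_hook_finder_output(t) for t in outputs.values()]
    return sorted(set.intersection(*per_product)) if per_product else []


if __name__ == "__main__":
    print(to_csv(SAMPLE_OUTPUTS))
    print(to_markdown(SAMPLE_OUTPUTS))
```

Point it at a directory of captures by loading each `.txt` into the dictionary keyed by product name; the regex only matches the `<API> is hooked` lines, so the module listing and separators are ignored.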

  • Create MDE.txt

    Full output as below:

    Loading C:\windows\system32\ntdll.dll
    HookFinder Mr.Un1k0d3r RingZer0 Team
    Listing loaded modules
    C:\Users\lowprivuser\Desktop\hook_finder64.exe is loaded at 0x0000000000400000.
    C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFE428B0000.
    C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFE41020000.
    C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFE3FEF0000.
    C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007FFE3DFB0000.
    C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFE412A0000.
    ***Listing Nt* API only

    NtQuerySystemTime is hooked

    Completed

  • Kaspersky

    Hi,

    wanted to share my observation for Kaspersky. Seems like Kaspersky does the real hooking in Kernel mode as well like Cortex or Defender MDE.

    How can those hooks be identified?

    Loading c:\Windows\System32\ntdll.dll
    HookFinder Mr.Un1k0d3r RingZer0 Team
    Listing loaded modules
    ------------------------------------------
    C:\Users\user\Desktop\hook_finder64.exe is loaded at 0x0000000000400000.
    C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFF0C150000.
    C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFF0BBF0000.
    C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFF09A90000.
    C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFF0BDE0000.
    ***Listing Nt* API only
    
    NtQuerySystemTime is hooked
    ------------------------------------------
    Completed
    
  • Update unhookIAT.c

    I've added some comments to clarify the code and replaced the 4096-byte size in VirtualProtect with 8 bytes. Because well, 4096 was maybe a little overkill...

  • Create checkpoint-sandblast.txt

    I tried against a few more, like FireEye EDR on Windows 7, but your hook detector did not like it. I also tried it against Cybereason and F-Secure EDRs, but the hook detector did not like Windows Server versions either.

  • Windows 10 Home - SO 18363.1440

    Loading C:\windows\system32\ntdll.dll
    HookFinder Mr.Un1k0d3r RingZer0 Team
    ------------------------------------------
    BASE                    0x00007FF8BC940000      MZÉ
    PE                      0x00007FF8BC9400D8      PE
    ExportTableOffset       0x00007FF8BCA8C370
    OffsetNameTable         0x00007FF8BCA8E8CC
    Functions Count         0x94d (2381)
    ------------------------------------------
    RtlInitializeSListHead is hooked
    ------------------------------------------
    Completed
    
  • Suggestion

    You may want to include Tanium's advanced EDR solution. It is used by big organizations and to address insider threats.

    https://try.tanium.com/?utm_campaign=01-D-PSP-OA-PPC-WW-Google-HFPOC&utm_source=google&utm_medium=cpc&utm_content=tanium&utm_term=%2Btanium&gclid=Cj0KCQjws-OEBhCkARIsAPhOkIad-9DIv8SBZfxq8o_vf7PSq2BOZctqNyFP630UmMY87HZm56n-gVQaAt5fEALw_wcB

  • MDE/ATP

    Wanted to share that Microsoft Defender for Endpoint (MDE) (previously known as Advanced Threat Protection (ATP)) is embedded within the operating system and does not seem to hook anything on ntdll.dll. Perhaps you might want to add that to the list despite the empty output.
