RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc

RefleXXion

Introduction

RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array. After that, there are two techniques that the user can choose to bypass the user-mode hooks.

Technique-1, reads the NTDLL as a file from C:\Windows\System32\ntdll.dll. After parsing, the .TEXT section of the already loaded NTDLL (where the hooks are performed) in memory is replaced with the .TEXT section of the clean NTDLL.

In Technique-2, NTDLL reads as Section from KnownDlls, \KnownDlls\ntdll.dll. (beacuse DLL files are cached in KnownDlls as Section.) After parsing, the .TEXT section of the already loaded NTDLL (where the hooks are performed) in memory is replaced with the .TEXT section of the clean NTDLL.

The detailed flow of the methodology and all techniques is given below.

RefleXXion Flow

How to Use

You can open and compile the project with Visual Studio. The whole project supports x64 architecture for both Debug and Release modes.

The RefleXXion-EXE solution generates the EXE for PoC purpose. If you want to understand how the project works step by step, it will make your job easier. Main function contains Technique1 and Technique2 functions definations. Comment one of them and compile. Do not use both functions at the same time.

The RefleXXion-DLL solution generates the DLL that you inject into the process you want to bypass the user-mode hooks for NTDLL. At the beginning of the main.cpp file, there are definitions of which technique to use. You can choose one of them and compile it. Do not set all values at the same time, set only the one technique you want. Example configuration is given below.

// Techniques configuration section
#define FROM_DISK 1 // If you set it to 1, the Technique-1 will be used. For more information; https://github.com/hlldz/RefleXXion
#define FROM_KNOWNDLLS 0 // If you set it to 1, the Technique-2 will be used. For more information; https://github.com/hlldz/RefleXXion

Operational Usage Notes & OPSEC Concerns

  • RefleXXion currently is only supports for x64 architecture.

  • RefleXXion only unhooks NTDLL functions, you may need to unhook other DLLs (kernel32.dll, advapi32.dll etc.) as well. For this, you can easily edit the necessary places in the project.

  • The RefleXXion only uses the RWX memory region when overwriting the .TEXT section process starts. For this process a new memory reginon is not created, the existing memory region (the TEXT section of the NTDLL that is already loaded) is RWXed and then converted to RX.

    ULONG oldProtection;
    ntStatus = NtProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &oldProtection);
    memcpy()...
    ntStatus = NtProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, oldProtection, &oldProtection);

    P.S. The RefleXXion invokes the NtProtectVirtualMemory API over the cleanly installed NTDLL. It uses the CustomGetProcAddress function for this because the clean NTDLL is not in the InLoadOrderModuleList even though it is loaded into memory. So a solution like here (https://stackoverflow.com/questions/6734095/how-to-get-module-handle-from-func-ptr-in-win32) will not work. That's why the custom GetProcAddress function exists and is used.

  • You can load RefleXXion DLL from disk to target process. You may not prefer a run like this for sensitive work such as a Red Team operation. Therefore, you can convert the RefleXXion DLL to shellcode using the sRDI project or integrate the RefleXXion code into your own loader or project.

  • Even if NTDLL (as file or as section) is reloaded to the injected process, it does not remain loaded. RefleXXion close all opened handles (file & section handles) for own processes.

Special Thanks & Credits

Owner
Halil Dalabasmaz
Blurred Lines
Halil Dalabasmaz
Similar Resources

Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel.

Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel.

Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted.

Dec 10, 2022

Shellcode loader written in rust. Strives to evade modern EDR solutions.

Pestilence What is pestilence? Pestilence is a shellcode loader written in rust. It strives to evade modern EDR solutions. How does it work? It loads

Dec 5, 2022

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections and LSASS protections

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Jan 2, 2023

If the button pressed esp will reset and App mode will on. App mode will on then led will on, network is connected led will off.

DHT22-to-Google-sheet-Reset-Using-ESP8266-LED-Switch If button pressed esp will reset and App mode will on. App mode will on then led will on, network

Aug 17, 2022

Simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it's running with secure boot enabled (faking secure boot)

Simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it's running with secure boot enabled (faking secure boot)

SecureFakePkg is a simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it's running with secure boot enabled. In other words, it fakes secure boot status.

Dec 30, 2022

Scans all modules in target process for jmp/int3 hooks dissassembles then and follows jmps to destination

Scans all modules in target process for jmp/int3 hooks dissassembles then and follows jmps to destination

Scans all modules in target process for jmp/int3 hooks dissassembles then and follows jmps to destination.

Dec 29, 2022

A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.

A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.

manual-syscall-detect A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks. Description A full write-up of this to

Dec 26, 2022

OffensivePH - use old Process Hacker driver to bypass several user-mode access controls

offensiveph OffensivePH is a post-exploitation tool that utilizes an old Process Hacker driver to bypass several user-mode access controls. Usage Comp

Dec 29, 2022

x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Dec 30, 2022
Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.

SysmonSimulator SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the att

Dec 25, 2022
A LoadLibrary injector for CS:GO that automatically bypasses Trusted Mode by disabling various Win32 function hooks.

TrustedInjector This is a LoadLibrary injector for Counter-Strike: Global Offensive. Information It automatically bypasses trusted mode by removing ho

Jan 6, 2023
A ros package for robust odometry and mapping using LiDAR with aid of different sensors

W-LOAM A ros package for robust odometry and mapping using LiDAR with aid of different sensors Demo Video https://www.bilibili.com/video/BV1Fy4y1L7kZ?

Nov 2, 2022
Evasive shellcode loader for bypassing event-based injection detection (PoC)
Evasive shellcode loader for bypassing event-based injection detection (PoC)

(cleaned up version here: https://github.com/xinbailu/DripLoader-Ops) DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection de

Dec 28, 2022
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
This is a PoC for bypassing UAC using DLL hijacking and abusing the

UAC bypass - DLL hijacking Description This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification. Summary

Nov 30, 2022
TartarusGate, Bypassing EDRs

Tartarus' Gate - Bypassing EDRs Description Hell's Gate evolved to Halo's Gate to bypass EDRs by unhooking some of them and now it turned to Tartarus'

Dec 24, 2022
Evasive shellcode loader for bypassing event-based injection detection (PoC)
Evasive shellcode loader for bypassing event-based injection detection (PoC)

DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project

Dec 28, 2022
EasyAntiCheat bypassing driver

EasyEACBypass EasyAntiCheat bypassing driver (23/01/2022) KernelMode driver with some parts not included so no pasta! Includes This driver includes a

Dec 31, 2022
My version of psxfunkin with new changes like new story mode, new options,etc
My version of psxfunkin with new changes like new story mode, new options,etc

PSXFunkin Friday Night Funkin' on the PSX LOL Compilation Refer to COMPILE.md here Characters Igor Ver added new characters Like XmasGF,Monster and mu

Jun 8, 2022
Project to check which Nt/Zw functions your local EDR is hooking

Probatorum EDR Userland Hook Checker Probatorum will check which Nt/Zw functions your local EDR is hooking. Most credit for this code goes to SolomonS

Nov 15, 2022