This repo contains information about EDRs that can be useful during red team exercises.
This proof-of-concept resolves the syscall ID dynamically, so there is no need to check the Windows version running on the remote host. To read the on-disk (untampered) copy of the DLL, the CreateFileMapping and MapViewOfFile Windows APIs are called. The mapped DLL is then parsed to retrieve the data, which is used to patch the live code.
This proof-of-concept patches the syscall ID specified in the code. The live version of the DLL is patched using the hardcoded syscall ID, then reverted to its original unpatched state.
This utility retrieves the syscall ID associated with a Windows API.
get_syscall64.exe ntdll.dll NtOpenProcess
ntdll.dll!NtOpenProcess at 0x00007FF873F6CAD0
NtOpenProcess syscall ID 0x00000026 (38)
EDRs.xlsx formatted by Vincent Yiu
EDRs.md formatted by Vincent Yiu
Want to contribute? Simply run hook_finder64.exe C:\windows\system32\ntdll.dll
and submit the output.
Mr.Un1k0d3r RingZer0 Team