Rust-for-Malware-Development
Bypassing EDR Syscall Hooks with a Early Exception Handler
The problem with the (VEH, SEH, etc..) are themselves hooked and monitored heavily by modern EDRs
AddVectoredExceptionHandler→ EDR adds its own VEH before yours.- SEH frames are scanned by the EDR at process start-up.
Modern EDRs monitor syscalls by placing inline hooks (usually a jmp at offset +3) inside the Nt* functions in ntdll.dll.
so when you call hooked funcitons like NtAllocateVirtualMemory, NtProtectVirtualMemory, … the EDR gets the first chance to inspect the arguments and block the call.
So to avoid detection, we can develop our own exception handler without relying on VEH or SEH to manipulate exception handling before the VEH is called.
To know more about this, the Example poc has been described in detail in this blog: Early Exception Handling
Note: Please note that this poc uses hardcoded SSN just for demonstration of the PoC. in your practices you can extract and use SSN using syscall techniques using Hells/halos/tartarus gate: For Syscall technique you can visit this seciton: Syscalls
PoC
We are going to test it on EDR Products. [Release Mode]
Debug print that explains how this PoC works step by step [Debug Mode]
Usage
To compile and run in debug mode. [To understand How this works]
cargo -r r --features debug
To compile and run it on release mode [Final]:
cargo r -r
To compile on release mode [Final]:
cargo b -r
Credits / Resoucres
- https://kr0tt.github.io/posts/early-exception-handling/
- https://www.ibm.com/think/x-force/using-veh-for-defense-evasion-process-injection
- https://mannyfreddy.gitbook.io/ya-boy-manny#fun-with-exception-handlers
- https://revers.engineering/applied-re-exceptions/
- https://github.com/joaoviictorti/dinvk/tree/main?tab=readme-ov-file#retrieving-module-addresses-and-exported-apis
- https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html