ANATOMY OF

EDR
BYPASSES
MALWARE DEVELOPMENT IN 2024
BY
SARTHAK SAINI (@SARTHAK_0000)
PRAVEEN NAIR (@M4LV0ID)
~#WHOAMI
CTO @ Secneural, Qatar
Red Team Operator
Ex-HTB CTF player
Malware Dev.
X - @m4lv0id
~#WHOAMI
Independent Security Researcher
Red Team Operator
Malware Dev.
X - @Sarthak_0000
AGENDA
Boring Stuff
Malware detection 101
Interesting Stuff
Understand how EDRs are working under the hood
Different techniques to evade EDR solutions
Mutations to revive the novel techniques
Exciting Stuff
DEMO
Closing Stuff
Q&A
DISCLAIMER
Target Audience
Red Team Operators, Malware devs., Pentesters, or any one
who like hack into stuff
Level of Understanding
Beginner <-> Intermediate
We have tried our best to follow the rule of “Just Keep It
SIMPLE!!”
What not to Expect
Not gonna drop any exploits or Evasion Scripts to bypass
security products
What to Expect
Understanding the mindset of EDR vendors towards
“Windows Platform”
Writing your own payloads combining novel techniques and
some evasion tricks.
DISCLAIMER
Target Audience
Red Team Operators, Malware devs., Pentesters, or any one
who like hack into stuff
Level of Understanding
Beginner <-> Intermediate
We have tried our best to follow the rule of “Just Keep It
SIMPLE!!”
What not to Expect
Not gonna drop any exploits or Evasion Scripts to bypass
security products
What to Expect
Understanding the mindset of EDR vendors towards
“Windows Platform”
Writing your own payloads combining novel techniques and
some evasion tricks.
BORING STUFF ALERT
MALWARE DETECTION 101
- ANTI VIRUS
Signature-Based Detections
What does this mean: Utilizes known patterns or 'signatures' of malware to identify
and block malicious software.
How to do it: Compares files against a database of known malware signatures

Heuristic-Based Detections
What does this mean: Employs algorithms to identify suspicious behavior or
characteristics indicative of malware, rather than relying on known signatures.
How to do it: Analyzes behaviors and properties of files to identify potentially
malicious activities or anomalies.
SIGNATURE-BASED DETECTIONS
Strengths
High Accuracy for Known Malware: Very effective at
detecting and stopping known threats.
Efficiency: Fast and resource-light, due to the
straightforward nature of matching signatures.

Weaknesses
Limited to Known Threats: Cannot detect new, unknown
malware or variants of existing malware without the specific
signature.
Regular Updates Required: Needs constant updates to the
signature database to remain effective.
HEURISTIC-BASED DETECTIONS
Strengths
Detects Unknown Malware: Capable of identifying new or
modified malware that doesn't match any known signature.
Behavior Analysis: Looks at how the software operates,
potentially catching malware designed to evade traditional
signature-based detection.

Weaknesses
Higher False Positives: Cannot detect new, unknown
malware or variants of existing malware without the specific
signature.
Resource Intensive: Requires more processing power and
memory, as it analyzes behaviors in real-time or through
sandboxing.
HOW EDR IS BETTER THAN
TRADITIONAL A/V
Behavioral Analysis:
EDR uses behavioral analysis to detect anomalies and suspicious activities, identifying
threats without prior knowledge of their signatures.
Real-time Response and Remediation:
EDR provides real-time monitoring and response tools, allowing for immediate action (e.g.,
isolating an endpoint) to mitigate threats.
Threat Hunting and Forensics:
EDR tools include features for threat hunting and forensic analysis, enabling detailed
investigation of how a breach occurred and the scope of the impact.
Continuous Monitoring and Advanced Analytics:
EDR ensures continuous monitoring of all endpoints, utilizing advanced analytics and
machine learning to detect sophisticated threats.
Integration and Automation:
EDR can integrate with other security tools (SIEM, SOAR, etc.), enhancing overall security
posture through automation and coordinated defense strategies.
Adaptability to Evolving Threats:
EDR platforms are designed to evolve, incorporating new intelligence and adapting to
changing threat landscapes.
HOW EDR IS BETTER THAN
TRADITIONAL A/V
Behavioral Analysis:
EDR uses behavioral analysis to detect anomalies and suspicious activities, identifying
threats without prior knowledge of their signatures.
Real-time Response and Remediation:

OKS !!
EDR provides real-time monitoring and response tools, allowing for immediate action (e.g.,
isolating an endpoint) to mitigate threats.

O
H
Threat Hunting and Forensics:
EDR tools include features for threat hunting and forensic analysis, enabling detailed
investigation of how a breach occurred and the scope of the impact.
Continuous Monitoring and Advanced Analytics:
EDR ensures continuous monitoring of all endpoints, utilizing advanced analytics and
machine learning to detect sophisticated threats.
Integration and Automation:
EDR can integrate with other security tools (SIEM, SOAR, etc.), enhancing overall security
posture through automation and coordinated defense strategies.
Adaptability to Evolving Threats:
EDR platforms are designed to evolve, incorporating new intelligence and adapting to
changing threat landscapes.
HOW EDR IS BETTER THAN
TRADITIONAL A/V
Behavioral Analysis:
HOOK
EDR uses behavioral analysis to detect anomalies and suspicious activities, identifying

S
threats without prior knowledge of their signatures.

!
Real-time Response and Remediation:

S !! !
EDR provides real-time monitoring and response tools, allowing for immediate action (e.g.,

OK
isolating an endpoint) to mitigate threats.

HO
Threat Hunting and Forensics:
EDR tools include features for threat hunting and forensic analysis, enabling detailed
investigation of how a breach occurred and the scope of the impact.
Continuous Monitoring and Advanced Analytics:
EDR ensures continuous monitoring of all endpoints, utilizing advanced analytics and
machine learning to detect sophisticated threats.
Integration and Automation:
EDR can integrate with other security tools (SIEM, SOAR, etc.), enhancing overall security
posture through automation and coordinated defense strategies.
Adaptability to Evolving Threats:
EDR platforms are designed to evolve, incorporating new intelligence and adapting to
changing threat landscapes.
HOW EDR IS BETTER THAN
TRADITIONAL A/V
HOOK
S !!!
Behavioral Analysis:

OK
EDR uses behavioral analysis to detect anomalies and suspicious activities, identifying

S
HO
threats without prior knowledge of their signatures.

!
Real-time Response and Remediation:

S !! !
EDR provides real-time monitoring and response tools, allowing for immediate action (e.g.,

OK
isolating an endpoint) to mitigate threats.

HO
Threat Hunting and Forensics:
EDR tools include features for threat hunting and forensic analysis, enabling detailed
investigation of how a breach occurred and the scope of the impact.
Continuous Monitoring and Advanced Analytics:
EDR ensures continuous monitoring of all endpoints, utilizing advanced analytics and
machine learning to detect sophisticated threats.
Integration and Automation:
EDR can integrate with other security tools (SIEM, SOAR, etc.), enhancing overall security
posture through automation and coordinated defense strategies.
Adaptability to Evolving Threats:
EDR platforms are designed to evolve, incorporating new intelligence and adapting to
changing threat landscapes.
INTERESTING STUFF ALERT
UNDERSTAND HOW EDRS ARE
WORKING UNDER THE HOOD
The gist of “HOW” can be categorized into the following

Process Hooking and Monitoring:

Process hooking techniques to monitor system calls and operations, providing
visibility into the actions of applications and services on the endpoint.
Network Traffic Analysis:
Analyze network traffic to and from endpoints, identifying suspicious
communications that may indicate command and control (C2) activity or data
exfiltration attempts.
“Machine Learning and AI”:
EDRs claims to leverage “machine learning models” to detect novel threats by
learning from historical data and identifying patterns that suggest malicious
behavior.
PROCESS HOOKING AND
MONITORING
Types of Hooking Techniques Used by EDRs

API Hooking:
Inline Hooking: Insert a jump instruction into the beginning of a target function in memory. When the
function is called, execution is redirected to the EDR's monitoring function before returning control to the
original function. This allows EDRs to inspect or modify the call's parameters and return value.
Import Address Table (IAT) Hooking: Targets the IAT of a process, which is used to resolve addresses of
dynamically linked functions from DLLs. By modifying the IAT entries, EDRs can intercept and examine calls
to critical system APIs.
Kernel Hooking:
System Service Descriptor Table (SSDT) Hooking: Involves modifying the SSDT, which the Windows
kernel uses to handle system call requests. By redirecting system calls to their monitoring functions, EDRs
can observe and potentially block malicious activities.
Object Manager Hooks: Utilize the Windows Object Manager to monitor access to system objects like files,
registry keys, and processes, providing a mechanism for behavioral analysis beyond what user-space API
hooking can offer.
Hardware Breakpoints:
Utilize the CPU's debug registers to monitor access to specific memory addresses. This technique can be
used to detect when specific code sequences are executed or when particular data is accessed, with
minimal performance impact.
HOLD ON: THINGS TO UNDERSTAND
Before we move forward we need to have a general idea of :

What is a Process Flow in Windows Systems?

What are WinAPI calls ?
Combination of Syscalls with WinAPI ?
What is WinAPI Hooking ?
WINDOWS SYSTEM ARCHITECTURE

IMAGE COUTSEY OF PAVEL’S WINDOWS KERNEL PROGRAMMING BOOK: HTTPS://LEANPUB.COM/WINDOWSKERNELPROGRAMMINGSECONDEDITION

WINDOWS PROCESS FLOW
In Windows operating systems, a process flow refers to the sequence of steps that an executable takes from its
initiation to termination. This involves several stages, including:

Process Creation: Initiated by system calls such as CreateProcess, NtCreateProcess, or by higher-level

mechanisms like shell commands. The Windows Loader (ntdll.dll) is then involved in loading the executable into
memory, resolving DLL dependencies, and setting up the initial thread.

Execution: The process executes its code, which can involve a variety of operations such as file I/O, network
communication, memory management, and interaction with other processes or system components. This
execution is managed by the Windows Scheduler, handling context switching and resource allocation.

Termination: A process can terminate normally (e.g., completing its task or through a call to ExitProcess) or
abnormally (e.g., killed by another process or due to an unhandled exception).
WINAPI CALL
The example here includes a call to a WinAPI
function, like CreateProcess, directly in its code.

When the program is compiled, the linker resolves

this function call to the Windows DLL that
contains CreateProcess (e.g., kernel32.dll), and
the call is made explicitly when the program runs.

EDR systems can easily identify such calls and

hook into these statically linked calls to monitor
for malicious activity.
UNDERSTANDING WINAPI USING
SYSCALLS
HOOKS ?!?!
HOW DOES EDR HOOKING WORK?
WHAT ARE HOOKS?

The unconditional JMP instruction here is pointed to the EDR solution.

MEANWHILE....
Red Team Operators
and Malware Devs
UNDERSTANDING SYSCALL STUB
A syscall stub is a piece of code that serves as a template or a bridge for making system calls (syscalls) from
user space to kernel space. When a user-mode application calls a Windows API function that needs to perform
an operation requiring kernel privileges (like accessing the file system or managing processes), it doesn't call the
kernel directly. Instead, it goes through a syscall stub.

Purpose and Functionality

Abstraction: Syscall stubs abstract the details of switching from user mode to kernel mode, making it easier
for developers to utilize system services without dealing with the complexities of mode switching.
Transition Mechanism: They provide the necessary instructions to safely transition the execution context
from user mode to kernel mode. This involves preparing the CPU registers with the appropriate syscall
number and arguments, and then executing a special instruction (like syscall on x64 architectures) that
switches the processor to kernel mode to execute the kernel-side code.
Standardization: Syscall stubs standardize the way syscalls are made across different versions of
Windows, even though the underlying syscall numbers and implementations may change
UNDERSTANDING SYSCALL STUB

mov eax, 23: This is a syscall instruction in which we are setting the EAX register with a HEXADECIMAL value
“23” which is for NtOpenProcess WinAPI Call
SYSCALL: This instruction will redirect the flow from userland to kernel land
BTW, DID WE MISS SSN ?
SSN(S) VS SYSCALL NUMBERS
UNDERSTANDING SYSCALL NUMBERS
Syscall numbers are essentially unique identifiers assigned to each system call in the Windows NT kernel
(ntoskrnl.exe). These numbers serve as an index to the system service dispatch table, known as the SSDT (System
Service Dispatch Table), which the kernel uses to locate the corresponding system call implementation when a
syscall is invoked.

Purpose and Use

Direct Invocation: To invoke syscalls directly using their numbers to perform operations with minimal API
usage, thereby reducing their footprint and potentially evading detection by security software that monitors API
calls.
Performance: Direct syscall invocation can sometimes offer performance benefits by bypassing the overhead
associated with higher-level API calls.
Evasion and Stealth: Malware and certain tools aimed at penetration testing or security evasion might use
direct syscalls to avoid hooks and monitoring mechanisms placed by security products on higher-level API
functions.
UNDERSTANDING WINAPI USING
SYSCALLS
UNDERSTANDING SYSCALL NUMBERS
UNDERSTANDING SYSCALL NUMBERS

Lets see this in Action...

YOU SAID IT WILL BE FUN...?!
TECHNIQUES TO BYPASS HOOKS
Direct syscalls
Load the syscall numbers via different techniques and directly invoke the
SYSCALL instruction from malware’s memory space
Indirect syscalls
Load the syscall numbers via different techniques and invoke the SYSCALL
instruction from ntdll.dll’s memory space
TECHNIQUES TO BYPASS HOOKS
Direct syscalls
Load the syscall numbers via different techniques and directly invoke the
SYSCALL instruction from malware’s memory space
Indirect syscalls
Load the syscall numbers via different techniques and invoke the SYSCALL
instruction from ntdll.dll’s memory space
DIRECT SYSCALLS: ANATOMY

REEFERENCE: HTTPS://REDOPS.AT/EN/BLOG/DIRECT-SYSCALLS-VS-INDIRECT-SYSCALLS
INDIRECT SYSCALLS: ANATOMY

REEFERENCE: HTTPS://REDOPS.AT/EN/BLOG/DIRECT-SYSCALLS-VS-INDIRECT-SYSCALLS
BUT WE DON’T HAVE SSN(S)..
WHAT IF WE CAN JUST HUNT FOR THE
SSN(S)..
ENUMERATING SYSTEM SERVICE
NUMBER (SSN)
Hell’s Gate
Dynamically look for a sequence of memory bytes 0x4c 0x8b 0xd1 0xb8 0xZZ 0xZZ 0x00
0x00 which is the Opcode for initials of syscall stub
Halo’s Gate
Hell’s Gate but with a twist, It looks for neighbor function for syscall numbers if the function is
hooked.
Freshycall’s or SysWhisper’s
Since all the syscalls are incremented by 1 and each syscall is at 32 bits of displacement
which means moving 32 bits forward in memory from the base address of first syscall stub we
can enumerate all the function Names with SYSCALL ID?

Note: There are other techniques as we will only go through the ones mentioned above.
SSN: HELL’S GATE
What are we doing with Hell's Gate?
The objective of Hell's Gate is to execute syscalls without being detected by EDRs that hook or monitor high-level Windows API functions and even
the syscall stubs within ntdll.dll. By directly invoking syscalls in a novel manner by dynamically looking for a sequence of memory bytes 0x4c
0x8b 0xd1 0xb8 0xZZ 0xZZ 0x00 0x00 which is the Opcode for initials of syscall stub

How are we doing it?

Syscall Number Discovery: The first step involves dynamically discovering the syscall numbers at runtime. This is typically achieved by
parsing the executable code of ntdll.dll loaded in memory, identifying the syscall stubs, and extracting the syscall numbers embedded within
those stubs.
Direct Syscall Invocation: Once the syscall numbers are known, Hell's Gate constructs and executes a custom syscall invocation sequence.
This involves setting up the CPU registers with the appropriate values (including the syscall number and any parameters) and executing the
syscall instruction to switch from user mode to kernel mode, thereby invoking the desired system call.
Limitations of Hell's Gate
Static OPCODE Identification: Because we are looking for a sequence of memory bytes 0x4c 0x8b 0xd1 0xb8 0xZZ 0xZZ 0x00 0x00,
This can be easily identified by static signature based detections
SSN: HELL’S GATE

Dynamically look for a sequence of memory bytes 0x4c 0x8b 0xd1 0xb8 0xZZ 0xZZ 0x00 0x00 which is the
Opcode for initials of syscall stub
SSN: HELL’S GATE

Example Implementation of Hell’s Gate

SSN: HALO’S GATE
What are we doing with Halo's Gate?
The enhanced Hell's Gate technique dynamically locates unhooked syscall numbers by searching up to 32 bits around a hooked function,
leveraging the sequential nature of syscall allocations to efficiently bypass security hooks. This method optimizes evasion by intelligently
narrowing the search based on syscall proximity

How are we doing it?

Decoy Syscall Execution: Initially, a benign syscall is executed. This syscall is chosen because it's unlikely to raise suspicions on its own. The
purpose here is to set up a scenario where the system's execution flow is under the control of the attacker but appears legitimate to
monitoring tools.
Stack Manipulation: Before executing the decoy syscall, Halo's Gate manipulates the stack in such a way that, upon completion of the decoy
syscall, the execution flow does not return to the next expected instruction in the benign code path. Instead, it's redirected to the malicious
code that contains the actual target syscall.
Execution of Target Syscall: With the execution flow redirected, the target syscall is executed directly, bypassing the API and ntdll.dll layers.
This direct execution is achieved by preparing the appropriate registers with the syscall number and arguments, then using the syscall
instruction to transition to kernel mode.

Limitations of Halo's Gate

Static OPCODE Identification: Because we are looking for a sequence of memory bytes, This can be easily identified by signature based
detections
SSN: HALO’S GATE

Searching up to 32 bits around a hooked function to enumerate SSNs

SSN: HALO’S GATE

Example Implementation of Halo’s Gate

SSN: SYSWHISPER’S CALL
What are we doing with Halo's Gate?
The approach involves fetching all NT function addresses in memory, then sorting these addresses in ascending order. Starting from a base
syscall number of 0 (in hexadecimal), each successive syscall's number is incremented by 1, aligning with the ordered list of NT functions

How are we doing it?

Syscall Function Generation: SysWhispers generates the necessary boilerplate assembly code for invoking syscalls. This code includes
the setup for passing arguments to the syscalls according to the x64 or x86 calling conventions and the appropriate instructions to transition
from user mode to kernel mode (e.g., the syscall instruction on x64).
Dynamic Syscall Number Resolution: Instead of using hardcoded syscall numbers, which can be signatured and vary across different
versions of Windows, SysWhispers can dynamically resolve syscall numbers at runtime. This is typically achieved by parsing the export table
of ntdll.dll to find the addresses of the Nt/Zw functions, which act as wrappers for syscalls, and extracting the syscall numbers from these
function stubs.
Indirect Invocation: The generated code indirectly invokes the system calls through the dynamically resolved numbers, thereby reducing the
likelihood of detection by signature-based EDR mechanisms. This method complicates static analysis and evades simple behavioral
detections that monitor for direct syscall patterns.

Limitations of Hell's Gate

Detection Through Behavioral Analysis: While SysWhispers can evade signature-based and some heuristic-based detection mechanisms,
sophisticated EDR systems employing advanced behavioral analysis might still detect the anomalous patterns of behavior indicative of
syscall abuse or unusual sequences of system calls.
SSN: SYSWHISPER’S CALL

WinAPI CALL are sorted and arranged in ascending order of memory addresses
BUT HOW DO WE GET TO THE
NTDLL.DLL FUNCTIONS?
ANALYSIS WITH TRADITIONAL WAY:

Loading a WinAPI CALL in C program

ANALYSIS WITH TRADITIONAL WAY:

IAT imports would expose the function name

WON’T THAT GET DETECTED ???
WELL, THATS WHY WE HAVE SOME
TRICKS
SOME TRADECRAFTS
Custom implementation of GetModuleHandle
WinAPI call
PEB: GS register points to PEB at 0x60 or 96 bytes from TEB

PEB_LDR_DATA: This member contains the list of DLLs loaded in

theprocess

InMemoryOrderModuleList: It is an important member of

PEB_LDR_DATA which points to the first LIST_ENTRY structure

LIST_ENTRY: It is a doubly linked list which points to the next

and previous node

FullDllName: Name of the DLL loaded

SOME TRADECRAFTS
Custom implementation of GetModuleHandle WinAPI call

The get_module_handle function enumerates the following:

Loads the PEB address via GS register
Enumerates the InLoadOderModuleList to traverse through the linked list
Retrieve and compare the function names in order to return the correct dll base address
SOME TRADECRAFTS
Custom implementation of GetProcAddress WinAPI call
SOME TRADECRAFTS
Custom implementation of GetProcAddress WinAPI call

The get_proc_address function enumerates the following:

AddressOfNames: Array of Names of the functions present in the DLL
AddressOfFunctions: Array of Base Address of the functions
AddressOfOrdinals: Array of total ordinals of the functions
SOME TRADECRAFTS
Custom implementation of GetModuleHandle and GetProcAddress WinAPI call in SysWispers
implementation
HOW DO WE BYPASS HOOKS?
Hiding IAT imports
Using Custom GetModuleHandle Implementation
Using Custom GetProcAddress Implementation
Enumerating SSN numbers
Using different techniques we can enumerate the SSN numbers: Hell’s Gate, Halo’s Gate and
Syswhisper’s Call
SYSCALL Execution
We have discussed 2 different ways to execute the SYSCALL : Direct & Indirect Syscall
BUT NOW, WHAT ABOUT STATIC
DETECTIONS?
STATIC DETECTIONS

Just by performing a static strings on the binary, it is possible to understand what

all DLL the application is trying to invoke to use which function exactly
STATIC DETECTIONS
Bypassing static detection via API HASHING
STATIC DETECTIONS
Bypassing static detection via API HASHING

No indications of any malicious API call detected in the audit.exe

STATIC DETECTIONS
Bypassing static detection via API HASHING

No indications of any malicious API call detected in the audit.exe

TECHNIQUES USED TO BYPASS EDR IN
OUR POC
Evading Static Analysis
Using API Hashing to obfuscate the names of Syscalls
Using Custom encryption algorithm to encrypt the shellcode
Evading Dynamic Analysis
Custom Sleep Routine to burn the CPU cycles to delay execution in sandbox.
Custom GetModuleHandle and GetProcAddress with mutations.
Implemented SysWhisper’s call and Indirect Syscalls with mutations.
A RECENT COMMUNITY POLL
EXCITING STUFF ALERT
CALL THE DEMO GODS....
DEMO
DEMO
REFERENCES
Pavel’s Windows Kernel Programming Book: https://leanpub.com/windowskernelprogrammingsecondedition
Direct Syscalls vs Indirect Syscalls: https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls
Hell’s Gate: https://github.com/am0nsec/HellsGate
Halo’s Gate: https://blog.sektor7.net/#!res/2021/halosgate.md
SysWhispers: https://github.com/jthuraisamy/SysWhispers
SysWhispers2: https://github.com/jthuraisamy/SysWhispers2
When You sysWhisper Loud Enough for AV to Hear You:
https://captmeelo.com/redteam/maldev/2021/11/18/av-evasion-syswhisper.html
Hooking Nirvana: https://www.youtube.com/watch?v=pHyWyH804xE
Custom GetModuleHadle: https://gist.github.com/OtterHacker/8abaf54694ef27b9e3d38dfe57f13bd3
Custom GetProcAddress: https://gist.github.com/OtterHacker/8abaf54694ef27b9e3d38dfe57f13bd3
API Hashing: https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware
CLOSING STUFF ALERT
CHEERS, TILL WE MEET AGAIN ..