DEF CON 32 - Andrew Case Austin Sellers Golden Richard David McDonald Gustavo Moreira - Defeating EDR Evading Malware With Memory Forensics

The deck discusses techniques for detecting the EDR evasion used by malware, particularly through memory forensics. It outlines why volatile memory is the place to identify malware that evades traditional detection methods and presents new detection approaches that are agnostic to the EDR vendor. The research emphasizes detection strategies that not only spot the evasion technique but also pinpoint the malware's source, even when the malware bypasses common EDR monitoring techniques.

Defeating EDR Evading Malware with Memory Forensics

Andrew Case, Austin Sellers, Golden Richard, David McDonald, Gustavo Moreira

© Volexity Inc. 1
Research Motivation – EDR Evasion in the Wild
• EDR evasion techniques are frequently applied by malware used in ransomware deployments, targeted attacks, and lateral movement
• We often perform memory forensics of infected systems during engagements with EDR protection active and malware running unhindered
• Detecting EDR evasion with memory forensics leads right to the malware

Research Goals
• Develop effective, scalable triage techniques for detecting EDR evasion techniques as used in the wild
• Focus where malware operates: physical memory (RAM)
• Not only detect the evasion techniques, but also pinpoint the source of the malware

Why Memory Forensics?
• Across platforms, memory-only payloads are often used by malware to avoid detection and hinder analysis
• Disk and live forensics generally can find no traces of this malware
• Volatile memory is the *only* place to determine that such malware is present and to fully investigate it

Microsoft Report: [45]

How EDRs Monitor System Activity
• Kernel callbacks [1, 2]
⏤ Notifications of process creation, DLL loading, etc.
• Event Tracing for Windows (ETW) [3]
⏤ Notifications for a wide range of system events
• Antimalware Scan Interface (AMSI) [4]
⏤ Notification and contents of PowerShell/JScript/VBA scripts
• System call monitoring [5]
⏤ Hooking the user-mode system call stubs (ntdll.dll) in each process' memory

How Malware Bypasses EDRs
• Kernel callbacks [6, 7, 10, 14]
⏤ Unregistering and/or disabling
• Event Tracing for Windows (ETW) [8, 9]
⏤ Unregistering and/or disabling (kernel)
⏤ API hooks (userland)
• Antimalware Scan Interface (AMSI) [8]
⏤ API hooks (userland)
• System call monitoring
⏤ A variety of techniques, which are the focus of this talk

Monitoring vs Bypasses vs Detection
Monitoring technique     Bypassed?   Previously detectable with memory forensics?
Kernel callbacks         Yes         Yes
ETW (kernel)             Yes         Yes
ETW (userland)           Yes         Yes
AMSI                     Yes         Yes
System call monitoring   Yes         No

Windows System Calls Boundary [11]

Windows System Call Handlers

EDR Bypass: (Module|System Call|API) Unhooking [12, 13]
• This technique unhooks system call handlers by reverting them to their default, unhooked implementation
• After unhooking the handlers of interest, malware can make system calls without activating the EDR's hooks

Detection Approach
• When an EDR is active, every process has the EDR's hooks present by default
• When module unhooking is performed, it happens only inside the few (usually one or two) processes where the malware is active
• Our new detection: compare the implementation of each system call handler across all processes and report the outliers
• Benefit: agnostic to the EDR vendor and to how the hooks are implemented
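The cross-process comparison described above, as an added Python example (not the windows.unhooked_system_calls plugin's own code): the first bytes of each Nt* stub are collected per process, the majority implementation is taken as the baseline, and any process whose copy deviates is reported. The process IDs, function names and stub bytes (an E9 jmp rel32 hook versus the clean `mov r10, rcx; mov eax, <SSN>` prologue, with illustrative SSN values) are constructed; a real plugin reads them out of each process' ntdll.dll mapping in the memory image.

```python
"""Cross-process comparison of system call stubs (added example).

Stand-in for the idea behind windows.unhooked_system_calls, on constructed
data: the first bytes of each Nt* stub are collected from every process,
the majority implementation is the baseline (with an EDR active that is
the EDR's hooked stub), and a process whose copy differs is reported.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Clean Windows 10 x64 prologue: mov r10, rcx ; mov eax, <SSN>
CLEAN_PREFIX = bytes.fromhex("4c 8b d1 b8")


def is_clean_prefix(stub: bytes) -> bool:
    return stub.startswith(CLEAN_PREFIX)


def is_jmp_hook(stub: bytes) -> bool:
    """E9 rel32 as the first instruction: the classic inline trampoline."""
    return len(stub) >= 5 and stub[0] == 0xE9


def majority_baseline(per_process: Dict[int, Dict[str, bytes]]) -> Dict[str, bytes]:
    """Most common stub bytes per function across all processes."""
    votes: Dict[str, Counter] = {}
    for stubs in per_process.values():
        for func, stub in stubs.items():
            votes.setdefault(func, Counter())[stub] += 1
    return {func: c.most_common(1)[0][0] for func, c in votes.items()}


def describe(stub: bytes, baseline: bytes) -> str:
    """Context for the analyst; the deviation itself is the finding."""
    if is_jmp_hook(baseline) and is_clean_prefix(stub):
        return "clean prologue restored; other processes carry an inline jmp hook"
    if is_clean_prefix(baseline) and is_jmp_hook(stub):
        return "inline jmp hook present only in this process"
    return "stub bytes differ from the majority implementation"


def find_unhooked(per_process: Dict[int, Dict[str, bytes]]) -> List[Tuple[int, str, str]]:
    """(pid, function, reason) for every stub that deviates from the baseline.

    Needs at least three processes for a meaningful majority; with two the
    comparison cannot tell which side is the outlier.
    """
    if len(per_process) < 3:
        raise ValueError("need at least three processes to establish a baseline")
    baseline = majority_baseline(per_process)
    findings = []
    for pid, stubs in sorted(per_process.items()):
        for func, stub in sorted(stubs.items()):
            if stub != baseline[func]:
                findings.append((pid, func, describe(stub, baseline[func])))
    return findings


# Constructed samples: jmp-hooked stubs as an EDR would leave them, and the
# clean stub a tool such as r77 writes back. SSN values are illustrative.
HOOKED_NTPVM = bytes.fromhex("e9 1b 2f 10 00 f6 04 25 08 03 fe 7f 01")
HOOKED_NTWVM = bytes.fromhex("e9 4a 2f 10 00 f6 04 25 08 03 fe 7f 01")
CLEAN_NTPVM = bytes.fromhex("4c 8b d1 b8 50 00 00 00 f6 04 25 08 03 fe 7f 01")

SAMPLE = {
    1000: {"NtProtectVirtualMemory": HOOKED_NTPVM, "NtWriteVirtualMemory": HOOKED_NTWVM},  # explorer.exe
    2000: {"NtProtectVirtualMemory": HOOKED_NTPVM, "NtWriteVirtualMemory": HOOKED_NTWVM},  # wordpad.exe
    3000: {"NtProtectVirtualMemory": CLEAN_NTPVM, "NtWriteVirtualMemory": HOOKED_NTWVM},   # notepad.exe, unhooked
}

if __name__ == "__main__":
    for pid, func, why in find_unhooked(SAMPLE):
        print(f"PID {pid}: {func}: {why}")
```

Only the majority vote decides what is reported; the describe() strings add context for the common jmp-hook shape but the check itself never needs to know how the EDR implemented its hook, which is what keeps it vendor-agnostic.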

Unhooking Detection Experiment [15, 16, 17]
• SylantStrike, an open source EDR meant for bypass testing, was chosen as our EDR platform
⏤ Allows other researchers to verify and recreate our work
• SylantStrike hooks NtProtectVirtualMemory to prevent memory from being changed to RWX permissions
• We used a base Windows 10 install (no EDR) and then created notepad.exe and wordpad.exe processes under SylantStrike's protection
⏤ A memory sample was taken afterwards
• r77 was then used to unhook the notepad.exe process
⏤ A second memory sample was then taken

New windows.unhooked_system_calls Plugin
• After starting processes through SylantStrike: (plugin output shown on slide)
• After unhooking: (plugin output shown on slide)

EDR Bypass: Suspended and Cloned Processes
• Module unhooking requires access to a clean (unhooked) ntdll.dll to obtain the original bytes used for overwriting the hooks
• Obvious choice (as a malware author): read the copy on disk
• Downside: some EDRs detect reads of ntdll.dll

Abusing Suspended Processes [18, 19]
• Passing the CREATE_SUSPENDED flag to CreateProcess partially creates the process before returning control to the parent:
⏤ Only the application executable and ntdll.dll are mapped
⏤ Kernel callbacks for process monitoring are not yet triggered
• These design decisions allow the parent process to read a clean ntdll.dll out of the child without the EDR noticing

Detecting Suspended Processes
• Each process is represented by an EPROCESS structure
• Each thread has an ETHREAD with an embedded KTHREAD
• KTHREAD.SuspendCount holds the current suspend state of the thread
⏤ The main thread of a normally created process has a count of 0
⏤ A process created suspended has a count of 1, and if the main thread is never resumed the count stays at 1
• Detection approach: find threads with a suspend count > 0
⏤ Only false positive observed: WorkFoldersShell.dll in Microsoft browser processes
⏤ Extra benefit: also detects a variety of process hollowing techniques

Abusing Cloned Processes
• Initially showcased in Dirty Vanity at Black Hat EU [20]
• Dirty Vanity bypassed EDRs by performing the first steps of code injection in the parent and the final steps in the cloned child
• EDRs did not follow the activity across the two processes and missed the code injection

Detecting Cloned Processes
• While analyzing Dirty Vanity, we determined that a cloned child initially starts suspended and does not resume normally
⏤ Can reuse the previous detection of suspended threads
• We also found "The Definitive Guide To Process Cloning on Windows", which states that a cloned process' thread will point to RtlpProcessReflectionStartup [21]
⏤ We verified this with an updated threads plugin that reports the symbol of each thread's Start and Win32Start addresses
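An added Python example (not the talk's plugins) of the suspended-thread and cloned-process triage from the last few slides: threads with KTHREAD.SuspendCount > 0 are reported, their Start and Win32Start addresses are resolved against a module map and symbol table, a start address inside RtlpProcessReflectionStartup marks the process as a clone, and the one false positive the talk names (WorkFoldersShell.dll in Microsoft browser processes) is suppressed. The thread records, module bases, symbol addresses, image names and the set of browser images used for the allow-list are all constructed assumptions.

```python
"""Suspended-thread triage with start-address symbolisation (added example).

Constructed data, not output of the talk's plugins: each record mirrors the
EPROCESS/ETHREAD fields the slides name (KTHREAD.SuspendCount,
ETHREAD.StartAddress, ETHREAD.Win32StartAddress).
"""
import bisect
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Thread:
    pid: int
    ppid: int
    image: str
    tid: int
    suspend_count: int   # KTHREAD.SuspendCount
    start_address: int   # ETHREAD.StartAddress
    win32_start: int     # ETHREAD.Win32StartAddress


# Constructed module map (base, size, name) and ntdll symbols; in a real
# image these come from the loaded-module lists and ntdll's PDB.
NTDLL_BASE = 0x7FFB_1000_0000
MODULES: List[Tuple[int, int, str]] = [
    (NTDLL_BASE, 0x1F0000, "ntdll.dll"),
    (0x7FFB_3000_0000, 0x80000, "WorkFoldersShell.dll"),
    (0x7FF6_4000_0000, 0x40000, "notepad.exe"),
    (0x7FF6_5000_0000, 0x20000, "DirtyVanity.exe"),
]
SYMBOLS = sorted([
    (NTDLL_BASE + 0x1A2C0, "RtlUserThreadStart"),
    (NTDLL_BASE + 0x3F100, "RtlpProcessReflectionStartup"),
])
SYM_ADDRS = [a for a, _ in SYMBOLS]


def symbolize(addr: int) -> str:
    """module!symbol+off when a symbol is known, module+off inside a module, else raw."""
    for base, size, name in MODULES:
        if base <= addr < base + size:
            i = bisect.bisect_right(SYM_ADDRS, addr) - 1
            if i >= 0 and base <= SYMBOLS[i][0] < base + size:
                sbase, sname = SYMBOLS[i]
                off = addr - sbase
                return f"{name}!{sname}" + (f"+0x{off:x}" if off else "")
            return f"{name}+0x{addr - base:x}"
    return f"0x{addr:x} (not backed by a module)"


# Assumption: the "MS browser processes" of the slide are these images.
BROWSER_IMAGES = {"msedge.exe", "iexplore.exe"}


def triage(threads: List[Thread]) -> List[dict]:
    """Suspended threads, classified, with the parent PID kept for attribution."""
    findings = []
    for t in threads:
        if t.suspend_count <= 0:
            continue
        start, w32 = symbolize(t.start_address), symbolize(t.win32_start)
        if t.image.lower() in BROWSER_IMAGES and start.startswith("WorkFoldersShell.dll"):
            continue  # the one benign case the talk observed
        cloned = any("RtlpProcessReflectionStartup" in s for s in (start, w32))
        findings.append({
            "pid": t.pid, "ppid": t.ppid, "image": t.image, "tid": t.tid,
            "kind": "cloned process (reflection)" if cloned else "suspended thread",
            "start": start, "win32_start": w32,
        })
    return findings


SAMPLE_THREADS = [  # constructed
    Thread(1000, 600, "explorer.exe", 1004, 0, NTDLL_BASE + 0x1A2C0, 0x7FF6_6000_1000),
    Thread(4000, 1000, "notepad.exe", 4012, 1, NTDLL_BASE + 0x1A2C0, 0x7FF6_4000_1F20),
    Thread(5000, 1000, "msedge.exe", 5020, 1, 0x7FFB_3000_1234, 0x7FFB_3000_1234),
    Thread(6752, 7472, "DirtyVanity.exe", 6760, 1, NTDLL_BASE + 0x3F100, NTDLL_BASE + 0x3F100),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_THREADS):
        print(f)
```

The parent PID travels with each finding on purpose: for a clone the child is only the place the final injection step ran, and the process that created it is where the malware lives.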

Detecting Dirty Vanity
• Detecting the cloned process due to its suspended thread

• Parent (PID 7472) and cloned child (PID 6752)

EDR Bypasses without Code Overwrites
• The previous bypasses overwrote the code of hooked system call handlers, which has downsides:
⏤ Potentially unstable (overwriting while other threads are executing the stub)
⏤ EDRs can check their own hooks periodically
• Alternative methods were developed that do not overwrite EDR code but still execute system calls without being monitored:
⏤ Direct system calls
⏤ Indirect system calls
⏤ Exception handlers and debug registers

EDR Bypass: Direct System Calls [22, 23]
• Method: execute the syscall (or int 2e) instruction directly from the malware's code instead of going through the ntdll.dll handler
• Advantage: EDR hooks in ntdll.dll never see the calls
• Disadvantages:
⏤ Kernel-mode EDR monitors can still detect it (call stack examination)
⏤ The malware must first obtain the system call numbers (SSNs) of interest, which differ between Windows builds

Evolution of Direct System Calls – Dumpert [22]

(Annotated code screenshot; the callouts read:)
⏤ Parameter 1, others are the same
⏤ System call table index (SSN)
⏤ syscall instruction in malware code region

Evolution of Direct System Calls – Hell’s Gate [24]
• Dynamically resolves SSNs by obtaining and parsing a clean ntdll.dll
• Allows for much wider Windows version coverage

Evolution of Direct System Calls – More Gates
• Tartarus Gate [25]
⏤ Inserts NOP instructions into Hell's Gate's stubs to evade naive scanners
• Halo's Gate [26]
⏤ Finds neighboring, unhooked system call stubs to determine the SSN of hooked ones
• Address Sorting [27]
⏤ Sorts the Nt* stubs by address, exploiting the fact that ntdll lays them out in SSN order
• SysWhispers2 [28]
⏤ Implements Address Sorting in a simple wrapper for writing code in Visual Studio

Detecting Direct System Calls
• System calls should only be issued from a very limited set of DLLs:
⏤ ntdll.dll
⏤ wow64win.dll (WoW64 support)
⏤ win32u.dll (Win32k/GUI support)
• With direct system calls, the syscall instruction executes from an unexpected DLL or from a region not backed by a file (shellcode, reflectively loaded DLL, etc.)

Detecting Direct System Calls – EDRs [33]
• EDRs can monitor system calls from the kernel and resolve the code flow that led to each call through stack frame reconstruction [31, 32]
• Call stack spoofing is a highly popular bypass method for avoiding this detection [29, 30, 34]

Detecting Direct System Calls – Memory Forensics
• Our new detection algorithm looks for the code necessary to execute a system call outside of the expected DLLs
• Ingredients:
⏤ Update RAX/EAX (the SSN)
⏤ Update R10 (first argument, copied from RCX)
⏤ syscall or int 2e invocation
⏤ ret / retn / retf
• Light obfuscation is handled by searching for the set within a window of instructions around the invocation, ignoring NOPs
⏤ Extensive obfuscation is not feasible in a system call path
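The scan described on this slide and the expected-DLL filter from the "Detecting Direct System Calls" slide, as an added Python example on constructed data (not the windows.direct_system_calls plugin): every syscall or int 2e instruction in a region is checked for a nearby mov r10, rcx, an EAX update (mov eax, imm32 or the RIP-relative mov eax, [mem] that Hell's Gate uses) and a following ret, with NOPs stripped first so Tartarus Gate padding does not break the match; hits are then reported only for regions not backed by ntdll.dll, wow64win.dll or win32u.dll. The region bases, file paths and stub bytes are constructed; the Windows 10 x64 ntdll stub layout is reproduced so the filter can be seen doing its job.

```python
"""Scan memory regions for system call sequences outside the expected DLLs
(added example on constructed data, not the windows.direct_system_calls plugin)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXPECTED_SYSCALL_MODULES = {"ntdll.dll", "wow64win.dll", "win32u.dll"}
WINDOW = 24  # bytes inspected before and after the syscall/int 2e instruction
MOV_R10_RCX = (b"\x4c\x8b\xd1", b"\x49\x89\xca")    # both encodings of mov r10, rcx
RET_OPCODES = (b"\xc3", b"\xc2", b"\xcb", b"\xca")  # ret, retn imm16, retf, retf imm16


@dataclass
class Region:
    base: int
    data: bytes
    mapped_file: Optional[str]  # None: not file-backed (shellcode, reflective DLL)


@dataclass
class Finding:
    address: int
    kind: str                   # "syscall" or "int 2e"
    ssn: Optional[int]          # immediate of "mov eax, imm32" when one is present
    mapped_file: Optional[str]


def nop_len(buf: bytes, i: int) -> int:
    """Length of the NOP encoded at buf[i] (90, 66 90, 0F 1F /0 forms), else 0."""
    if i >= len(buf):
        return 0
    if buf[i] == 0x90:
        return 1
    if buf[i] == 0x66:                      # operand-size prefix on a NOP
        n = nop_len(buf, i + 1)
        return n + 1 if n else 0
    if buf[i:i + 2] == b"\x0f\x1f" and i + 2 < len(buf):
        modrm = buf[i + 2]
        mod, rm = modrm >> 6, modrm & 7
        return 3 + (1 if rm == 4 else 0) + {1: 1, 2: 4}.get(mod, 0)
    return 0


def strip_nops(buf: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(buf):
        n = nop_len(buf, i)
        if n:
            i += n
        else:
            out.append(buf[i])
            i += 1
    return bytes(out)


def find_eax_update(before: bytes) -> Tuple[bool, Optional[int]]:
    """Nearest EAX update before the invocation: (found, ssn_or_None)."""
    for i in range(len(before) - 1, -1, -1):
        if before[i] == 0xB8 and i + 5 <= len(before):               # mov eax, imm32
            return True, int.from_bytes(before[i + 1:i + 5], "little")
        if before[i:i + 2] == b"\x8b\x05" and i + 6 <= len(before):  # mov eax, [rip+disp32]
            return True, None
    return False, None


def scan_region(region: Region) -> List[Finding]:
    """All complete syscall sequences in one region, whatever backs it."""
    data, found = region.data, []
    for kind, opcode in (("syscall", b"\x0f\x05"), ("int 2e", b"\xcd\x2e")):
        pos = data.find(opcode)
        while pos != -1:
            before = strip_nops(data[max(0, pos - WINDOW):pos])
            after = strip_nops(data[pos + 2:pos + 2 + WINDOW])
            has_r10 = any(m in before for m in MOV_R10_RCX)
            has_eax, ssn = find_eax_update(before)
            if has_r10 and has_eax and after[:1] in RET_OPCODES:
                found.append(Finding(region.base + pos, kind, ssn, region.mapped_file))
            pos = data.find(opcode, pos + 1)
    return found


def direct_system_calls(regions: List[Region]) -> List[Finding]:
    """Findings from every region that is not one of the expected syscall DLLs."""
    hits = []
    for r in regions:
        name = (r.mapped_file or "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in EXPECTED_SYSCALL_MODULES:
            continue
        hits.extend(scan_region(r))
    return hits


# Constructed stubs. NTDLL_STUB follows the Windows 10 x64 layout (mov r10,rcx;
# mov eax,SSN; test byte ptr [7FFE0308h],1; jne; syscall; ret; int 2e; ret).
NTDLL_STUB = bytes.fromhex("4c8bd1 b850000000 f60425 0803fe7f 01 7503 0f05 c3 cd2e c3")
HELLSGATE_STUB = bytes.fromhex("4c8bd1 8b0520100000 0f05 c3")  # mov eax,[rip+0x1020]
TARTARUS_STUB = bytes.fromhex("4c8bd1 90 0f1f4000 b818000000 6690 0f05 0f1f00 c3")

REGIONS = [
    Region(0x7FFB_1009_D000, b"\xcc" * 16 + NTDLL_STUB, r"C:\Windows\System32\ntdll.dll"),
    Region(0x1A2B_0000, b"\xcc" * 8 + HELLSGATE_STUB + b"\xcc" * 8, None),
    Region(0x7FFB_2000_1000, b"\x90" * 4 + TARTARUS_STUB, r"C:\Users\Public\loader.dll"),
]

if __name__ == "__main__":
    for h in direct_system_calls(REGIONS):
        ssn = f"0x{h.ssn:x}" if h.ssn is not None else "resolved at runtime"
        print(f"0x{h.address:x} {h.kind:7} SSN {ssn} in {h.mapped_file or '<not file-backed>'}")
```

The byte-pattern approach is deliberately simple: a B8 that is really part of another instruction's immediate will also match, so the output is a triage list for an analyst rather than a verdict. In a real image the regions come from each process' VAD tree and mapped_file from the VAD's file object, which is also what lets the expected-DLL filter discard the genuine ntdll stubs.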

windows.direct_system_calls vs HellsGate

EDR Bypass: Indirect System Calls [35]
• Technique: instead of placing the syscall invocation inside the malware's own code, jump to a syscall instruction inside a legitimate module
• Advantage: bypasses EDRs/techniques that only examine the first level of the call stack
• Downside: still requires call stack spoofing for a complete bypass

Detecting Indirect System Calls

EDR Bypass: Exception Handlers and Debug Registers [36-38]

• Abusing debug registers was first discussed in Phrack in 2008 [39]
• Recently combined with the abuse of exception handlers to bypass EDRs
• Although many variations exist, the general concept is to execute the syscall from the exception handler to avoid EDR monitoring
• *Must* read on the topic [40]

MutationGate’s Bypass

MutationGate’s VEH

Detecting Vectored Exception Handlers (VEH)
• Previous research from NCC Group and Dimitri Fourny showed how to enumerate VEHs [41, 42]
• Testing showed that many legitimate applications register VEHs, so their presence alone is not an indicator
• We analyzed the source code of open-source tools and performed binary analysis of closed-source malware to determine how malicious handlers operate

New Volatility Plugin: windows.veh
• Reports handlers that manipulate the following registers in the exception CONTEXT:
⏤ RAX/EAX (SSN for a syscall, or a faked function return value)
⏤ R10 (first syscall argument)
⏤ RSP/stack pointer (several evasion purposes)
⏤ RIP/instruction pointer (several evasion purposes)
⏤ RCX (start address passed to thread creation)

EDRception's Unhandled Exception Handler (UEH) [43]

• A PoC project by Marcus Hutchins that bypasses EDRs with a UEH

Detecting Unhandled Exception Handlers (UEH)
• The address of the UEH is stored in the global BasepCurrentTopLevelFilter variable
• We enumerate these handlers and perform the same checks as for VEHs
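The register-write check that windows.veh applies and that this slide reuses for the UEH, as an added Python example (not Volatility code): once a handler's code bytes have been read from the image, they are scanned for stores into the fields of the x64 CONTEXT structure that the talk lists. The CONTEXT offsets come from the public winnt.h layout (Rax 0x78, Rcx 0x80, Rsp 0x98, R10 0xC8, Rip 0xF8); the two handler bodies and their addresses are constructed, and the decoder only understands the `mov [base+disp], reg` and `mov [base+disp], imm32` store forms tried at every byte offset, which a real plugin would replace with a full disassembler.

```python
"""Flag exception handlers that write syscall-relevant CONTEXT fields
(added example on constructed handler bytes; not the windows.veh plugin)."""
from typing import Dict, List, Optional, Tuple

# Offsets in the x64 CONTEXT structure (winnt.h) for the registers the talk checks.
CONTEXT_FIELDS = {0x78: "Rax", 0x80: "Rcx", 0x98: "Rsp", 0xC8: "R10", 0xF8: "Rip"}
FIELD_ORDER = list(CONTEXT_FIELDS.values())


def decode_store(buf: bytes, i: int) -> Optional[Tuple[int, int]]:
    """Decode 'mov [base+disp], reg' (89 /r) or 'mov [base+disp], imm32' (C7 /0)
    at buf[i], with an optional REX prefix. Returns (length, disp) or None."""
    j = i
    if j < len(buf) and 0x40 <= buf[j] <= 0x4F:
        j += 1                                   # REX prefix
    if j + 1 >= len(buf):
        return None
    op, modrm = buf[j], buf[j + 1]
    j += 2
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if op not in (0x89, 0xC7) or mod == 3 or (op == 0xC7 and reg != 0):
        return None
    if rm == 4:                                  # SIB byte follows
        if j >= len(buf):
            return None
        sib, j = buf[j], j + 1
        if mod == 0 and (sib & 7) == 5:
            mod = 2                              # [index*scale+disp32] form
    elif mod == 0 and rm == 5:
        return None                              # RIP-relative: not a CONTEXT write
    if mod == 1:
        if j + 1 > len(buf):
            return None
        disp, j = int.from_bytes(buf[j:j + 1], "little", signed=True), j + 1
    elif mod == 2:
        if j + 4 > len(buf):
            return None
        disp, j = int.from_bytes(buf[j:j + 4], "little", signed=True), j + 4
    else:
        disp = 0
    if op == 0xC7:
        if j + 4 > len(buf):
            return None
        j += 4                                   # imm32
    return j - i, disp


def context_writes(code: bytes) -> List[str]:
    """CONTEXT fields written by stores found at any byte offset of the handler."""
    found = set()
    for i in range(len(code)):
        decoded = decode_store(code, i)
        if decoded and decoded[1] in CONTEXT_FIELDS:
            found.add(CONTEXT_FIELDS[decoded[1]])
    return sorted(found, key=FIELD_ORDER.index)


def triage_handlers(handlers: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Keep only handlers (VEH or UEH, same check) that touch a listed register."""
    suspicious = {}
    for name, code in handlers.items():
        fields = context_writes(code)
        if fields:
            suspicious[name] = fields
    return suspicious


# Constructed handler bodies: what a VEH/UEH's code looks like once its pointer
# has been located and its bytes read from the memory image.
SYSCALL_VEH = bytes.fromhex(
    "48 8b 41 08"                    # mov rax, [rcx+8]             ; ContextRecord
    "c7 40 78 18 00 00 00"           # mov dword ptr [rax+78h], 18h ; Rax = SSN
    "48 8b 88 80 00 00 00"           # mov rcx, [rax+80h]           ; Rcx
    "48 89 88 c8 00 00 00"           # mov [rax+0C8h], rcx          ; R10 = Rcx
    "48 ba 00 10 00 20 fb 7f 00 00"  # mov rdx, <syscall gadget>
    "48 89 90 f8 00 00 00"           # mov [rax+0F8h], rdx          ; Rip = gadget
    "b8 ff ff ff ff"                 # mov eax, EXCEPTION_CONTINUE_EXECUTION
    "c3"                             # ret
)
CRASH_FILTER = bytes.fromhex(
    "48 8b 01"                       # mov rax, [rcx]               ; ExceptionRecord
    "8b 00"                          # mov eax, [rax]               ; ExceptionCode
    "3d 05 00 00 c0"                 # cmp eax, 0C0000005h
    "75 02"                          # jne +2
    "33 c0"                          # xor eax, eax                 ; EXCEPTION_CONTINUE_SEARCH
    "c3"                             # ret
)
HANDLERS = {
    "VEH[0] -> 0x1a2b3000 (not file-backed)": SYSCALL_VEH,
    "UEH BasepCurrentTopLevelFilter -> reporter.dll+0x4a10": CRASH_FILTER,
}

if __name__ == "__main__":
    for name, fields in triage_handlers(HANDLERS).items():
        print(f"{name}: writes {', '.join(fields)}")
```

Locating the handler bytes is the part this example skips: VEH entries in ntdll's handler list store the handler pointer encoded with the process cookie and must be decoded before the code at that address can be read, which is what the enumeration work in [41, 42] covers. Whether a handler lives in a file-backed module or in an unbacked region is worth reporting alongside the register list, since that is the same "where does the code live" question the direct-syscall detection asks.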

Patchless AMSI’s Abuse of Debug Registers [44]

Patchless AMSI’s Breakpoint Handler

Detecting Patchless AMSI

Questions? Comments?
Please read our whitepaper - 19 pages with technical details!

Contact
[email protected]

Social Media
- @volexity, @volatility, @lsucyber, @attrc
- https://www.linkedin.com/in/andrewcase/

References
[1] https://pre.empt.blog/2023/maelstrom-5-edr-kernel-callbacks-hooks-and-call-stacks
[2] https://jsecurity101.medium.com/understanding-telemetry-kernel-callbacks-1a97cfcb8fb3
[3] https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
[4] https://github.com/subat0mik/whoamsi
[5] https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/
[6] https://synzack.github.io/Blinding-EDR-On-Windows/
[7] https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6
[8] https://nyameeeain.medium.com/etw-bypassing-with-custom-binary-together-e2249e2f5b02
[9] https://jsecurity101.medium.com/understanding-etw-patching-9f5af87f9d7b
[10] https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
[11] http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx
[12] https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf
[13] https://www.advania.co.uk/insights/blog/a-practical-guide-to-bypassing-userland-api-hooking/
[14] https://github.com/wavestone-cdt/EDRSandblast
[15] https://github.com/CCob/SylantStrike/tree/master
[16] https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/
[17] https://github.com/bytecode77/r77-rootkit
[18] https://github.com/plackyhacker/Peruns-Fart/
[19] https://www.hawk-eye.io/2023/06/freeze-a-payload-toolkit-for-bypassing-edrs-using-suspended-processes/
[20] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Nissan-DirtyVanity.pdf
[21] https://github.com/huntandhackett/process-cloning
[22] https://www.outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
[23] https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf
[24] https://github.com/am0nsec/HellsGate/blob/master/hells-gate.pdf
[25] https://github.com/trickster0/TartarusGate
[26] https://blog.sektor7.net/#!res/2021/halosgate.md
[27] https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
[28] https://github.com/jthuraisamy/SysWhispers2
[29] https://dtsec.us/2023-09-15-StackSpoofin/
[30] https://klezvirus.github.io/RedTeaming/AV_Evasion/StackSpoofing/
[31] https://www.elastic.co/security-labs/upping-the-ante-detecting-in-memory-threats-with-kernel-call-stacks
[32] https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks
[33] https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1
[34] https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs
[35] https://github.com/Maldev-Academy/HellHall
[36] https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/
[37] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-
based-loader/
[38] https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html
[39] http://phrack.org/issues/65/8.html
[40] https://redops.at/en/blog/syscalls-via-vectored-exception-handling
[41] https://dimitrifourny.github.io/2020/06/11/dumping-veh-win10.html
[42] https://research.nccgroup.com/2022/03/01/detecting-anomalous-vectored-exception-handlers-on-windows/
[43] https://github.com/MalwareTech/EDRception?tab=readme-ov-file
[44] https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/
[45] https://www.microsoft.com/en-us/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/