An Introduction to Bypassing User Mode EDR Hooks

While cross-referencing notes against old blog posts, I realized that I never actually published the majority of my work on system calls and user mode hooking.
System calls are the standard way to transition from user mode to kernel mode.
On Windows, the kernel has a table of functions that are allowed to be called from user mode: the System Service Descriptor Table (SSDT).
To call a system service from user mode, a system call must be performed, which is done via the syscall instruction.
The System Service Number (SSN), also called the System Service ID, is the index of the function's entry within the SSDT. So, setting eax to 0 will call the first function in the SSDT, 1 will call the second, 2 will call the third, and so on.
The ntdll versions of these functions simply perform syscalls to call their kernel mode counterparts, which is why they're often referred to as system call stubs.
This is due to the fact that Nt functions are designed to be called from user mode, and therefore do more extensive validation of function parameters.
Previously, security products monitored user mode calls from inside the kernel by hooking the SSDT. Since all Nt/Zw functions are implemented in the kernel, all user mode calls must go through the SSDT, and are therefore subject to SSDT hooks.
Once the EDR is done, it can resume the ntdll call by executing the overwritten instructions, then jumping to the location in ntdll right after the hook.
Whenever the EDR wants to call the real NtWriteFile, it executes the 3 overwritten instructions, then jumps to the 4th instruction of the hooked function to complete the syscall.
If the SSN for the function we want to call is 0x18, then the one directly before it will likely be 0x17 and the one directly after, 0x19. Since the EDR doesn't hook every Nt function, we can simply grab the SSN from the nearest non-hooked function, then calculate the one we want by adding or subtracting how many functions are between it and our target function.
The function before it is system call number 0x17, and the function after it is 0x19. We can easily assume that the SSN we want is 0x18. This method does have one flaw though: we can't 100% guarantee system call numbers will remain sequential forever, or the DLL won't skip a few.
If we perform a manual syscall, and somewhere along the way the kernel function we call hits any of the above, the EDR could take the opportunity to inspect the call stack of our thread. By unwinding the call stack and inspecting return addresses, the EDR can see the entire chain of function calls that led to this syscall.
This tells us that the executable called VirtualAlloc(), which called NtAllocateVirtualMemory(), which then performed a system call to transition into kernel mode.
Because direct system calls are such a strong indicator of malicious activity, more sophisticated EDRs will log detections for system calls that originated outside ntdll.
One issue we could run into is if the EDR hooks or overwrites the syscall instruction part of the Nt call.
Call stack inspection reveals not just where the syscall came from, but who called the function that executed the syscall.
Since the function is hooked by the EDR, the EDR's hook would be expected to appear in the call stack.
As you can see here, it's clear from the call stack that we bypassed the EDR hook.
The EDR's hook is visible in the call stack from a regular call but not from an indirect syscall.
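The two call-stack checks described above (a syscall whose return address is outside ntdll, and a hooked stub reached without the EDR's hook frame in the chain) as detection logic over constructed stacks. This is an added example, not code from the original post; the module map, addresses and the hypothetical "edr_hook.dll" name are all made up for illustration.

```python
"""Call-stack triage for a system call (added example, constructed data).

frames are return addresses, innermost first: frames[0] is the address
right after the `syscall` instruction that entered the kernel.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map; "edr_hook.dll" is a hypothetical stand-in for
# whatever user-mode DLL a product injects to host its hooks.
MODULES = [
    Module("ntdll.dll", 0x7FFA00000000, 0x1F0000),
    Module("kernel32.dll", 0x7FFA10000000, 0xC0000),
    Module("edr_hook.dll", 0x7FFA20000000, 0x80000),
    Module("app.exe", 0x400000, 0x20000),
]
EDR_MODULE = "edr_hook.dll"


def module_for(addr: int) -> Optional[str]:
    """Map a return address to the module that backs it, if any."""
    for m in MODULES:
        if m.contains(addr):
            return m.name
    return None


def classify(frames: List[int], stub_is_hooked: bool) -> Tuple[str, List[str]]:
    """Return (verdict, module chain) for one captured stack.

    Check 1: the syscall instruction must sit inside ntdll; anything else is
             a direct syscall and is flagged regardless of the callers.
    Check 2: if the stub is hooked, a regular call passes through the hook,
             so the EDR module must appear in the chain. Its absence means
             the hook was skipped (an indirect syscall into the stub).
    """
    chain = [module_for(a) or "<unbacked>" for a in frames]
    if chain[0] != "ntdll.dll":
        return f"direct syscall from {chain[0]}", chain
    if stub_is_hooked and EDR_MODULE not in chain:
        return "indirect syscall: hook frame missing", chain
    return "normal", chain


# Constructed stacks for a hooked NtAllocateVirtualMemory, innermost first.
NORMAL = [0x7FFA00001234, 0x7FFA20002040, 0x7FFA10003100, 0x401020]
DIRECT = [0x401180, 0x401020]                      # syscall executed in app.exe
INDIRECT = [0x7FFA00001234, 0x401180, 0x401020]    # jumped to ntdll's syscall
```

The NORMAL chain is the regular-call picture from the text (ntdll, EDR hook, kernel32, app); the other two are the cases an EDR logs.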


This Cyber News was published on malwaretech.com. Publication date: Mon, 25 Dec 2023 08:13:05 +0000

