Repository Details

EDRs

This repo contains information about EDRs that can be useful during red team exercises.

patch_syscall_dynamically64.c

This proof-of-concept resolves the syscall ID dynamically, so there is no need to check the Windows version running on the remote host. To read the information from the on-disk (untampered) copy of the DLL, it calls the CreateFileMapping and MapViewOfFile Windows APIs. The mapped DLL is then parsed to retrieve the data, which is used to patch the live code.

patch_syscall64.c

This proof-of-concept patches the syscall ID specified in the code. The live version of the DLL is patched using the hardcoded syscall ID and then reverted to its original unpatched state.

get_syscall64.c

This utility is used to retrieve the syscall ID associated with a Windows API.

get_syscall64.exe ntdll.dll NtOpenProcess

ntdll.dll!NtOpenProcess at 0x00007FF873F6CAD0
NtOpenProcess syscall ID 0x00000026 (38)

unhookIAT.c

This proof-of-concept detects hooks placed by EDR/AV/malware in the Import Address Table and replaces them with the original addresses (coded by xalicex).

Excel version of the list of hooks

EDRs.xlsx, formatted by Vincent Yiu

Markdown version of the list of hooks

EDRs.md, formatted by Vincent Yiu

EDRs Hooked APIs

Want to contribute? Simply run hook_finder64.exe C:\windows\system32\ntdll.dll and submit the output.

CrowdStrike hooked ntdll.dll APIs

CrowdStrike hooks list

The newer version moved away from UMH (user-mode hooking) and instead relies on kernel callbacks, as shown below:

(image: kernel callback)

SentinelOne hooked ntdll.dll APIs

SentinelOne hooks list

Cylance hooked ntdll.dll APIs (Thanks to Seemant Bisht)

Cylance hooks list

Sophos hooked ntdll.dll APIs

Sophos hooks list

Attivo Deception hooked ntdll.dll APIs

Attivo hooks list

CarbonBlack hooked ntdll.dll APIs (Thanks to Hackndo)

CarbonBlack hooks list

Symantec hooked ntdll.dll APIs (Thanks to CarsonSallis)

Symantec hooks list

DeepInstinct hooked ntdll.dll APIs (Thanks to P0chAcc0)

DeepInstinct hooks list

McAfee hooked ntdll.dll APIs

McAfee hooks list

CheckPoint SandBlast hooked ntdll APIs

CheckPoint SandBlast hooks list

ESET Endpoint Security 8.0.2028.0 hooked ntdll APIs

ESET hooks list

TrendMicro 17.7.1130 hooked ntdll APIs

TrendMicro hooks list

Cortex XDR hooked APIs (KERNEL MODE)

⚠️ These hooks are set in kernel mode. They can't be unhooked from user mode.

Cortex XDR hooks list

Bitdefender hooked ntdll APIs

Bitdefender hooks list

Credit

Mr.Un1k0d3r RingZer0 Team

And the whole community <3
