  • Language: C
  • License: BSD 3-Clause "New...
  • Created over 1 year ago
  • Updated over 1 year ago


Repository Details

Ruy-Lopez

Ruy Lopez Opening

Endpoint Detection and Response systems (EDRs) are like the white player in a Chess game:

  • They make the first move, with hooks loaded directly via the kernel
  • The EDR DLL is typically loaded directly after ntdll.dll

But what if we can prevent their DLL from being loaded at all? Do we then become the white player and get to make the first moves (for the new process at least)?

This repository contains the Proof-of-Concept (PoC) for a new approach to completely prevent DLLs from being loaded into a newly spawned process. The initial use-case idea was to block AV/EDR vendor DLLs from being loaded, so that detections based on userland hooking are bypassed.



The simplified workflow of the PoC looks as follows:

[Figure: workflow diagram]

The HookForward subfolder contains the actual PIC code, which can be used as the entry point for a hooked NtCreateSection function. Blockdll.nim, on the other hand, spawns a new PowerShell process in suspended mode, injects the shellcode into that process and remotely hooks NtCreateSection to JMP to our shellcode. As this is a PoC, only amsi.dll is blocked in the new process (PowerShell in this case), which effectively leads to an AMSI bypass. But the PoC was also tested against multiple EDR vendors and their DLLs before release, without throwing an alert or being blocked. I expect detections to come up after releasing it here.

Challenges / Limitations

  • When customizing this PoC, you can only use ntdll.dll functions in the PIC-Code, as the process is not fully initialized yet when the hook occurs and therefore only ntdll.dll is loaded. Other DLLs also cannot be loaded by the shellcode, because process initialization has to take place first.
  • This PoC can only prevent DLLs from being loaded which are not injected but instead loaded normally. Some vendors inject specific or single DLLs.
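
From the defender's side, the remote hook described above shows up as a changed NtCreateSection prologue, and because only ntdll.dll is mapped at that stage, a jump leaving ntdll's image points at memory not backed by any module. The following C code is an added example (not code from this repository) that classifies the first bytes of a syscall stub on that basis; classify_stub, image_range and all sample addresses and bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { STUB_CLEAN, STUB_JMP_IN_IMAGE, STUB_JMP_UNBACKED, STUB_MODIFIED } stub_verdict;
typedef struct { uint64_t base, size; } image_range;  /* one mapped module image */

static int in_images(uint64_t addr, const image_range *imgs, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= imgs[i].base && addr - imgs[i].base < imgs[i].size) return 1;
    return 0;
}

/* Absolute target of a jump placed at the stub start (little-endian x64 host assumed).
   Recognized forms: E9 rel32, and 48 B8 imm64 FF E0 (mov rax, imm64; jmp rax). */
static int jump_target(const uint8_t *b, size_t len, uint64_t va, uint64_t *target) {
    if (len >= 5 && b[0] == 0xE9) {
        int32_t rel; memcpy(&rel, b + 1, 4);
        *target = va + 5 + (uint64_t)(int64_t)rel;
        return 1;
    }
    if (len >= 12 && b[0] == 0x48 && b[1] == 0xB8 && b[10] == 0xFF && b[11] == 0xE0) {
        memcpy(target, b + 2, 8);
        return 1;
    }
    return 0;
}

stub_verdict classify_stub(const uint8_t *b, size_t len, uint64_t va,
                           const image_range *imgs, size_t n) {
    static const uint8_t clean[] = { 0x4C, 0x8B, 0xD1, 0xB8 };  /* mov r10, rcx; mov eax, imm32 */
    uint64_t target;
    if (len >= 8 && memcmp(b, clean, sizeof clean) == 0 && b[6] == 0 && b[7] == 0)
        return STUB_CLEAN;  /* unpatched prologue; syscall number fits in 16 bits */
    if (jump_target(b, len, va, &target))
        return in_images(target, imgs, n) ? STUB_JMP_IN_IMAGE : STUB_JMP_UNBACKED;
    return STUB_MODIFIED;
}
/* Constructed sample data: addresses and bytes are made up for illustration. */
static const image_range NTDLL = { 0x7FFA10000000ULL, 0x200000ULL };
static const uint64_t STUB_VA = 0x7FFA10010000ULL;
static const uint8_t CLEAN_STUB[] = { 0x4C,0x8B,0xD1,0xB8, 0x4A,0x00,0x00,0x00 };
static const uint8_t FAR_HOOK[]   = { 0x48,0xB8, 0x00,0x00,0x1F,0x00,0,0,0,0, 0xFF,0xE0 };
int main(void) {
    printf("clean stub -> %d, hooked stub -> %d\n",
           (int)classify_stub(CLEAN_STUB, sizeof CLEAN_STUB, STUB_VA, &NTDLL, 1),
           (int)classify_stub(FAR_HOOK, sizeof FAR_HOOK, STUB_VA, &NTDLL, 1));
    return 0;
}
```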

Setup

On Linux, the PIC code was found to compile correctly with mingw-w64 version 10-win32 20220324 (GCC). With that version installed, the shellcode can be compiled with a simple make and extracted from the .text section via bash extract.sh. Newer mingw-w64 versions, such as 12, did lead to crashes for me, which I'm currently not planning to troubleshoot/fix.

If you'd like to compile from Windows, you can use the following commands:

as -o directjump.o directjump_as.asm
gcc ApiResolve.c -Wall -m64 -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o ApiResolve.o -Wl,--no-seh
gcc HookShellcode.c -Wall -m64 -masm=intel -ffunction-sections -fno-asynchronous-unwind-tables -nostdlib -fno-ident -O2 -c -o HookShellcode.o -Wl,--no-seh
ld -s directjump.o ApiResolve.o HookShellcode.o -o HookShellcode.exe
gcc extract.c -o extract.exe
extract.exe

You also need to have Nim installed for this PoC.

After installation, the dependencies can be installed via the following one-liner:

nimble install winim

The PoC can then be compiled with:

nim c -d:release -d=mingw -d:noRes BlockDll.nim # Cross compile
nim c -d:release BlockDll.nim # Windows

PoC

OPSec improvement ideas

  • Userland-hook evasion for injection from the host process
  • RX Shellcode (needs some PIC-code changes)
  • Use hashing instead of plain APIs to block
  • Use hardware breakpoints instead of hooking

CREDITS

Footnotes

  1. https://bruteratel.com/release/2022/08/18/Release-Scandinavian-Defense/
