Little AV/EDR Evasion Lab for training & learning purposes. (????️ under construction..)
____ _ _____ ____ ____ ___ __ _____ _
| __ ) ___ ___| |_ | ____| _ \| _ \ / _ \ / _| |_ _| |__ ___
| _ \ / _ \/ __| __| | _| | | | | |_) | | | | | |_ | | | '_ \ / _ \
| |_) | __/\__ \ |_ | |___| |_| | _ < | |_| | _| | | | | | | __/
|____/_\___||___/\__| |_____|____/|_| \_\ \___/|_| |_| |_| |_|\___|
| \/ | __ _ _ __| | _____| |_
| |\/| |/ _` | '__| |/ / _ \ __|
| | | | (_| | | | < __/ |_ Yazidou - github.com/Xacone
|_| |_|\__,_|_| |_|\_\___|\__|
BestEDROfTheMarket is a naive user-mode EDR (Endpoint Detection and Response) project, designed to serve as a testing ground for understanding and bypassing EDR’s user-mode detection methods that are frequently used by these security solutions.
These techniques are mainly based on a dynamic analysis of the target process state (memory, API calls, etc.),
In progress:
Usage: BestEdrOfTheMarket.exe [args]
/help Shows this help message and quit
/v Verbosity
/iat IAT hooking
/stack Threads call stack monitoring
/nt Inline Nt-level hooking
/k32 Inline Kernel32/Kernelbase hooking
/ssn SSN crushing
BestEdrOfTheMarket.exe /stack /v /k32
BestEdrOfTheMarket.exe /stack /nt
BestEdrOfTheMarket.exe /iat
???? BestEdrOfTheMarket/
???? BestEdrOfTheMarket.exe
???? DLLs/
???? Kernel32.dll
???? ntdll.dll
???? iat.dll
???? TrigerringFunctions.json
???? YaroRules.json
???? jsoncpp.dll
YaroRules.json: Contains a json array filled with the patterns you would like to be identified while monitoring threads call stacks.
{
"Patterns": [
"d2 65 48 8b 52 60 48 8b 52 18 48 8b 52 20 48 8b 72 50 48",
"49 be 77 73 32 5f 33 32 00 00",
"..."
]
}
TrigerringFunctions.json: Describes the functions that are already hooked or/and to hook:
ℹ️ Note on call stack monitoring: Some NT routines are more appropriate and less exposed to false positives, for instance, it is strongly recommended to monitor the NtCreateFile
when targeting an encrypted shellcode loader, but you should avoid it when targeting a reflective loader in favor of NtCreateUserProcess
, which is better suited.
{
"DLLBasedHooking": {
"NTDLL.dll": [
"NtAllocateVirtualMemory",
"..."
],
"KERNELBASE.dll": [
"VirtualAlloc"
"..."
],
"KERNEL32.dll": [
"VirtualAlloc"
"..."
]
},
"StackBasedHooking": {
"Functions": [
"NtCreateUserProcess",
"..."
]
},
"SSNCrushingRoutines": {
"Functions": [
"NtCreateSection"
"..."
]
},
"IATHooking": {
"Functions": [
"VirtualAlloc",
"..."
]
}
}
If you don’t compile your own DLLs, take a look at the functions already hooked into the DLLs provided in sources.
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…