Skip to content

Xacone/BestEdrOfTheMarket

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

88 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Little AV/EDR Evasion Lab for training & learning purposes. (🏗️ under construction..)​


BestEDROfTheMarket is a naive user-mode EDR (Endpoint Detection and Response) project, designed to serve as a testing ground for understanding and bypassing EDR's user-mode detection methods that are frequently used by these security solutions.
These techniques are mainly based on a dynamic analysis of the target process state (memory, API calls, etc.),

➡️ What's new in Best EDR Of The Market v1.1.0 🏹

Defensive Techniques ⚔️​

In progress:

List of hooks 🪝

NTDLL hooks (More hooks on road..)


Function Description
NtProtectVirtualMemory Change the protection on a region of committed pages in the virtual address space of a process using native API.
NtWriteVirtualMemory Write data to the memory of a specified process using native API.
NtMapViewOfSection Create a view of a section of a file mapping into the address space of the calling process using native API.

Kernel32/Base hooks


Function Description
VirtualAlloc Allocate memory in the virtual address space of a process.
WriteProcessMemory Write data to the memory of a specified process.
VirtualFree Release or decommit a region of memory previously allocated.
VirtualFreeEx Release or decommit a region of memory in a specified process.
VirtualProtect Change the protection on a region of committed pages in the virtual address space of a process.
MapViewOfFile Create a view of a file mapping into the address space of the calling process.
VirtualProtectEx Change the protection on a region of committed pages in the virtual address space of a specified process.
UnmapViewOfFile Unmap a mapped view of a file from the calling process's address space.
VirtualQuery Retrieve information about a range of pages in the virtual address space of a specified process.
ReadProcessMemory Read data from the memory of a specified process.
InternetOpenUrlW Opens a URL for reading on the internet.
InternetReadFile Reads data from a handle opened by the InternetOpenUrl or InternetOpenUrlW function.
InternetReadFileExW Reads data from a handle opened by the InternetOpenUrl or InternetOpenUrlW function, and can also return additional data.
InternetOpenW Initializes an application's use of the WinINet functions.

Import Address Table (IAT) Hooks


Function Name Purpose
WriteProcessMemory Writes data to an area of memory in a specified process
ReadProcessMemory Reads data from an area of memory in a specified process
VirtualAlloc Reserves or commits a region of memory within the virtual address space of a process
VirtualAllocEx Reserves or commits a region of memory within the virtual address space of a specified process
VirtualProtect Changes the access protection for a region of committed pages in the virtual address space of the calling process
HeapAlloc Allocates a block of memory from a heap
HeapFree Frees a memory block allocated from a heap
LoadLibraryA Loads the specified module into the address space of the calling process
LocalFree Frees the specified local memory object and invalidates its handle
VirtualQuery Retrieves information about a range of pages in the virtual address space of a specified process
InternetOpenW Initializes an application's use of the WinINet functions
InternetOpenUrlW Opens a URL
InternetReadFile Reads data from a handle opened by the InternetOpenUrl or InternetOpenUrlEx function
VirtualProtectEx Changes the protection on a region of committed pages in the virtual address space of a specified process

Usage 📜

Usage: BestEdrOfTheMarket.exe [args]


      /help : Shows this help message and quit
      /v : Verbosity  
      /p : Target process path (PID required if not specified)
      /yara : Enabling scanning YARA rules canning
      /iat : IAT hooking
      /stack : Threads call stack monitoring
      /nt : Inline Nt-level hooking
      /k32 : Inline Kernel32/Kernelbase hooking
      /ssn : SSN crushing
      /direct : Direct syscalls detection
      /indirect : Indirect syscalls detection
      /heap : Enabling heap regions analysis (to use with /iat, /k32 or /nt)

Examples⚡

Low-Level Shellcode Injector Detection (Stack analysis + YARA)
BestEdrOfTheMarket.exe /stack /p C:\Samples\MediumLevelDropper.exe /yara /v


Early Bird APC Queue Injector detection (Kernel32 hooking + Normal patterns)
BestEdrOfTheMarket.exe /p C:\Samples\apc_injector.exe /k32 /yara /v


Early Bird APC Queue Injector detection (IAT hooking + YARA)
BestEdrOfTheMarket.exe /p C:\Users\1234Y\apc_injector\x64\Debug\apc_injector.exe /iat /yara


Low level Early Bird APC Queue Injector detection (NT-level hooking + Normal patterns)
BestEdrOfTheMarket.exe /p C:\Samples\low_level_apc_inector.exe /nt


Indirect Syscalls Detection (Stack pointer sanity check)
Hell's Hall (@Maldev-Academy) Github repository

BestEdrOfTheMarket.exe /p C:\Malwares\HellsHall.exe /indirect /v


Direct Syscalls Detection (Instruction pointer sanity check)
DenfensiveInjector (@bats3c) Github repository

BestEdrOfTheMarket.exe /direct /p C:\Malwares\defensiveinjector.exe


Reflective DLL Injector (Heap analysis + YARA)
BestEdrOfTheMarket.exe /p C:\Malwares\ReflectiveDLLInjection.exe /iat /heap


AMSI Patcher detection
BestEdrOfTheMarket.exe /p C:\Malwares\etw_amsi_patcher.exe /v /nt



Structure & Config files ⚙️

📁 BestEdrOfTheMarket/
    📄 BestEdrOfTheMarket.exe
    📁 DLLs/
        📄 KerneI32.dll
        📄 ntdII.dll
        📄 iat.dll
        📄 callbacks.dll
        📄 magicbp.dll
    📁 YARA/
        📄 Metasploit_Artefacts_Rule.yara
        📄 ...
    📝 YaroRules.json
    📄 jsoncpp.dll
    📄 libcrypto-3-x64.dll

YaroRules.json: Contains a json array filled with the simple/normal (not Yara) patterns you would like to be identified through the defensive mechanisms.

{
	"StackPatterns": [
		"40 53 48 83 EC 90 65 48 8B 04",
    "..."
	],
	"HeapPatterns": [
		"4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00",
    "..."
    ],
	"DllHookingPatterns": [
		"59 61 7A 69 64 6F 75",
    "..."
	],
	"GeneralPatterns": [
		"FC E8 82 00 00 00 60 89 E5 31 C0 64 8B 50",
		"..."
	]	
}		

Disclaimer ⚠️

  • There's no interest in mixing the defensive methods or in putting them all (/nt + /stack + /k32 + /blahblah) as you may encounter crashes due to conflicts beetwen them, especially for low level hooks. Activate the one you want depending on your needs.

  • Don't link the EDR to programs that are too CPU-intensive/thread-creating, as some detection techniques such as call stack analysis constantly monitor the stack state of each thread and this can quickly increase the load on the EDR, it's more relevant (that's also the point) that you link the tool to your own artifacts and keep in mind that a good evasive artifact tries to be as discrete as possible.