With the release of this blogpost, we're past the halfway point of my internship; time flies when you're having fun.

In the course of these 6 weeks, I've covered several aspects of kernel drivers and EDR/AVs' kernel mechanisms. I started off strong by examining kernel callbacks and why EDR/AV products use them extensively to gain vision into what's happening on the system. I confirmed these concepts by leveraging existing work against $vendor1 and successfully executing Mimikatz on the compromised system. Then I took a step back and did a deep dive in the inner structure and workings of a kernel driver, how it communicates with other drivers and applications and how I can intercept these communications using IRP MajorFunction hooks. Once I had the basics sorted and got comfortable working with the kernel and a kernel debugger, I started developing my own driver called Interceptor, which has kernel callback patching and IRP MajorFunction hooking capabilities.

I took the driver for a test drive against $vendor2 and concluded that attacking an EDR/AV product from kernel land alone is not sufficient and user land detection techniques should be taken into consideration as well. To solve this problem, I then developed a custom shellcode injector using the EarlyBird technique, which combined with the Interceptor driver was able to partially bypass $vendor2 and launch a meterpreter session on the compromised system. After this small success, I spent a good amount of time on code maintenance, refactoring, bug fixing and research, which has brought me to today's blogpost. In this blogpost I would like to conclude the kernel callbacks, having solved my issues with registry and object callbacks, revisit the shellcode injector in a bit more detail and once more bring the fight to $vendor2.

Having covered process, thread and image callbacks in the previous blogposts, I think it's only fair if we conclude this topic with registry and object callbacks. In the previous blogpost, I demonstrated how we can retrieve and enumerate the registry callback doubly linked list. The code to patch and subsequently restore these callbacks is almost identical, using the same iteration method. For the sake of simplicity, I decided to store the patched callbacks internally in an array of size 64, instead of another linked list.