[losio]

Instrumentation callbacks are a post-op syscall hook that allows a user to execute a specified function before the kernel returns execution to the userland process.

Various security products place hooks in user-mode APIs which allow them to redirect execution flow to their engines and detect for suspicious behaviour. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks.

More info and credit about this tecnique here:
https://outflank.nl/blog/2019/06/19/red-...ss-av-edr/

Here a simple POC:

Hidden Content

You must register or login to view this content.

Please if you like this share rep me, I have a lot of material on this and if you like it I want to post it all!

[CorpTax]

I haven't seen the content yet obviously but I already know of this method and it is useful so thanks for actually bringing useful knowledge for the forum. These are the kinds of things you want to research if your fighting against a stubborn AV. Nothing is perfect but this is helpful especially when using something like this gets you far enough to be able to load your own driver so you can take out the AV.

[losio]

I haven't seen the content yet obviously but I already know of this method and it is useful so thanks for actually bringing useful knowledge for the forum. These are the kinds of things you want to research if your fighting against a stubborn AV. Nothing is perfect but this is helpful especially when using something like this gets you far enough to be able to load your own driver so you can take out the AV.

thank you so much for the feedback, I also have something tastier maybe post it later!

[floj]

this could be useful

[joepa]

Nice blog, more of this!

[losio]

Instrumentation callbacks are a post-op syscall hook that allows a user to execute a specified function before the kernel returns execution to the userland process.
[...]
Please if you like this share rep me, I have a lot of material on this and if you like it I want to post it all!

any other resource about this topic???

I will now prepare something new on this!

[n19h7h0Wl]

Good information, can never have to many POC's.

[Amethyst]

Instrumentation callbacks are a post-op syscall hook that allows a user to execute a specified function before the kernel returns execution to the userland process.

Various security products place hooks in user-mode APIs which allow them to redirect execution flow to their engines and detect for suspicious behaviour. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks.

More info and credit about this tecnique here:
https://outflank.nl/blog/2019/06/19/red-...ss-av-edr/

Here a simple POC:


Please if you like this share rep me, I have a lot of material on this and if you like it I want to post it all!

will look into this further, thanks for sharing. PS : post more

[z0-O]

Instrumentation callbacks are a post-op syscall hook that allows a user to execute a specified function before the kernel returns execution to the userland process.

Various security products place hooks in user-mode APIs which allow them to redirect execution flow to their engines and detect for suspicious behaviour. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks.

More info and credit about this tecnique here:
https://outflank.nl/blog/2019/06/19/red-...ss-av-edr/

Here a simple POC:


Please if you like this share rep me, I have a lot of material on this and if you like it I want to post it all!

thank brother

[darklab677]

Seems interesting!!