edrs's Issues
Kaspersky
Hi,
Wanted to share my observation for Kaspersky.
Seems like Kaspersky does the real hooking in kernel mode as well, like Cortex or Defender MDE.
How can those hooks be identified?
Loading c:\Windows\System32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
Listing loaded modules
------------------------------------------
C:\Users\user\Desktop\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFF0C150000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFF0BBF0000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFF09A90000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFF0BDE0000.
***Listing Nt* API only
NtQuerySystemTime is hooked
------------------------------------------
Completed
Detailed usage guide
Thank you for putting this together! I have been trying to get this to work, but am not having success. I'm using CrowdStrike in my test environment and have compiled the CS unhooking C code into an EXE. Running it does not appear to unhook CS and allow post-ex activities (like mimikatz) after the unhooking code is executed. Am I missing something? Is there a detailed usage guide for how to make use of this? Thanks to any who are able to provide some pointers!
MDE/ATP
Wanted to share that Microsoft Defender for Endpoint (MDE) (previously known as Advanced Threat Protection (ATP)) is embedded within the operating system and does not seem to hook anything on ntdll.dll. Perhaps you might want to add that to the list despite the empty output.
Suggestion
You may want to include Tanium's advanced EDR solution. It is being used by big organizations and to address insider threats.
Windows 10 Home - OS 18363.1440
Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
------------------------------------------
BASE 0x00007FF8BC940000 MZÉ
PE 0x00007FF8BC9400D8 PE
ExportTableOffset 0x00007FF8BCA8C370
OffsetNameTable 0x00007FF8BCA8E8CC
Functions Count 0x94d (2381)
------------------------------------------
RtlInitializeSListHead is hooked
------------------------------------------
Completed