-
Notifications
You must be signed in to change notification settings - Fork 46
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
ffc929c
commit e47af36
Showing
1 changed file
with
24 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,24 @@ | ||
| # hookchain | ||
| # Hookchain | ||
|
|
||
| **Abstract**: In the current digital security ecosystem, where threats evolve rapidly and with complexity, companies developing Endpoint Detection and Response (EDR) solutions are in constant search for innovations that not only keep up but also anticipate emerging attack vectors. In this context, this article introduces the HookChain, a look from another perspective at widely known techniques, which when combined, provide an additional layer of sophisticated evasion against traditional EDR systems. | ||
| Through a precise combination of IAT Hooking techniques, dynamic SSN resolution, and indirect system calls, HookChain redirects the execution flow of Windows subsystems in a way that remains invisible to the vigilant eyes of EDRs that only act on Ntdll.dll, without requiring changes to the source code of the applications and malwares involved. | ||
| This work not only challenges current conventions in cybersecurity but also sheds light on a promising path for future protection strategies, leveraging the understanding that continuous evolution is key to the effectiveness of digital security. | ||
| By developing and exploring the HookChain technique, this study significantly contributes to the body of knowledge in endpoint security, stimulating the development of more robust and adaptive solutions that can effectively address the ever-changing dynamics of digital threats. This work aspires to inspire deep reflection and advancement in the research and development of security technologies that are always several steps ahead of adversaries. | ||
|
|
||
| ## DEF CON 32 | ||
|
|
||
| The full research findings, results and a PoC will be unveiled at DEF CON 32. | ||
|
|
||
| **Note:** The code will be released at the same time here. | ||
|
|
||
| **See you!** | ||
|
|
||
| ## My public releases regarding HookChain: | ||
|
|
||
| - [Cylance bypass](https://www.linkedin.com/posts/helviojunior_hookchain-edrbypass-lsassdump-activity-7212439618598686720-mfNm?utm_source=share&utm_medium=member_desktop) | ||
| - [SentinelOne bypass](https://www.linkedin.com/posts/helviojunior_hookchain-edrbypass-lsassdump-activity-7208853059592982530-0Ufa?utm_source=share&utm_medium=member_desktop) | ||
| - [CrowdStrike bypass](https://www.linkedin.com/posts/helviojunior_hookchain-havoc-edr-activity-7181441094356783104-nyk_?utm_source=share&utm_medium=member_desktop) | ||
| - [CrowdStrike bypass - again](https://www.linkedin.com/posts/helviojunior_hookchain-edrbypass-lsassdump-activity-7188911783510724609-iaoV?utm_source=share&utm_medium=member_desktop) | ||
| - [Trend Apex One bypass](https://www.linkedin.com/posts/helviojunior_hookchain-havoc-edr-activity-7183817134488051713-J3d-?utm_source=share&utm_medium=member_desktop) | ||
| - [BitDefender bypass](https://www.linkedin.com/posts/helviojunior_bypass-bypassedr-hookchain-activity-7179578975701123072-tISP?utm_source=share&utm_medium=member_desktop) | ||
| - [Call for EDR/XDR product with zero answers](https://www.linkedin.com/posts/helviojunior_hookchain-edrbypass-xdrbypass-activity-7188225698434596865-3Jxy?utm_source=share&utm_medium=member_desktop) |