Wednesday, October 18, 2023

Bypassing EDR/AV Solutions with Tartarus' Gate - An Evolution of Halo's Gate for Direct Syscall Malware

EDRs are constantly evolving in the cat-and-mouse game with threat actors, who in turn are becoming more aware of the detection methods deployed against them. One technique EDRs currently rely on is placing 'hooks' on certain Windows native API functions, such as the Nt* and Zw* functions exported by ntdll.dll. The hook overwrites the first instructions of the function's syscall stub with a jump into the EDR's own code, so that when the hooked function is called the EDR gets to inspect the call for malicious activity before (or instead of) letting it reach the kernel.

One way to get around this is direct syscalls. Simply put, a direct syscall means executing the syscall stub ourselves rather than calling the hooked export in ntdll.dll. The stub is the small piece of code that forwards execution to the kernel, and it is what we will be exploring below.


In the first picture, the syscall instruction is what transfers the execution flow to kernel mode once the registers have been set up (the preceding mov r10, rcx preserves the first argument where the kernel expects it). The number moved into the eax register is the syscall number, or system service number (SSN), which changes between Windows versions and even between builds of the same version, so it cannot simply be hardcoded.

In the second picture we see the opcodes that correspond to the syscall stub above (note that 0xBA is the syscall number, or SSN, in this particular case for NtCreateProcess: the 0xB8 byte is the opcode for mov eax, imm32 and the four bytes that follow it hold the SSN).


There are many ways to retrieve these SSNs, but today we'll be using Tartarus' Gate, which builds on Hell's Gate and Halo's Gate. Hell's Gate reads the SSN straight out of the stub; Halo's Gate additionally checks whether the first byte of the stub is 0xE9 (a jmp, meaning the function is hooked) and, if so, recovers the SSN from neighboring stubs; Tartarus' Gate adds a check of the 4th byte (offset 3, right after mov r10, rcx) for 0xE9 as well, since some EDRs place their jmp there and leave the first three bytes intact. If either byte is this opcode we can conclude that the API call has been hooked by the EDR.

In this picture we see Hell's Gate checking the bytes at the address where the called function is loaded in memory for any hooks, as well as Tartarus' Gate checking for the 0xE9 byte of the jmp instruction. If a hook is found, it checks the neighboring syscall stubs up and down (the x64 ntdll stubs are laid out 32 bytes apart, in SSN order) until it finds one that is unhooked, then calculates the SSN of the hooked API function from the SSN of that clean neighbor and the number of stubs between them.

Keep in mind that this is just a small addition to Halo's Gate; EDRs are becoming more advanced in detecting (in)direct syscalls by examining return addresses and where in memory the syscall instruction is executed from. This is just a short example of one way to further circumvent API hooks for *certain* EDRs, and the purpose of this post is really to help develop the mindset of making simple but effective additions to existing tools once a vendor has 'caught on' to what used to work... the cat-and-mouse nature 🪤🐁


:LINKS:

https://github.com/boku7/AsmHalosGate/tree/main

https://blog.sektor7.net/#!res/2021/halosgate.md

https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/

https://github.com/trickster0/TartarusGate/tree/master

https://trickster0.github.io/posts/Halo%27s-Gate-Evolves-to-Tartarus-Gate/