Little AV/EDR Evasion Lab for training & learning purposes. (🏗️ under construction..)
BestEDROfTheMarket is a naive user-mode EDR (Endpoint Detection and Response) project, designed to serve as a testing ground for understanding and bypassing the user-mode detection methods frequently used by these security solutions.
These techniques are mainly based on a dynamic analysis of the target process state (memory, API calls, etc.),
➡️ What's new in Best EDR Of The Market v1.1.0 🏹
- NT-Level API Hooking
- Kernel32/Base API Hooking
- Active Response w/ YARA rules or simple patterns
- IAT Hooking
- Threads Call Stack Monitoring (Stacked parameters + Unbacked addresses)
- Heap Regions Analysis
- Direct Syscalls Detection
- Indirect Syscalls Detection
- AMSI/ETW Patching Mitigation
In progress:
List of hooks 🪝

Function | Description |
---|---|
NtProtectVirtualMemory | Change the protection on a region of committed pages in the virtual address space of a process using native API. |
NtWriteVirtualMemory | Write data to the memory of a specified process using native API. |
NtMapViewOfSection | Create a view of a section of a file mapping into the address space of the calling process using native API. |

Function | Description |
---|---|
VirtualAlloc | Allocate memory in the virtual address space of a process. |
WriteProcessMemory | Write data to the memory of a specified process. |
VirtualFree | Release or decommit a region of memory previously allocated. |
VirtualFreeEx | Release or decommit a region of memory in a specified process. |
VirtualProtect | Change the protection on a region of committed pages in the virtual address space of a process. |
MapViewOfFile | Create a view of a file mapping into the address space of the calling process. |
VirtualProtectEx | Change the protection on a region of committed pages in the virtual address space of a specified process. |
UnmapViewOfFile | Unmap a mapped view of a file from the calling process's address space. |
VirtualQuery | Retrieve information about a range of pages in the virtual address space of a specified process. |
ReadProcessMemory | Read data from the memory of a specified process. |
InternetOpenUrlW | Opens a URL for reading on the internet. |
InternetReadFile | Reads data from a handle opened by the InternetOpenUrl or InternetOpenUrlW function. |
InternetReadFileExW | Reads data from a handle opened by the InternetOpenUrl or InternetOpenUrlW function, and can also return additional data. |
InternetOpenW | Initializes an application's use of the WinINet functions. |

Function Name | Purpose |
---|---|
WriteProcessMemory | Writes data to an area of memory in a specified process |
ReadProcessMemory | Reads data from an area of memory in a specified process |
VirtualAlloc | Reserves or commits a region of memory within the virtual address space of a process |
VirtualAllocEx | Reserves or commits a region of memory within the virtual address space of a specified process |
VirtualProtect | Changes the access protection for a region of committed pages in the virtual address space of the calling process |
HeapAlloc | Allocates a block of memory from a heap |
HeapFree | Frees a memory block allocated from a heap |
LoadLibraryA | Loads the specified module into the address space of the calling process |
LocalFree | Frees the specified local memory object and invalidates its handle |
VirtualQuery | Retrieves information about a range of pages in the virtual address space of a specified process |
InternetOpenW | Initializes an application's use of the WinINet functions |
InternetOpenUrlW | Opens a URL |
InternetReadFile | Reads data from a handle opened by the InternetOpenUrl or InternetOpenUrlEx function |
VirtualProtectEx | Changes the protection on a region of committed pages in the virtual address space of a specified process |
```text
Usage: BestEdrOfTheMarket.exe [args]
/help : Shows this help message and quits
/v : Verbosity
/p : Target process path (PID required if not specified)
/yara : Enable YARA rule scanning
/iat : IAT hooking
/stack : Threads call stack monitoring
/nt : Inline Nt-level hooking
/k32 : Inline Kernel32/Kernelbase hooking
/ssn : SSN crushing
/direct : Direct syscalls detection
/indirect : Indirect syscalls detection
/heap : Enable heap regions analysis (to use with /iat, /k32 or /nt)
```
Low-Level Shellcode Injector Detection (Stack analysis + YARA)

```bat
BestEdrOfTheMarket.exe /stack /p C:\Samples\MediumLevelDropper.exe /yara /v
```

Early Bird APC Queue Injector detection (Kernel32 hooking + Normal patterns)

```bat
BestEdrOfTheMarket.exe /p C:\Samples\apc_injector.exe /k32 /yara /v
```

Early Bird APC Queue Injector detection (IAT hooking + YARA)

```bat
BestEdrOfTheMarket.exe /p C:\Users\1234Y\apc_injector\x64\Debug\apc_injector.exe /iat /yara
```

Low-level Early Bird APC Queue Injector detection (NT-level hooking + Normal patterns)

```bat
BestEdrOfTheMarket.exe /p C:\Samples\low_level_apc_inector.exe /nt
```

Indirect Syscalls Detection (Stack pointer sanity check)

Sample: Hell's Hall (@Maldev-Academy) GitHub repository

```bat
BestEdrOfTheMarket.exe /p C:\Malwares\HellsHall.exe /indirect /v
```

Direct Syscalls Detection (Instruction pointer sanity check)

Sample: DefensiveInjector (@bats3c) GitHub repository

```bat
BestEdrOfTheMarket.exe /direct /p C:\Malwares\defensiveinjector.exe
```

Reflective DLL Injector (Heap analysis + YARA)

```bat
BestEdrOfTheMarket.exe /p C:\Malwares\ReflectiveDLLInjection.exe /iat /heap
```
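The instruction pointer sanity check (direct syscalls), the stack pointer sanity check (indirect syscalls) and the unbacked-address check from call stack monitoring named above, modelled in Python as an added illustration. This is not the project's code. It assumes the EDR can observe, for each syscall, the address of the `syscall` instruction, the return address at `[RSP]` and the thread's chain of return addresses, and that it knows the loaded module ranges; the module map, the `SyscallEvent` shape and all addresses are constructed sample values.

```python
"""Toy model of the README's syscall sanity checks (added illustration,
not the project's code).

Assumptions (mine): per syscall the EDR sees RIP of the `syscall` instruction,
the return address at [RSP], and the return-address chain of the thread; it
also knows which image backs each address. All addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map of the monitored process (sample addresses).
MODULES = [
    Module("ntdll.dll",    0x7FFB_1000_0000, 0x001F_0000),
    Module("kernel32.dll", 0x7FFB_0F00_0000, 0x000C_0000),
    Module("target.exe",   0x7FF6_0000_0000, 0x0003_0000),
]


def backing_module(addr: int, modules=MODULES) -> Optional[Module]:
    """The module whose image backs addr, or None if the address is unbacked."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


@dataclass
class SyscallEvent:
    rip: int                                        # address of the `syscall` instruction
    ret_addr: int                                   # value at [RSP] at that moment
    frames: List[int] = field(default_factory=list)  # return addresses up the stack


def check_syscall(ev: SyscallEvent, modules=MODULES) -> List[str]:
    """Return the findings for one syscall event (empty list means benign)."""
    findings = []
    rip_mod = backing_module(ev.rip, modules)
    # Instruction pointer sanity check: a syscall instruction is expected to
    # live inside ntdll; anywhere else means a hand-rolled (direct) stub.
    if rip_mod is None or rip_mod.name.lower() != "ntdll.dll":
        where = rip_mod.name if rip_mod else "unbacked memory"
        findings.append(f"direct syscall: syscall instruction at {ev.rip:#x} in {where}")
    # Stack pointer sanity check: when ntdll's own stub executes the
    # instruction, [RSP] should return into a loaded image. An unbacked
    # return address means control was steered into the stub from elsewhere.
    elif backing_module(ev.ret_addr, modules) is None:
        findings.append(f"indirect syscall: return address {ev.ret_addr:#x} is unbacked")
    # Call stack monitoring: every frame should be backed by a module.
    for frame in ev.frames:
        if backing_module(frame, modules) is None:
            findings.append(f"unbacked frame: {frame:#x}")
    return findings


def demo():
    """Run the checks over three constructed events and return their findings."""
    ntdll, k32, exe = MODULES
    benign = SyscallEvent(rip=ntdll.base + 0x9_D012, ret_addr=k32.base + 0x1_A2C0,
                          frames=[k32.base + 0x1_A2C0, exe.base + 0x1_4F0])
    direct = SyscallEvent(rip=exe.base + 0x2_1000, ret_addr=exe.base + 0x2_1008,
                          frames=[exe.base + 0x2_1008])
    indirect = SyscallEvent(rip=ntdll.base + 0x9_D012, ret_addr=0x0000_01F4_2000_0010,
                            frames=[0x0000_01F4_2000_0010, exe.base + 0x1_4F0])
    return {name: check_syscall(ev)
            for name, ev in [("benign", benign), ("direct", direct), ("indirect", indirect)]}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The model is deliberately simple: a real EDR would also resolve which exported function the stub belongs to and walk the full frame chain with unwind information, but the three range tests above are the core of what the `/direct`, `/indirect` and `/stack` modes are described as doing.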
```text
📁 BestEdrOfTheMarket/
  📄 BestEdrOfTheMarket.exe
  📁 DLLs/
    📄 KerneI32.dll
    📄 ntdII.dll
    📄 iat.dll
    📄 callbacks.dll
    📄 magicbp.dll
  📁 YARA/
    📄 Metasploit_Artefacts_Rule.yara
    📄 ...
  📝 YaroRules.json
  📄 jsoncpp.dll
  📄 libcrypto-3-x64.dll
```
YaroRules.json: contains a JSON object of arrays filled with the simple/normal (not YARA) hex byte patterns you would like to be identified by the defensive mechanisms, grouped by the analysis that uses them:
```json
{
  "StackPatterns": [
    "40 53 48 83 EC 90 65 48 8B 04",
    "..."
  ],
  "HeapPatterns": [
    "4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00",
    "..."
  ],
  "DllHookingPatterns": [
    "59 61 7A 69 64 6F 75",
    "..."
  ],
  "GeneralPatterns": [
    "FC E8 82 00 00 00 60 89 E5 31 C0 64 8B 50",
    "..."
  ]
}
```
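How a pattern file in this shape can be consumed, as an added example that is not part of the project: a small Python scanner that loads the categories above, compiles each space-separated hex string to bytes and reports where a pattern occurs in a memory region. It assumes that every entry is a plain hex byte string (the `"..."` entries stand for further patterns and are skipped), that the scan of a region can be restricted to the categories relevant to it, and that a hit is reported as `(category, offset, pattern)`; the heap and stack buffers are constructed for the demo.

```python
"""Minimal scanner for the simple (non-YARA) byte patterns of YaroRules.json.

Added illustration, not the project's code. Assumed format: every entry is a
string of space-separated hex bytes; entries that are not valid hex (the "..."
placeholders in the README) are skipped. A hit is (category, offset, pattern).
"""
import json
import re

# Constructed subset of YaroRules.json holding the patterns quoted in the README.
YARO_RULES_JSON = """
{
  "StackPatterns": ["40 53 48 83 EC 90 65 48 8B 04", "..."],
  "HeapPatterns": ["4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00", "..."],
  "DllHookingPatterns": ["59 61 7A 69 64 6F 75", "..."],
  "GeneralPatterns": ["FC E8 82 00 00 00 60 89 E5 31 C0 64 8B 50", "..."]
}
"""

HEX_BYTES = re.compile(r"^[0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*$")


def load_patterns(raw_json):
    """Return {category: [bytes, ...]} from the JSON text, dropping non-hex entries."""
    compiled = {}
    for category, entries in json.loads(raw_json).items():
        compiled[category] = [
            bytes.fromhex(entry)            # fromhex skips the separating spaces
            for entry in entries
            if isinstance(entry, str) and HEX_BYTES.match(entry.strip())
        ]
    return compiled


def scan_region(data, patterns, categories=None):
    """Scan one memory region; return [(category, offset, "AA BB ..."), ...].

    `categories` restricts the scan to the pattern groups relevant to the
    region being analysed (e.g. only HeapPatterns for a heap block).
    """
    hits = []
    for category, blobs in patterns.items():
        if categories is not None and category not in categories:
            continue
        for blob in blobs:
            offset = data.find(blob)
            while offset != -1:
                hits.append((category, offset, blob.hex(" ").upper()))
                offset = data.find(blob, offset + 1)
    return hits


def demo():
    """Scan two constructed regions and return the hits per region."""
    patterns = load_patterns(YARO_RULES_JSON)
    # Constructed "heap" block: zero filler with a DOS-header-like blob at 0x40,
    # the kind of content the HeapPatterns group is meant to pick up.
    heap = bytearray(0x100)
    heap[0x40:0x40 + 21] = bytes.fromhex("4D5A90000300000004000000FFFF0000B800000000")
    # Constructed "stack" block with nothing of interest in it.
    stack = bytes(range(256))
    return {
        "heap": scan_region(bytes(heap), patterns, {"HeapPatterns", "GeneralPatterns"}),
        "stack": scan_region(stack, patterns, {"StackPatterns"}),
    }


if __name__ == "__main__":
    for region, hits in demo().items():
        print(region, hits or "clean")
```

Plain byte patterns like these are cheap to scan for but brittle: a single changed byte defeats them, which is why the project pairs them with YARA rules (the `.yara` files in the `YARA/` directory) for anything more elaborate.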
Releases 📦
- There's no interest in mixing the defensive methods or in putting them all together (`/nt` + `/stack` + `/k32` + `/blahblah`), as you may encounter crashes due to conflicts between them, especially for low-level hooks. Activate the one you want depending on your needs.
- Don't link the EDR to programs that are too CPU-intensive or that create many threads: some detection techniques, such as call stack analysis, constantly monitor the stack state of each thread, and this can quickly increase the load on the EDR. It's more relevant (that's also the point) to link the tool to your own artifacts, and keep in mind that a good evasive artifact tries to be as discreet as possible.