Zerosalarium

A Tool That Puts EDRs And Antivirus Into A Coma State


I. STARTER

Today, beyond merely evading scrutiny from EDRs (Endpoint Detection and
Response) and Antivirus, attackers are increasingly turning to BYOVD
(Bring Your Own Vulnerable Driver) techniques to disable the processes of
EDRs and Antivirus outright.

The biggest drawback of the BYOVD technique is the need to find a way
to install and execute drivers with vulnerabilities to exploit. Alternatively,
a more straightforward approach is to exploit vulnerabilities in existing
drivers on Windows.

In this article, instead of using the BYOVD technique to exploit
vulnerabilities in drivers pre-installed on Windows, I will use
Windows Error Reporting to put the processes of Antivirus into a state
of dormancy. All of this is done using user-mode code and does not require any
third-party tools.

Find me on X to get the latest pentest and red team tricks that I’ve been
researching: Two Seven One Three (@TwoSevenOneT) / X

I also quite often follow back profiles that have tweets related to the
field of cybersecurity

II. MAIN SECTION

1. Some Basic Information About The MiniDumpWriteDump Function

The MiniDumpWriteDump function from the Windows DbgHelp library is used to
create a minidump of a process, essentially a snapshot of its memory and
state for debugging.

But here’s the catch: it suspends all threads in the target process during
the dump.

The function internally suspends all threads in the target process to ensure a
consistent snapshot of memory and thread states. This is necessary because
threads could otherwise be modifying memory while the dump is being written,
leading to corruption or inconsistencies.

Microsoft recommends calling this function from a separate process rather
than from within the crashing process itself, since an in-process call can
deadlock.

2. Exploiting The MiniDumpWriteDump Function To Freeze A Process

Given that MiniDumpWriteDump halts every thread of a process, if we can
invoke this function against a process, we can put that process into a
suspended state. However, two major issues arise:

  1. The MiniDumpWriteDump function executes very quickly, and some people
     may not even notice that it has suspended the target process. So how
     can we extend its execution time?
  2. The processes we want to freeze are often those of EDRs and Antivirus.
     These processes are typically protected with PPL (Protected Process
     Light). We must bypass the PPL protection in order to interact with
     these processes.

Okay, we will tackle the easier issue first. While developing WSASS, the
tool to dump the LSA process, I obtained some information about the program
WerFaultSecure.exe.

  • WerFaultSecure supports running with PPL protection at the WinTCB
    level.
  • With the parameters to run WerFaultSecure reverse-engineered from a
    previous article, we can use it to invoke the MiniDumpWriteDump
    function on any desired process.

By combining this with the CreateProcessAsPPL tool, we can leverage
WerFaultSecure to address the second issue mentioned above.

Returning to the first issue: if a normal process can launch a new process
with PPL protection, then at CreateProcess time we can force the PPL child
to start suspended by passing the CREATE_SUSPENDED flag.

If we can create a new child process and put it into a suspended state, then
it is highly likely that we can use the OpenProcess function with the
PROCESS_SUSPEND_RESUME privilege to resume it.

And if we can call the OpenProcess function with the
PROCESS_SUSPEND_RESUME privilege on PPL processes, then we can
also suspend that process.

Let’s verify this in practice by writing a code snippet that uses the
OpenProcess function to open a PPL process with the
PROCESS_SUSPEND_RESUME flag and then uses the undocumented
NtSuspendProcess function to suspend that target process.

We will use a tool that is always available on the machines of security
researchers: Process Explorer. Right-click the process name then select
Suspend from the context menu. 

[Image: Process Explorer suspending a PPL process]

As you can see in the image above, Process Explorer can suspend a
process protected with PPL.

However, if you try the same on processes marked as Antimalware, Procexp
will not be able to suspend them.

But that is enough. With all the information above: if we can make
WerFaultSecure perform a dump, so that it calls MiniDumpWriteDump on an
Antivirus process, and then suspend WerFaultSecure at the exact moment it
has put the target process into a suspended state, the target will stay
suspended indefinitely, because the only process that could resume it,
WerFaultSecure, has itself been suspended.

Yes, we will proceed with a race-condition attack.

The steps to execute will be as follows:

  1. Use CreateProcessAsPPL to run WerFaultSecure with protection at the
     WinTCB level.
  2. Fill in the appropriate parameters for WerFaultSecure so that it
     performs the dump of the process we want.
  3. Immediately after running WerFaultSecure, continuously check the
     status of the target process until it enters a suspended state.
  4. At that moment, use OpenProcess with the PROCESS_SUSPEND_RESUME
     privilege and NtSuspendProcess to suspend the WerFaultSecure process.

After successfully executing the above steps, we will have successfully put
the Antimalware process into a suspended state.

3. EDR-Freeze: A Tool That Puts A Process Into A Coma State

To carry out the steps mentioned above, I developed a tool called EDR-Freeze.

https://github.com/TwoSevenOneT/EDR-Freeze

[Image: EDR-Freeze running parameters]

This tool takes two parameters: the first is the PID of the program we want
to freeze, and the second is the duration for which the target process will
be forced to pause.

A practical example is when you are about to perform a series of high-risk
actions with EDR or Antimalware. You would temporarily suspend these
monitoring eyes, execute the necessary actions, and then allow the programs to
resume normal operation.

I will conduct a practical experiment using EDR-Freeze to suspend the
MsMpEng.exe process of Windows Defender on
Windows 11 24H2 as follows:

[Image: EDR-Freeze suspending the MsMpEng antimalware process]

According to the results from the above run, I successfully suspended
MsMpEng for 5000 milliseconds. You can perform a similar
experiment and monitor it with Process Explorer.

III. SUMMARY

With the increasingly popular BYOVD attack type, the preventive
measures of EDRs and Antivirus software will also become more effective.

The biggest weakness of the BYOVD attack is that you must carry drivers
with software vulnerabilities to exploit, which can easily cause dangerous
disturbances on monitored target machines.

With EDR-Freeze, exploiting the software vulnerability of the
WerFaultSecure program available on Windows addresses the weakness of the
BYOVD technique. Additionally, we can flexibly control the programs of EDRs
and Antimalware, deciding when they should run and when they should be
suspended at will, ensuring that everything operates more smoothly.

To prevent or detect the use of EDR-Freeze on the network, rely on the
command-line parameters of WerFaultSecure: if they point at the PID of a
sensitive process such as LSASS, an Antivirus engine, or an EDR agent,
further investigation is very likely warranted.
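The detection rule above can be implemented directly over process-creation
telemetry. The following is an added example written for this article, not
code from the EDR-Freeze project: it parses a small set of constructed
process-creation records, resolves the PID named on the WerFaultSecure
command line against a constructed snapshot of the process table, and flags
launches whose target is LSASS or an antimalware engine. The pipe-delimited
record format, the process table, the "/pid" switch spelling and the
sensitive-image list are all assumptions to adapt to your own telemetry.

```python
"""Flag WerFaultSecure.exe launches aimed at sensitive processes.

Added example for this article (not EDR-Freeze code). Assumptions:
  - records are constructed here in a simple pipe-delimited format:
    timestamp|pid|parent_image|image|command_line
  - the target PID follows a "/pid" (or "-pid") switch; adapt the regex
    to the argument format your own telemetry shows
  - SENSITIVE_IMAGES is an illustrative list; add your EDR agent images
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Illustrative: image names whose suspension would blind monitoring.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}

# Assumed switch spelling; matches "/pid 1234" or "-pid 1234", any case.
PID_ARG = re.compile(r"(?:^|\s)[/-]pid\s+(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    timestamp: str
    pid: int
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    timestamp: str
    werfault_pid: int
    target_pid: int
    target_image: str
    parent_image: str  # recorded for triage: who spawned WerFaultSecure?


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def target_pid(command_line: str) -> Optional[int]:
    """Extract the PID named after the assumed /pid switch, if any."""
    m = PID_ARG.search(command_line)
    return int(m.group(1)) if m else None


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed pipe-delimited process-creation record."""
    ts, pid, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, int(pid), parent, image, cmdline)


def find_suspicious_launches(log_lines: Iterable[str],
                             process_table: Dict[int, str]) -> List[Finding]:
    """Return a Finding for each WerFaultSecure launch targeting a sensitive PID."""
    findings: List[Finding] = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_event(line)
        if image_name(ev.image) != "werfaultsecure.exe":
            continue
        tpid = target_pid(ev.command_line)
        if tpid is None:
            continue
        timage = image_name(process_table.get(tpid, ""))
        if timage in SENSITIVE_IMAGES:
            findings.append(Finding(ev.timestamp, ev.pid, tpid, timage,
                                    image_name(ev.parent_image)))
    return findings


# Constructed process-table snapshot: PID -> image path.
PROCESS_TABLE = {
    812: r"C:\Windows\System32\lsass.exe",
    3344: r"C:\Program Files\Windows Defender\MsMpEng.exe",
    5120: r"C:\Users\alice\AppData\Local\Temp\buggyapp.exe",
}

# Constructed process-creation records (one benign WER launch, two suspicious,
# one unrelated process, one WerFaultSecure launch with no PID argument).
SAMPLE_LOG = r"""
2025-01-01T10:00:01Z|4104|C:\Windows\System32\svchost.exe|C:\Windows\System32\WerFaultSecure.exe|WerFaultSecure.exe /pid 5120
2025-01-01T10:00:02Z|4120|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
2025-01-01T10:05:00Z|6012|C:\Users\alice\Downloads\launcher.exe|C:\Windows\System32\WerFaultSecure.exe|WerFaultSecure.exe /pid 3344
2025-01-01T10:05:01Z|6020|C:\Users\alice\Downloads\launcher.exe|C:\Windows\System32\WerFaultSecure.exe|WerFaultSecure.exe /pid 812
2025-01-01T10:06:00Z|6030|C:\Windows\System32\svchost.exe|C:\Windows\System32\WerFaultSecure.exe|WerFaultSecure.exe
"""


def run_demo() -> List[Finding]:
    """Run the rule over the constructed sample; returns the findings."""
    return find_suspicious_launches(SAMPLE_LOG.splitlines(), PROCESS_TABLE)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.timestamp} WerFaultSecure pid={f.werfault_pid} "
              f"(parent {f.parent_image}) targets {f.target_image} pid={f.target_pid}")
```

The benign record (WerFaultSecure handling a crash of an ordinary user
application) produces no finding; the two launches aimed at MsMpEng and
LSASS do. The parent image is carried into each finding only as triage
context for the analyst.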

IV. READING

Some books you should read to sharpen your cybersecurity skills, especially in offensive security:

Books on Programming and Cybersecurity recommended by Zero Salarium Researchers

Essential hardware tools that every security researcher and hacker should have in their toolkit:

Hardware Tools For Security Researcher and Hacker

Author of the article: Two Seven One Three
