| “a ON ap hySUNTAN Te UR ee CEC eC ae nae eR cen aa CRs a eR ee Ronee) Dy eae etc ae ec ee os Syne eer ie ete ese eat eee ek crea eee etm eee ee em ecco e eeer Cea ae PR ee Cue ane cd Syscalls (system calls) are direct interfaces to the operating system's kernel, allowing software Ce eee ee eee a ieee aac eens cau tetera carey OTT eet aes a aR CU ee eC eee ys (ene eke UR eee eat eee) Cee cea Pe ete eee Re cu eae oe Rae eta Cee Men ese eee een ae eee eee ead Dee ede ecu a areas ae ec ence Utd SEC eae Rca oe aD Dee Ree eee a a ee ee a ce cece on RC ae ne a ecm oe oe ad DE ecm oe RU ee oe ee ae a fresh, unhooked copy of ntdll without reading it from the disk. The idea is to exploit the brief Oe tne heen ene hana cao Pe CEI DOC Ce CeCe ei ton ae ee Ren eo ee ey Cea ee cece eee oe eg EDR solutions to detect malicious activities. peeredDOCUMENT INFO HADESS RCC Ce eC Re ee SoC te Re ee Sree eR Me ee UR RO ace ie a eC ee en eee ce Rn A oe ec ee symbol of trust, resilience, and retribution in the fight against cyber threats. a ee CR Cen a Ce CC ae Pee eu Cn cic ee eet een a ce Cer ease ots tee en Cae aes ee Ne ee kta cute ene eeu cae ee ee Se eae ete cece ie a ae eee a an unwavering focus on integrity, innovation, and client satisfaction, we strive to be the guardian of trust and security in the digital realm. Reena ag Peace Cee CUI) SIPS uk CL aero)EV Executive Summary Attacks CP ie tole N11) CREST) o-1 Oia a=) ce f-05-3 em a-\Cok eB C1K} © tartarus gate ¢ Indirect system calls Cael ea iclad « APl-unhooking ConclusionHADESS.IO EDR Evasion Techniques: Syscalls Executive Summary Endpoint Detection and Response (EDR) solutions are 5. Hell's Gato & Hel’ Hall ° ‘to monitor, detect, and respond to threats on * Core Concept: Facus an dynamic system call invocation endpoints in real-time. Ho vanced adversaries have + Outcome: Enables dynamic syscall on, making veloped techniques to bypass these solutions, primarily detection by EDR solutions more challenging tsing syscalls and P| calls Here's a concise technical 6. Tartarusgate ‘overview of some of the notable mathads and tools * Design: An advanced version of variant of the Tartar Gate technique, further enhancing the power and stealth 4. Sytalls and API Call: The Basics ° + Syscalls (System Calls: Direct interfaces to ysall-based evasior n operating They allow software to request kerne ‘+ API (pplication Programming Interface! Calls: Set of misuse or leverage less common APIs to evade 2. SysWhispers LAPIS calls, bypassing higher-e + navantage: Evades secur tools and i cu 3-Tartarus Gate * Nature: A te + Effectiveness: By diving deep into syscall, it remains undetected by most EDR solutions Je leveraging syscals for code + Strategy: Finds an un hed copy of ntl without disk + Mechanism: Exploits the time gap betwe COM ed the art of execution in Windows encompasses a range of advanced techniques that allow malware to operate stealthily and et ee ee ee a Tee eo ee eas ee ete eee eee een eee Perec oe area earnerEDR Evasion Techniques: Syscalls Abstract In the intricate world of cybersecurity, Endpoint Detection and Response (EDR) systems have emerged as. critical tools, designed to monitor, detect, and counteract threats in real-time at the endpoint level. These systems, while robust, are not infallible. As they evolve, so tao do the techniques of those who wish to bypass them. A particularly sophisticated method gaining prominence among adversaries is the use of system calls, commonly referred to as syscalls, to navigate around these defenses. Syscalls act as direct conduits to an operating system's kernel. They are fundamental in allowing software ‘to request specific services from the kernel. in the context of evasion, attackers leverage syscalls to bypass the more conspicuous and frequently monitored Application Programming Interfaces (APIs). By directly invoking syscalls, malicious entities can effectively operate beneath the typical radar of EDR systems, making their activities harder to detect and counter. ‘The appeal of syscall-based evasion lies in its subtlety. Instead of confronting EDR systems head-on, attackers are essentially slipping through the cracks, exploiting the very mechanisms that operating systems rely upon for their functionality. This approach not only challenges current EDR capabilities but also raises questions about the fundamental ways in which we approach endpoint security. For cybersecurity professionals, the rise of syscall-based evasion techniques underscores a pivotal challenge: the need for continuous adaptation, As attackers refine their methods, EDR solutions must advance in tandem, ensuring they can detect not just known threats, but also anticipate novel evasion strategies, HADESS.1OANE ied Tartarus Gate ald eer Uc PeeO1 =—=s—" AttacksEEE HADESS.IO EDR Evasion Techniques: Syscalls, What are Windows Syscalls EDR evasion is a set of techniques that attackers use to bypass endpoint detection and response (EDR) solutions. EDR to monitor endpoints for malic to resp ly developing new techniques to evade EDR sol solutions are design us activity a nd to incidents when they occur. However attackers are constar syscalls are windows internals components that provide a way for wi programs related to win weit your programs. But syscalls are intermidiatary when someone use’ using wing2. These syscalls are also called native api for windows, The m: ied by Microsoft , Thus we reli id party documentation, gernall All syscalls returns NTSTATUS value indicate its sucess or error, but It is important to note that while some NtAPIs return NTSTATUS, they are not necessarily syscalls, s programmer to interact or develop th is system , These programs can be used in ways such as accessing specific services , reading or 0 a file, creating a new process in userland, or allocating memory to programs , use cryptographic functions in ls are not officially docume ies on other eg : NtAllocateVirtualMemory is syscalls that is actually runs under the hood when we access the functions likes Virtualalloc or Virtualallocex From winapi. Here ntdl.dll File from windows plays important role, how? most of the native syscalls, which are called are from ntalll file This syscalls have more advantages over standard winapi functions. This syscalls functions from ntdldll provide more customizablity over the parameter passed and arguments that those functions will be acceptings , Thus p evading host: rity solutions eg: NTAllocateVirtualMemory vs VirtualAlloc in terms of arguments NtAllocateVirtualMemory allows you to set custom memory protection flags using the All rameters, This enables you to have more control over the protaction of the allocated memory inType and ProtesEEE HADESS.IO EDR Evasion Techniques: Syscalls, asceavitalenen) System Service Number (SSN) Every 5yscalls has special unique number given tot called SSN, thls SSN number fs used by Kernel to dstnguish syscall from other sycal. For example, the NellocateVirwalMemory syscall withave an SSN of 24 Whereas NtProtectVirtualMemory will have an SSN of 80, these numbers are what the kernel uses to differentiate NtAllocateVirtualMemory from NtProtectVirtuallemory How EDR works / How Userland Hooking implemented by EDR? EDR usually detects the malicious call from the program using Hooking Technique Userland Hooking Kernel Mode Hooking When we (red teamer's) tires to execute any functions using high level WinAPI , function from ntdltdll are indirectly ‘triggered , The EDR applies hooks over them to detect for malicious calls. For eg: By hooking the NtProtectvirtualMemory syscall, the security solution can detect higher-level WinAPI calls such as VirtualProtect even when itis hidden from the import address table (IAT) of the binary. We can use ntall functions directly by resolving their addresses from ntal.all but they are still hooked by EDR solutions , the way they work is that they use an instruction called syscall(64bit)/sysenter(22bit) to invoke the ntapi function and enter the kernel mode to execute that function, and EDR places its hook right before that instruction. Thus Interupting the execution flow. To overcome this problem malware developer/ Red Teamers uses SSN (system service number) and do rot relies on ntdll.dll to resolve the address of the functions. to execute the functions thus potentially bypassing the hooks set up by EDR. EDR solutions can search any region of the memory that have execution permision for the malicious Signature. This Userland hooks are placed just before the calling of syscals instruction which s last step in exection in usermode.EEE HADESS.IO EDR Evasion Techniques: Syscalls, Moder (ces Its hook in post-execution after the flow is transferred to the kernel revents the patching memory and makes it difficult to pl mode hooks may also result in stability issue and cause unexpected behavior, wi modern EDRs, ndows other security that, Placing kernel plement usually in of kernel leHADESS.IO EDR Evasion Techniques: Syscalls, emote proces F solutior Using Ntdll functions directly from ntdll.dll file by resolving addresses on Runtime for Remote Process InjectionEEE HADESS.IO EDR Evasion Techniques: Syscalls, high level breakdown of the code + In above code we are using Windows Native api to resolve the address of the functions in ntdll.all files to run the program + The program above waits for user to attach EDR.dll file which will apply useriand hooks over the program lMemory + The programs then allocate virtual memory in the remote process using NtOpenProcess and NtAllocateVir + Program now supplies our shellcode to allocated region of remote process and give nessarry permission to execute it Using NtProtectVirtualMemory + Then program run the shelicode using NtCreateThreadex in context of remote process POC on How Userland Hooks in EDRs Detect syscalls First we have compile our main malware program , which uses the concept of Remote Process inject , where we have to specify the <\PID> of remote process as an argument to our malware program AAfte we compile our malware program from the above code , we can the program as malware.exe , here PID can be any PID for remote process injection, for the demonstration purpose will will use notpad.exe pid . open the notepad in background and gets its pi.EEE HADESS.IO EDR Evasion Techniques: Syscalls, After Running the Program with that PID , it will ask for dll to inject into the process which is actually running the malware (here EDR_EVASION.exe } we have to use our edrl file which we generate earlier, that will applies hook over usage of NtAllocateVirtualMemory EDR HOOK INSTALLED after sucessfully hooking our program with apropiated dl file, we will ge reponse in promptEEE HADESS.IO EDR Evasion Techniques: Syscalls, detected NTAllocateVirtualMemory Now if try to run the program (press enter again) it will gets detected by EDR.dl fle Although , here we allowed remote process injection , and then unhook the dll file, but the full fldge EDR will going to stop the execution flow and never let the shellcode run ! EDR Evasion / Evasing of EDR Hooking There are several Techniques that we can use to Bypass EDR detection hooking , but before moving to hurestic detection bypasses , we first have to bypass static signature dection on EDR Stati Detection Bypasses Encrypting Shellcode Encoding Shellcode The first step always comes in evasion is using great shellcode, that are not flagged by AV/EDR . the shellcode generate by various C2 are heavily flagged eg (msfvenomsliver,convenent,mythic) , though they provide there default encryption/encoding mechanism , but thier signature are heavily lagged. so we have used our custom encryption and encoding on shellcode. While there are several tools out there, we can use httns//eithub com/arimacg/strfle-encryptor. which helps in XOR Encoding and AES Encryption on shellcode ( shellcode it must be in a file in raw format) Converting NET assemblies to raw .bin code . Donut is a shellcode generation tool that creates x86 or x64 shellcade payloads from .NET Assemblies (eg: mimikatz.exe, covenent agents) . This shelicode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main, it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the .NET Assembly is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the Assembly is loaded through the CLR, the original reference is erased from memory to deter memory scanners. The Assembly is loaded into a new Application Domain to allaw for running Assemblies in disposable AppDomainsEEE HADESS.IO EDR Evasion Techniques: Syscalls, Dynamic Detection / EDR Hooking Bypass Dirac systom calls sysuhisper het’ gate halos gate tartarus gate Indirect system calls, perun’s fart APrunhooking, Direct Syscalls The use of Direct Syscalls allows an attacker to execute shellcode on windows operating system in such a way that the system cals is not dependent on ntalll , instead this system call is passed as a stub inside PE's(malware portable cexecutalbe) resource section like rsc or txt Section in form of the assembly instructions . Syscalls hooking by EDR can be Evaded by obtaining the syscall function coded in the assembly language and calling that crafted syscall directly from within the assembly file. ‘The point here is SSN (sysetm service number) is varies from system to system, To overcome this problem, the SSN can be either hard-coded in the assembly file or calculated dynamically during runtime.Tools suchs as syswhispers , HellsGate, HallosGate, Tartarus gate can be ustilized in this techniques Here is & sample crafted syscall in an assembly file (asm)EEE HADESS.IO EDR Evasion Techniques: Syscalls, Indirect Syscalls The indirect syscalls are implemented in same way direct syscalls are implemented where assembly files are firs manually crafted , the difference lies is that in indirect syscalls , syscalls are not used directly , instead we use mp instruction in its assemby file to jump the function of ntdlL dll. Thus code will ultimatly will be running in address space of ntdllll, Thus it wont be flagged sucpicious for EDR,HADESS.IO EDR Evasion Techniques: Syscalls, ye assembly functions for NtAllocatevirtualMemor tualMemory are Peat See ee eet ese er eee etree eet) Pryett eee Reet esas ey PCat Imp (address of a syscatl instruction) Peete eens 0, in indirect syscalls we want to dynamically extract not only the SSN (service security number) , but also the memory address of the syscall instruction from ntl. SysWhispers Windows operating systems that facilitates direct syscall invocation. By directly making 5y an bypass standard API calls, which ean be useful for various purposes, includi le ystem manipulation and jevelopment. SysWhisper comes in three versions, each with its own set of features and capabilities hy call the kernel when you c The First ver or direct syscall invocation on Windows systems. It provided a basi Understanding of how to ma si sing the traditional API calls, The SSNs are retrieved from Windows n Syscall Table and hardcoded in the asm files genarated by SysWhispers!: on Te erence eC) es Pee mca emi? ces erence p duord ptr [rax+i18h], 5 tte enc cee ed Eoeerercstt itd Bote eed eee ra corset Aer) Peeve ee ene eee eT err rennrnin tesco taT re]HADESS.IO EDR Evasion Techniques: Syscalls, sysWhispers2; Th cond version improved upon the iginal by introducing dynam all resolution. Thi means that it could Identify and invoke ‘on various Windows versions, providing a more versatile and user-friendlyEEE HADESS.IO EDR Evasion Techniques: Syscalls, Resulting in fewer lines and no hardcoded SSN value: SysWhispe ring by system call adi 2w and saving their address in an array in as sswhispers2 is able to dynamically find the SSN values. jdress methad to find the SSN. This is done by finding all syscalls starting with sending order. The SSN will become the index of the system call stored in the sysWhispers ‘SysWhispers3 is introduced in a blog titled as "Syswhispers is dead, Long live Syswhispers' Unlike its predecessors, SysWhispers3 makes indirect syscalls where it searches for syscall instruction ntall address space and jumps to that instruction instead of directly invoking it 5 a jumper randomizer which searches for ra summary the instruction belongs to anather function Fealso in sm functions’ syscall inst jon and jumps to ther. So in This asm ile calls SW2_GatSyscallAddress which is defined in a file that SysWhispers3 generates: Itealls 5 3_PopulatesyscallList function to populate the syscall list and then searches through it for the target function Syswhisper3 Exam ll be using syswhisper our edr-dll can hookit or nat. 1.Genera oVirtualMemory as a PoC to see whether 0 invoke direct syscall on NtAll necessary filas using syswhispers3:EEE HADESS.IO EDR Evasion Techniques: Syscalls, Copy the generated files to Visual Studio project root directory: Enable MASMEEE HADESS.IO EDR Evasion Techniques: Syscalls, Import files in the project: Set ASM item type to Microsoft Macro Assembler: Finally, execute: Prom sey ‘As you can see edr.dll has indeed installed its hooks but cannot detect the use of NtAllacateVirtualMemary on PID 15148,HADESS.IO Hell’s gate Hells gate is binary hen using h cal Then it oint GetVvTabletntry fun It checks for t EDR Evasion Techniques: Syscalls, st reads through ntalland dynamically fi alls and executes them from fare a_VX_TABLE.ENTRY structure that Jatae and traverse the in-memory order module list to NTDLL and the invokes the uulate_VX_TABLE streutre using ntall's EAT. fer to PEB: used n found they can be used to execute a payloadEEE HADESS.IO EDR Evasion Techniques: Syscalls, Example We are going to use the default code that isin hell's gate repository with just a few modifications, 1 Clone the repository in Visual Studio: https://github.com/amOnsec/HellsGate 2.Change .VX_TABLE fields. You can place the functions you want to use in this structure, for simplicity’s sake, I'm leaving them to be the default ones: evar Clres rior loa Pras iccas tas a oh Peer neta e Perreau stad 3, Change the Payload function per your needs. | only added my own shellcode and a printf, But you can change the funetions and use something completely different: 4. Change the main function. You should set each function's hash value, in the default code, they were hardcoded and | only replaced the hardcoded ones with the djb2 function to dynamically calculate them and also a printf and a getchar before executing the Payload function:EEE HADESS.IO EDR Evasion Techniques: Syscalls, 5. Execution: [As you can see, edr.dll could not detect the use of NtAllocateVirtualMemory. Hell’s hall Hells hall developed by the Maldev academy is a combination of hell's gate and indirect syscalls, Untinke hell's gate which is used to invoke direct syscall, Hell's hall combines the hell's gate and tarcarus gate’s techniques and invokes indirect syscall, Tartarusgate The HellsGate technique is a method used for dynamic system call invocation. This technique is particularly useful in the realm of low-level programming, especially when one wants to bypass certain security mechanisms or avoid detection by security software, Let's break down the provided cade to understand its Functionality and purpose. 1. hellsgate.asm: This Assembly file defines two procedures: HellsGate and HellDescent. HollsGate PROC: This procedure seems to be setting up a system call number. It uses the nop instruction, which is a placeholder that does nothing, possibly for alignment or obfuscation purposes The system call number is maved into the wSystemCall varlable from the ecx register. HellDescent PROC: This procedure prepares for the actual system call. The rax and r10 registers are set up, and then the system call number is moved into the eax register. The syscall instruction is then executed, which invokes t 2.hellsgatec: This C file contains the main logic and functions that utilize the HellsGate technique. \e system call Data Structures: The file defines several structures, most notably the VK_TABLE and VX_TABLE_ENTRY. These structures seem to be used for storing information about various system calls, including their addresses and hashes. RUGetThreadEnvironmentBlock) This function retrieves the Thread Environment Block (TEB) for the current thread. The TEB contains information about the thread's state and its associated resources. dib20: ‘hash function used to compute a hash value for a given string. This might be used to quickly identify system calls or other entities GotimageExportDirectory() and GetVxTableEntry(: These functions are used to retrieve the Export Address Table (EAT) of a module (like NTDLL) and to populate the VX-TABLE with the addresses of specific system calls, Payloadd: This function seems to be the main payload that will be executed. It dynamically resolves system calls using the HellsGate technique and then performs various operations, such as memory allocation, writing to memory, changing memory permissions, and creating anew thread VxMoveMemory! ‘A custom implomentation of the memory move operation. It ensures that the memory regions being copied do not overlan,HADESS.IO EDR Evasion Techniques: Syscalls, HellsGats team i advantage amon mOnse fering a method to dynamically retrieve syscalls without relying on statiEEE HADESS.IO EDR Evasion Techniques: Syscalls, Historicaly, evasion techniques focused on nullifying the Import Address Table (IAT) of the PE file by recreating functions like LoadLibrary, GetProcAddress, and FreeLibrary. This approach was popularized in 1987 when Jack Qwerty introduced @ utility that parsed the in-memory module Kerne(a2.dll’s Export Address Table (EAT) to resolve function addresses dynamically However, with the rise of Red Team tactics, there has b main advantages: n.a shift towards using syscalls for evasion, Syscalls offer t They eliminate the need for an in-memary module to be linked, ensuring position independence. They bypass potential hooks set by EDR or AV product: Hell's Gate: The New Approac Hell's Gate Introduces a method to dynamically retrieve syscalls without relying on static elements. The technique leverages the fact that almost every PE image loaded into memory implicitly links against NTDLL ll. This D image loader functionality and is crucial for transitioning from user mode API invocations into kernel memory address contains the Commands and Codes To achieve dynamic system call resolution, the following steps are taken: Retrieve the Process Environment Block (PES) of the process, Jgsqword|0x60);//64bit process 1e LoaderData member, ich contains alist of in-memory modules. PLOR MODULE pLoadModule; pLoadModule = (PLOR_MODULE)(PBYTE)Peb->LoaderData->InMemoryOr Access the base address of the in-memory module (typically NTOLL.dl. jerModulelist.Fink->Flink 16) PBYTE ImageBase, ImageBase = (PBYTE)pLoadModule->Base/ Traverse the module's Export Address Table to locate the functions and their associated sy: PIMAGE_DOS_HEADER Dos = NU Dos = (PIMAGE_DOS_HEADER)ImageBase; Execute System Calls: Functions within NTDLL.ll typically move the system call into the EAX register and then current thread execution environment. If it's determined to be x64 based, the system call is executed; othen function returns. eck the ise, the The Hell's Gate technique introduces two methods: HellsGate: Modifies the syscall that will be executed, : ae re areca ren ete!EEE HADESS.IO EDR Evasion Techniques: Syscalls, Using these methods, one can dynamically s ute syscalls, providing a powerful tool for evasion. Perun's fart API hooks have long been the cornerstone of internal process monitoring, especially for Anti-Virus (AV) and Endpoint Detection and Response (EDR) solutions. Their popularity stems from their simplicity and the necessity imposed by Kernel Patch Protection (KPP). However, as with any security measure, adversaries continually seek ways to bypass or neutralize them. 1. The Evolution of Bypass Techniques Over the years, malware developers and security researchers have devised numerous methods to bypass or entirely remove these hooks. Comprehensive reviews of these techniques have been documen insights into the cat-and-mouse game between attackers and defenders. n various resources, providing Recently, Yarhen Shafir introduced a new method of undetectable code injection, laveraging naw system calls: NtCreateThreadstatechange / NtCreateProcessSt: NtChangeThreadState / NtChangeProcessState However, the defense community is not one to rest on its laurels, Articles detailing methods to detect malicious activities, especially those attempting to bypass hooks and execute direct syscalls, have emerged. These discussions set the stage for the development of innovative techniques, such as syscall unhooking, ange 2 Introduction to Perun's Fart Perun's Fart is not a groundbreaking revelation in the raaim of bypass techniques. Instead, it offers a method to locate a pristine, unhooked copy of ntall without resorting to disk reads, The underlying concept is straightforward: Obtain a copy of ntl from a newly spawned process before AV/EDR solutions apply their hooks. There exists a brief window between the instantiation of a new process and the moment AV/EDR tools inject their hooks Via a DLL This interval might be fleeting, raising the question: Is it Feasible to consi ace this race condition? The answer isa resounding es, and the method is surprisingly simple. 3. Bypassing the Hooks The technique involves the following steps: Spawn a New Process in Suspended State: This ensures that the process remains inactive, preventing any hooks from being applied immediately 16 2 eae - eee RUT Resume Original Process Execution: With the clean ntall in place, the original process can continue its operations, bypassing any hooks that would have been set by AV/EDR solutions, process Resume)EEE HADESS.IO EDR Evasion Techniques: Syscalls, Peruns-Fart is named after the Slavic god interaperation in Ca thunder, Perun. The project appears to be rel J to some form of native 2. Repasitary Structure The repository primarily consists of CH files, with the main code residing in the peruns-fart directory. Key files include Native es: Contains native method signatures and related functionalities. Program.cs: The main entry point of the application 3. Key Code Snippets 3.1 Native Interoperation in Native.cs The Native.cs file contains P/Invoke signatures for native methods. Here's as fom the fle poate tare en Oar eee tener reer ces ait Re eee ets OCG ee eee era ee ee Se ee ee ee eee ee ee) Poe ee aetna erm ese) nee omen eee et ee arent) This isthe entry point of the application, where the main logic is executed.aa Conclusion ee ee Ce eee [eel ee eee ee ens Ce ee ee ee ta) Sophisticated tools to monitor and counteract threats, attackers oe ee CC ce od Ce nee DSC a eee eee ac ee ee ere ee Cee eee Ree acu ‘evolve to detect and mitigate threats that operate at the syscall level, ‘ensuring that these foundational gateways do not become persistent SreeAST eA ood ST enn ee ge eee ee eee) and creating a secure digital ecosystem. Our mission involves punishing hackers SOR a eee ea ee ee eet Website: tt Da react eee)