Mr-Un1k0d3r / EDRs


Kaspersky #19

Closed 0xShkk closed 2 years ago

0xShkk commented 2 years ago

Hi,

I wanted to share my observation for Kaspersky. It seems like Kaspersky does the real hooking in kernel mode as well, like Cortex or Defender MDE.

How can those hooks be identified?

Loading c:\Windows\System32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
Listing loaded modules
------------------------------------------
C:\Users\user\Desktop\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFF0C150000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFF0BBF0000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFF09A90000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFF0BDE0000.
***Listing Nt* API only

NtQuerySystemTime is hooked
------------------------------------------
Completed
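Added example, not the issue author's code and not HookFinder itself: the kind of user-mode check that produces a listing like the one above. It looks at the first bytes of each Nt*/Zw* export of the mapped ntdll.dll and reports an export as hooked only when those bytes are a recognisable trampoline instead of the x64 syscall stub (`mov r10, rcx ; mov eax, <SSN> ; ... ; syscall`). On a host whose product hooks only in the kernel, every stub classifies as clean, which is what "no user mode hooking" amounts to at this layer. Assumptions: a PE32+ ntdll with the Windows 10/11 stub layout; the three trampoline shapes are illustrative, not exhaustive; the sample bytes at the bottom are constructed for the offline run, including the bytes used for NtQuerySystemTime (the issue names it but shows no bytes), and the live export-table walk only runs on Windows.

```python
"""Added example (not code from the issue or from HookFinder): tell an intact
x64 ntdll syscall stub from an inline-hooked one by looking at the first bytes
of each Nt*/Zw* export.  On Windows it walks the live export table of ntdll
with ctypes; elsewhere it runs on the constructed sample bytes below."""
import struct
import sys

STUB_PROLOGUE = bytes.fromhex("4c8bd1b8")  # mov r10, rcx ; mov eax, <ssn>
SYSCALL = bytes.fromhex("0f05")            # syscall


def classify_stub(code: bytes) -> str:
    """Return 'clean', 'hooked: <trampoline shape>' or 'not-a-syscall-stub'.

    An intact stub is mov r10,rcx ; mov eax,SSN (SSN < 0x10000, so the two
    high bytes of the immediate are zero) with a syscall instruction within
    the first 32 bytes.  A known trampoline at offset 0 is a hook.  Anything
    else is a Nt* export that simply is not a syscall stub, which a naive
    'does not start with mov r10,rcx' check would misreport as hooked.
    """
    if (code.startswith(STUB_PROLOGUE) and code[6:8] == b"\x00\x00"
            and SYSCALL in code[8:32]):
        return "clean"
    if code[:1] == b"\xe9":                                    # jmp rel32
        return "hooked: jmp rel32"
    if code[:2] == b"\xff\x25":                                # jmp [rip+disp32]
        return "hooked: jmp [rip+disp32]"
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":  # mov rax,imm64 ; jmp rax
        return "hooked: mov rax, imm64 ; jmp rax"
    return "not-a-syscall-stub"


def find_hooked(exports: dict) -> dict:
    """Filter {name: first bytes} down to the hooked Nt*/Zw* exports."""
    hooked = {}
    for name, code in exports.items():
        if not name.startswith(("Nt", "Zw")):
            continue
        verdict = classify_stub(code)
        if verdict.startswith("hooked: "):
            hooked[name] = verdict[len("hooked: "):]
    return hooked


def read_ntdll_exports(nbytes: int = 32) -> dict:
    """Windows-only: parse the export table of the ntdll.dll already mapped
    into this process and return {name: first nbytes of the export}."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    base = k32.GetModuleHandleW("ntdll.dll")
    u32 = lambda rva: struct.unpack_from("<I", ctypes.string_at(base + rva, 4))[0]
    u16 = lambda rva: struct.unpack_from("<H", ctypes.string_at(base + rva, 2))[0]
    opt = u32(0x3C) + 4 + 20          # e_lfanew + Signature + IMAGE_FILE_HEADER
    if u16(opt) != 0x20B:
        raise RuntimeError("expected a PE32+ (x64) ntdll")
    exp_rva, exp_size = u32(opt + 112), u32(opt + 116)  # DataDirectory[EXPORT]
    n_names = u32(exp_rva + 24)
    funcs, names, ordinals = u32(exp_rva + 28), u32(exp_rva + 32), u32(exp_rva + 36)
    exports = {}
    for i in range(n_names):
        name = ctypes.string_at(base + u32(names + 4 * i)).decode()
        func_rva = u32(funcs + 4 * u16(ordinals + 2 * i))
        if exp_rva <= func_rva < exp_rva + exp_size:   # forwarded export, no code
            continue
        exports[name] = ctypes.string_at(base + func_rva, nbytes)
    return exports


# Constructed sample bytes for the offline run (not captured from any system).
_CLEAN = bytes.fromhex("4c8bd1b818000000f604250803fe7f0175030f05c3cd2ec3")
SAMPLE_EXPORTS = {
    "NtAllocateVirtualMemory": _CLEAN.ljust(32, b"\xcc"),
    # jmp rel32 written over the first 5 bytes of the same stub.
    "NtWriteVirtualMemory": (bytes.fromhex("e910203040") + _CLEAN[5:]).ljust(32, b"\xcc"),
    "NtProtectVirtualMemory": bytes.fromhex("ff2500000000").ljust(32, b"\xcc"),
    "NtQuerySystemTime": bytes.fromhex("48b8" + "00" * 8 + "ffe0").ljust(32, b"\xcc"),
    # A Nt* export that is not a syscall stub (sub rsp, 28h prologue).
    "NtGetTickCount": bytes.fromhex("4883ec28").ljust(32, b"\xcc"),
    "RtlInitUnicodeString": bytes.fromhex("4883ec28").ljust(32, b"\xcc"),
}

if __name__ == "__main__":
    exports = read_ntdll_exports() if sys.platform == "win32" else SAMPLE_EXPORTS
    hooked = find_hooked(exports)
    for name, why in sorted(hooked.items()):
        print(f"{name} is hooked ({why})")
    print(f"{len(hooked)} hooked Nt*/Zw* exports out of {len(exports)} checked")
```

The prologue test is deliberately narrow: a hook that begins with some other instruction lands in `not-a-syscall-stub` rather than `hooked`, so for a definitive answer compare each export's in-memory bytes against the same export in the on-disk ntdll.dll, which is possible here because the stubs contain no relocations.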
Mr-Un1k0d3r commented 2 years ago

Yes, there is no user-mode hooking.

tamburro92 commented 1 year ago

I would say the same for ESET

Mr-Un1k0d3r commented 1 year ago

Yep, most of the EDRs have moved to the kernel, which is good. Some of them moved to the kernel a long time ago.
