Mr-Un1k0d3r / EDRs


Detailed usage guide #23

Open ll3N1GmAll opened 1 year ago

ll3N1GmAll commented 1 year ago

Thank you for putting this together! I have been trying to get this to work, but am not having success. I'm using CrowdStrike in my test environment and have compiled the CS unhooking C code into an EXE. Running it does not appear to unhook CS and allow post-ex activities (like mimikatz) after the unhooking code is executed. Am I missing something? Is there a detailed usage guide for how to make use of this? Thanks to any who are able to provide some pointers!

Mr-Un1k0d3r commented 1 year ago

CrowdStrike moved from user-mode hooking to kernel callbacks, which means that they gather their information from the kernel instead of from user mode like they used to. User-mode unhooking is not working against CS anymore.


ll3N1GmAll commented 1 year ago

Thanks for clarifying. Was I doing everything correctly though? Are there any methods of unhooking or bypassing CS in its current configuration?

Mr-Un1k0d3r commented 1 year ago

Yes, there are some ways. If you use Cobalt Strike, I recommend a custom Sleep Mask and using BOFs only (no process injection). You can also inject into a remote process using different techniques such as: https://github.com/connormcgarr/cThreadHijack

Hopefully this helps a bit.


ll3N1GmAll commented 1 year ago

Thanks!