Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Whatever protection is implemented in user-land can be removed from user-land too. This is why most EDR vendors are now gradually relying on kernel based mechanisms rather than doing stuff like injecting their DLL in a process, hooking syscalls, etc...


This is wrong, there are many facilities that, once applied, cannot be modified (unless reboot)


Such as ?


Random example: https://man.openbsd.org/OpenBSD-7.3/msyscall

This is a syscall used by userspace to tell the kernel which memory portion is allowed to do syscalls

This syscall can only be used once : once the linker has done it, the kernel will refuse extra calls (so allowing more memory pages is not possible)


First, we were talking about EDR in Windows usermode.

Second, still, that doesn't change anything. You can make your malware jmp to anywhere so that the syscall actually comes from an authorized page.

In fact, in windows environment, this is actively done ("indirect syscalls"), because indeed, having a random executable directly calling syscalls is a clear indicator that something is malicious. So they take a detour and have a legitimate piece of code (in ntdll) do the syscall for them.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: