Blog | Techniques

Classic API Unhooking to Bypass EDR Solutions

Posted on November 29, 2021

Intro: This blog post covers the classic technique used to unhook Windows APIs that EDR solutions have hooked. API hooking is a technique used by anti-virus and EDR solutions to monitor process and code behavior in real time. Commonly, EDR solutions hook the Windows APIs in NTDLL.dll, because the APIs in NTDLL.dll...

Reflective DLL Injection in C++

Posted on October 31, 2021

TL;DR: Implant carrying our encrypted DLL -> allocates memory for the DLL -> writes the decrypted DLL into that memory -> finds the offset of the exported ReflectiveLoader function in the DLL -> calls ReflectiveLoader -> ReflectiveLoader searches backward for the start of the DLL in memory -> allocates a...

Bypassing AppLocker & CLM While Evading EDR

Posted on September 29, 2021

Introduction: The last blog post I wrote got way more recognition than I expected, and because of that I was inspired to continue writing and sharing my experiences/research. This blog will be about the short journey I took to hone bypasses relating to Constrained Language Mode in PowerShell and AppLocker policies. My goal was to create payloads that...
