https://threatvector.cylance.com/en_us/home/universal-unhooking-blinding-security-software.html … seems like your assessed EDR fell victim to its own research?!
That is literally the definition of ironic. Thanks for the laugh!
New conversation
That EDR GUI looks very familiar.... lol
Shhh...... hahahaaha
New conversation
What program/version are you using to compile?
Visual Studio 2017 with the Windows 10 SDK, but I got it to work with the Windows 7 and 8.1 SDKs as well.
New conversation
Very cool, but most EDRs nowadays check the IAT as well.

A simple way around that is, instead of calling the WinAPI, to call your own function without modifying the IAT. You could also set a VEH hook on NtReadVirtualMemory and jmp to your function without any modification.
New conversation
Thanks for the article, it's very clear! I was just wondering, you need admin rights (or a specific privilege like SeDebug) to do this, don't you?

You would need admin rights to get a handle to lsass, and lsass on newer versions of Windows (correct me if I'm wrong) requires SeDebugPrivilege. The "bypass" itself does not require admin rights, and all processes can modify their own memory.