timwhitez starred Interceptor
2023-1-5 11:0:12 Author: github.com(查看原文) 阅读量:20 收藏

Author: @Cerbersec

Interceptor is a kernel driver focused on tampering with EDR/AV solutions in kernel space by patching kernel callbacks and hooking IRPs. Interceptor was made as part of an internship at NVISO Security's Red Team. The associated blogposts can be found here (kernel karnage).

In 2022, Kernel Karnage was presented at SANS Pen Test HackFest, prompting the release of this repository to the public as well as the following demos:

Build

Requirements:

  • Windows 10 SDK 10.0 or above link
  • Windows 10 WDK 10.0 or above link

Build steps:

  1. git clone https://github.com/NVISO-ARES/Interceptor.git
  2. Select the appropriate configuration in Visual Studio. The configuration should be x64 Debug or Release.
  3. Verify the selected configuration has Driver Signing correctly configured.
    1. Sign Mode: Test Sign
    2. File Digest Algorithm: sha256
  4. Build solution

Installation

The driver can be installed on machines which have Driver Signature Enforcement (DSE) disabled or are in test signing mode. For a solution to disable DSE see here. Alternative options include signing the driver with a valid code signing certificate.

Note: Machines with Secure Boot or Hypervisor-Protected Code Integrity (HVCI) enabled are not vulnerable

The driver can be created and started from a command prompt or PowerShell (mind the spaces):

sc create Interceptor type= kernel binPath= C:\Path\To\Driver\Interceptor.sys
sc start Interceptor
sc stop Interceptor
sc delete Interceptor

Usage

Usage: InterceptorCLI.exe <option> <parameter> <values>
Options:
  -list <parameter>
        vendors                         List all supported EDR vendors and their modules
        modules                         List all loaded drivers
        hooked                          List all hooked drivers
        callbacks                       List all registered callbacks

  -hook <parameter>
        index           <values>        Hook driver(s) by index
        name            <device name>   Hook driver by name (\Device\Name)

  -unhook <parameter>
        index           <values>        Unhook driver(s) by index
        all                             Unhook all drivers

  -patch <parameter>
        vendor          <name>          Patch all modules associated with vendor
        module          <names>         Patch all callbacks associated with module(s)
        process         <values>        Patch process callback(s) by index
        thread          <values>        Patch thread callback(s) by index
        image           <values>        Patch image callback(s) by index
        registry        <values>        Patch registry callback(s) by index
        objectprocess   <values>        Patch object process callback(s) by index
        objectthread    <values>        Patch object thread callback(s) by index

  -restore <parameter>
        vendor          <name>          Restore all modules associated with vendor
        module          <names>         Restore all callbacks associated with module(s)
        process         <values>        Restore process callback(s) by index
        thread          <values>        Restore thread callback(s) by index
        image           <values>        Restore image callback(s) by index
        registry        <values>        Restore registry callback(s) by index
        objectprocess   <values>        Restore object process callback(s) by index
        objectthread    <values>        Restore object thread callback(s) by index
        all                             Restore all callbacks

Values: space separated. see -list <modules | hooked | callbacks>
Name: case sensitive. see -list <vendors>

Improvements

  • Port extra client functionality from BOF version to InterceptCLI
  • Add/validate EDR vendors
  • Find alternative to SysWhispers --> static detections
  • Parse intercepted IRPs to determine if it should be blocked or not
  • Configure valid code signing
  • Implement PPL tampering (reference)
  • Implement AMSI/ETW tampering

文章来源: https://github.com/NVISOsecurity/Interceptor
如有侵权请联系:admin#unsafe.sh