Skip to content

SAERXCIT/ToyEDR

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
TargetProcess
TargetProcess
 
 
ToyEDR
ToyEDR
 
 
ToyEDR_hooks
ToyEDR_hooks
 
 
ToyEDR_injector
ToyEDR_injector
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
ToyEDR.sln
ToyEDR.sln
 
 

Repository files navigation

ToyEDR

A proof-of-concept project implementing various techniques and telemetry sources used by EDRs. Only user-mode sources are available.

Warning: obviously do not use in production, only on a throwaway machine, it will probably catch fire.

Techniques implemented:

  • NTAPI hooking

ToyEDR

Main binary.

Listens on \\.\pipe\TOYEDR_COMM for PIDs of newly created processes in which to inject the hooking DLL.

Warning: You can probably exploit this as a low-priv user !

ToyEDR_injector

DLL exporting a function loading another DLL in a remote process. For now only CreateRemoteThread(LoadLibraryA) is implemented.

Todo: implement manual PE injection, it's more fun.

ToyEDR_hooks

DLL implementing various NTAPI hooks.

Hooks:

  • NtCreateUserProcess
  • NtCreateProcess
  • NtCreateProcessEx
  • NtAllocateVirtualMemory
  • NtAllocateVirtualMemoryEx

No detection logic has been implemented yet.

After executing a syscall creating process, sends the newly created PID to the main binary through the named pipe.

There's also a nice Cleanup() function that removes the hooks in the current process, for the attacker's convinience.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages