Hit-And-Run is a proof-of-concept implementation of a syscall technique for evading EDR systems using a novel combination of call stack theft and vectored exception handling (VEH). This technique executes syscalls with attacker-defined parameters while maintaining a legitimate-looking call stack, effectively evading both inline hooking and call stack analysis mechanisms.
- Call Stack Theft: Mimics standard Windows API behavior to create a coherent call stack, avoiding detection.
- Vectored Exception Handling (VEH): Dynamically handles exceptions to manipulate syscall execution flow.
- [PATCH 1] Built-In Exception Handling: Dynamically handles exceptions to manipulate syscall execution flow.
- Hardware Breakpoints: Utilized to intercept and redirect execution without modifying code, reducing detection risk.
- The setup phase (e.g., AddVectoredExceptionHandler) and the use of debug registers (e.g., Dr0, Dr7) may trigger EDR alerts.
  - Patch 1 replaced VEH with built-in exception handling, effectively removing the IOC associated with the use of the AddVectoredExceptionHandler API.
- Repeated exceptions and predictable behavior patterns could be flagged by behavior-based detection systems.
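The debug-register IOC noted above can be checked directly from the defender's side. The following is an added example, not code from the Hit-And-Run project: it reads one thread's DR0-DR7 through GetThreadContext and decodes which breakpoint slots DR7 has armed. It assumes 64-bit Windows and 64-bit Python, the AMD64 CONTEXT field offsets given in the comments, and that the caller holds THREAD_GET_CONTEXT and THREAD_SUSPEND_RESUME rights on the target thread; the DR7 decoding itself is pure logic and runs anywhere.

```python
import ctypes
import sys

# Assumed: 64-bit Windows, AMD64 CONTEXT layout (ContextFlags at 0x30, Dr0..Dr7 at 0x48..0x70).
CONTEXT_DEBUG_REGISTERS = 0x00100010   # CONTEXT_AMD64 | CONTEXT_DEBUG_REGISTERS
THREAD_RIGHTS = 0x0008 | 0x0002        # THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME
CTX_SIZE, CTX_ALIGN = 1232, 16         # sizeof(CONTEXT) and its required alignment
OFF_FLAGS, OFF_DR0, OFF_DR7 = 0x30, 0x48, 0x70
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # DR7 R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                            # DR7 LENn field

def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Pure logic (testable offline): which DR0-DR3 slots DR7 arms, with access kind and length."""
    armed = []
    for slot in range(4):
        if (dr7 >> (2 * slot)) & 0b11:                      # local (L) or global (G) enable bit set
            rw = (dr7 >> (16 + 4 * slot)) & 0b11
            ln = (dr7 >> (18 + 4 * slot)) & 0b11
            armed.append({"slot": slot, "address": dr[slot], "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return armed

def thread_breakpoints(tid):
    """Suspend thread `tid`, read DR0-DR7 via GetThreadContext, resume it, decode. None on failure."""
    k32 = ctypes.windll.kernel32
    k32.OpenThread.restype = ctypes.c_void_p
    h = k32.OpenThread(THREAD_RIGHTS, False, tid)
    if not h:
        return None
    raw = (ctypes.c_ubyte * (CTX_SIZE + CTX_ALIGN))()       # zeroed, over-allocated for alignment
    ctx = (ctypes.addressof(raw) + CTX_ALIGN - 1) & ~(CTX_ALIGN - 1)   # 16-byte aligned CONTEXT
    ctypes.c_uint32.from_address(ctx + OFF_FLAGS).value = CONTEXT_DEBUG_REGISTERS
    k32.SuspendThread(ctypes.c_void_p(h))                   # a running thread's context is unreliable
    ok = k32.GetThreadContext(ctypes.c_void_p(h), ctypes.c_void_p(ctx))
    k32.ResumeThread(ctypes.c_void_p(h))
    k32.CloseHandle(ctypes.c_void_p(h))
    if not ok:
        return None
    drs = [ctypes.c_uint64.from_address(ctx + OFF_DR0 + 8 * i).value for i in range(4)]
    return decode_dr7(ctypes.c_uint64.from_address(ctx + OFF_DR7).value, drs)

if __name__ == "__main__" and sys.platform == "win32":
    print(thread_breakpoints(int(sys.argv[1])))   # usage: python dr7_check.py <thread id>
```

A non-empty result on a thread that no debugger is attached to is the condition worth alerting on; sweeping every thread of a process is a matter of enumerating thread IDs and calling thread_breakpoints on each.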
For detailed implementation steps and technical insights, refer to the blog post: Hit-And-Run: A Novel Syscall Method