Update 2024-02-22-edr-as-rootkit.md
ikerl authored Feb 22, 2024
1 parent fdb8ccd commit a417ede
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions _posts/2024-02-22-edr-as-rootkit/2024-02-22-edr-as-rootkit.md
Expand Up @@ -17,7 +17,7 @@ Over the past few months, I have been working with a very interesting open sourc
After spending several days reviewing the source code and learning new concepts, I discovered some security flaws in the DLL injector module of the EDR driver. This module is responsible for loading a hooking DLL, from kerneland, into all monitored processes to intercept interesting Windows API calls and collect this information. To accomplish this, the driver uses kernel callbacks to receive notifications when a new process is created and, at that time, initiate DLL injection process.


During testing of the precompiled version of OpenEDR available on GitHub and the commercial version accessible on the [cloud platform](https://openedr.platform.xcitium.com), I noticed that the driver does not verify the signature of the DLL used during the driver's hook injection phase. This means that an attacker could exploit this vulnerability to replace the original DLL with a malicious one and force the OpenEDR driver to use it to execute malicious code in any monitored process, compromising the integrity and confidentiality of the entire computer.
During testing of the precompiled version of OpenEDR available on GitHub (v2.5) and the commercial version accessible on the [cloud platform](https://openedr.platform.xcitium.com), I noticed that the driver does not verify the signature of the DLL used during the driver's hook injection phase. This means that an attacker could exploit this vulnerability to replace the original DLL with a malicious one and force the OpenEDR driver to use it to execute malicious code in any monitored process, compromising the integrity and confidentiality of the entire computer.


OpenEDR incorporates some anti-tampering technologies to mitigate attacks against the EDR. For example, EDR protects the installation path against tampering while the EDR service is running.
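Review bot: the new "(v2.5)" qualifier scopes the finding to the precompiled GitHub release, but the same sentence still attributes the missing DLL signature check equally to the commercial cloud build without giving a version or build date for it; add the tested cloud version (or state that it could not be determined) so the affected-version statement is precise, e.g. "available on GitHub (v2.5) and the commercial version (build <version tested>) accessible on the cloud platform", and carry the version into the commit message instead of the generic "Update 2024-02-22-edr-as-rootkit.md".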
Expand Down Expand Up @@ -89,4 +89,4 @@ Here are the conclusions of this research:
- During the study, other programs and functionalities were identified that allow the use of this technique for a driver to inject malicious DLLs into monitored processes. For example, Lakeside Software's tool used for measuring user experience, Microsoft's AppInit functionality, and Vmware's vmtools (which inject `vm3dum64.dll` and `vm3dum64_10.dll`).
Finally, we would like to thank Xcitium for their commitment to open source software and for publishing this interesting tool.
Finally, we would like to thank Xcitium for their commitment to open source software and for publishing this interesting tool.

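Review bot: the removed and added "Finally, we would like to thank Xcitium ..." lines are identical as rendered, so this hunk is most likely a trailing-whitespace or end-of-file newline change; say so in the commit message so readers of the history do not hunt for a wording change here, and if the only intended edit was the "(v2.5)" qualifier in the earlier hunk, keep whitespace-only changes out of the content commit.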