I. STARTER
Beyond merely evading scrutiny from EDR (Endpoint Detection and Response) and antivirus products, attackers are increasingly turning to BYOVD (Bring Your Own Vulnerable Driver) techniques to disable the EDR and antivirus processes outright.
The biggest drawback of the BYOVD technique is that the attacker first has to find a way to install and execute the vulnerable driver before it can be exploited. A more straightforward alternative is to exploit vulnerabilities in drivers that already exist on Windows.
In this article, instead of the BYOVD technique or exploiting vulnerabilities in drivers pre-installed on Windows, I will use Windows Error Reporting to put antivirus processes into a dormant state. All of this is done with user-mode code and requires no third-party tools.
Find me on X for the latest pentest and red team tricks I've been researching: Two Seven One Three (@TwoSevenOneT) on X
I also quite often follow back profiles that have tweets related to the field of cybersecurity 😉
II. MAIN SECTION
1. Some Basic Information About The MiniDumpWriteDump Function
The MiniDumpWriteDump function from the Windows DbgHelp library is used to create a minidump of a process, essentially a snapshot of its memory and state for debugging.
The catch is that, to obtain a consistent snapshot of memory and thread state, the function suspends every thread in the target process for the duration of the dump. This is necessary because threads could otherwise modify memory while the dump is being written, leaving it corrupted or inconsistent.
Microsoft recommends calling this function from a separate process rather than from within the crashing process itself, which avoids deadlocks.
2. Exploiting The MiniDumpWriteDump Function To Freeze A Process
Since MiniDumpWriteDump halts every thread of its target, if we can get this function invoked against a process, we can put that process into a suspended state. Two major issues arise, however:
- MiniDumpWriteDump completes very quickly; the suspension is so brief that most people would not even notice it. So, how can we extend its execution time?
- The processes we want to freeze are usually those of EDR and antivirus products, which are typically protected by PPL (Protected Process Light). We must bypass the PPL protection in order to interact with them.
Okay, we will tackle the easier issue first. While developing WSASS, a tool to dump the LSA process, I learned the following about the program WerFaultSecure.exe:
- WerFaultSecure supports running with PPL protection at the WinTCB level.
- With the WerFaultSecure command-line parameters reverse-engineered in a previous article, we can use it to invoke MiniDumpWriteDump against any process we choose.
Combined with the CreateProcessAsPPL tool, this lets WerFaultSecure address the second issue mentioned above.
Returning to the first issue: if a normal process can launch a new process with PPL protection, then during CreateProcess we can force the child PPL process to start suspended by passing the CREATE_SUSPENDED flag.
If we can create a child process in a suspended state, it is very likely that we can also open it with OpenProcess using the PROCESS_SUSPEND_RESUME access right and resume it.
And if OpenProcess with PROCESS_SUSPEND_RESUME works on a PPL process, then we can suspend that process as well.
Let's verify this in practice by writing a code snippet that uses the OpenProcess function to open a PPL process with the PROCESS_SUSPEND_RESUME access right and then uses the undocumented NtSuspendProcess function to suspend that target process.
We can also check this with a tool that is always available on a security researcher's machine: Process Explorer. Right-click the process name and select Suspend from the context menu.
As you can see in the image above, Process Explorer can suspend a process protected with PPL.
However, if you try the same on processes marked as Antimalware, Procexp will not be able to suspend them.
But that is enough. Putting all of the above together: if we can make WerFaultSecure perform a dump, so that it calls MiniDumpWriteDump on an antivirus process, and then suspend WerFaultSecure at the exact moment it has put the target into a suspended state, the target will remain suspended indefinitely, because the only process that could resume it, WerFaultSecure, has itself been suspended.
Yes, this is a race-condition attack.
The steps to execute will be as follows:
- Use CreateProcessAsPPL to run WerFaultSecure with protection at the WinTCB level.
- Pass WerFaultSecure the appropriate parameters so that it dumps the process we want.
- Immediately after starting WerFaultSecure, continuously check the status of the target process until it enters a suspended state.
- At that moment, use OpenProcess with the PROCESS_SUSPEND_RESUME access right and call NtSuspendProcess to suspend the WerFaultSecure process.
Once these steps complete successfully, the Antimalware process is left in a suspended state.
3. EDR-Freeze: A Tool That Puts A Process Into A Coma State
To carry out the steps mentioned above, I developed a tool called EDR-Freeze.
https://github.com/TwoSevenOneT/EDR-Freeze
This tool takes two parameters: the first is the PID of the process we want to "freeze", and the second is the duration (in milliseconds) for which the target process will be forced to pause.
A practical example is when you are about to perform a series of high-risk actions with EDR or Antimalware. You would temporarily suspend these monitoring eyes, execute the necessary actions, and then allow the programs to resume normal operation.
I will conduct a practical experiment using EDR-Freeze to suspend the MsMpEng.exe process of Windows Defender on Windows 11 24H2 as follows:
According to the results from the above run, I successfully suspended MsMpEng for 5000 milliseconds. You can perform a similar experiment and monitor it with Process Explorer.
III. SUMMARY
As BYOVD attacks become more popular, the preventive measures of EDR and antivirus software against them will also become more effective.
The biggest weakness of the BYOVD attack is that you must bring along a driver with a known software vulnerability to exploit, which can easily cause noticeable disturbances on monitored target machines.
EDR-Freeze exploits the software vulnerability in WerFaultSecure, a program that already ships with Windows, and so avoids this weakness of the BYOVD technique. Additionally, it gives flexible control over the EDR and Antimalware programs, deciding at will when they run and when they are suspended, so that everything operates more smoothly.
To prevent or detect the use of EDR-Freeze on the network, we should monitor the command-line parameters of WerFaultSecure. If they point to the PID of a sensitive process such as LSASS, an antivirus engine, or an EDR agent, further investigation is very likely warranted.
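The detection idea above, as an added example that is not part of the original article or the EDR-Freeze project: a small hunting rule in Python that runs over process-creation records in the shape of Sysmon Event ID 1 fields, resolves the PID that WerFaultSecure was asked to dump, and raises an alert when that PID belongs to LSASS, an antivirus engine or an EDR agent. The article does not list WerFaultSecure's switches, so the example assumes the target appears in the command line as `/pid <PID>`; adjust the regular expression to the parameters your own telemetry shows. The events, the PID-to-image table and the sensitive-image list are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed process-creation events (Sysmon Event ID 1 style fields); sample data, not real telemetry.
EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 2876 /tid 3012"},
    {"ProcessId": 5204, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Users\lab\Desktop\launcher.exe",
     "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 3456 /tid 3460"},
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Users\lab\Desktop\launcher.exe",
     "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 712 /tid 720"},
    {"ProcessId": 5410, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Users\lab\Desktop\launcher.exe",
     "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 9999 /tid 9990"},
    {"ProcessId": 6100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\lab\notes.txt"},
]

# Constructed PID-to-image snapshot, as you would build it from the endpoint's process list
# or from earlier process-creation events. PID 9999 is deliberately absent.
PID_TABLE: Dict[int, str] = {
    2876: r"C:\Program Files\Contoso\ContosoApp.exe",
    3456: r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
    712:  r"C:\Windows\System32\lsass.exe",
}

# Image names worth alerting on; extend with the image names of the EDR agents you deploy.
SENSITIVE_IMAGES: Set[str] = {"lsass.exe", "msmpeng.exe"}

# Assumed switch form "/pid <PID>"; the article does not document WerFaultSecure's parameters.
PID_ARG = re.compile(r"(?i)(?:^|\s)/pid\s+(\d+)")


@dataclass
class Alert:
    werfault_pid: int          # PID of the WerFaultSecure instance
    parent_image: str          # who launched it (useful context for the analyst)
    target_pid: int            # PID it was asked to dump
    target_image: Optional[str]  # resolved image, or None if unknown
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def werfaultsecure_target_pid(command_line: str) -> Optional[int]:
    """Extract the PID passed to WerFaultSecure, or None if no /pid switch is present."""
    match = PID_ARG.search(command_line)
    return int(match.group(1)) if match else None


def find_suspicious_werfaultsecure(events: Iterable[dict], pid_table: Dict[int, str],
                                   sensitive: Set[str] = SENSITIVE_IMAGES) -> List[Alert]:
    """Flag WerFaultSecure launches whose dump target is a sensitive process or cannot be resolved."""
    alerts: List[Alert] = []
    for ev in events:
        if basename(ev["Image"]) != "werfaultsecure.exe":
            continue
        target_pid = werfaultsecure_target_pid(ev["CommandLine"])
        if target_pid is None:
            continue
        target_image = pid_table.get(target_pid)
        if target_image is None:
            # A PID we cannot map is still worth a look: the target may have been short-lived.
            alerts.append(Alert(ev["ProcessId"], ev["ParentImage"], target_pid, None,
                                "target PID could not be resolved; verify manually"))
        elif basename(target_image) in sensitive:
            alerts.append(Alert(ev["ProcessId"], ev["ParentImage"], target_pid, target_image,
                                "WerFaultSecure asked to dump a sensitive process"))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_werfaultsecure(EVENTS, PID_TABLE):
        print(f"WerFaultSecure pid={alert.werfault_pid} parent={basename(alert.parent_image)} "
              f"target={alert.target_pid} ({alert.target_image}): {alert.reason}")
```

The parent image is recorded on each alert rather than used as a filter, since a legitimate WER launch and an abused one differ mainly in who started the process and which PID it was given; an analyst can pivot on both. A long-lived suspended state of the resolved target, visible in Process Explorer as described earlier, corroborates the alert.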
Author of the article: Two Seven One Three