Posts

Showing posts from March, 2026

Quirks of an EDR: Usermode (in progress)

Introduction

EDR vendors solve the same problems, they just solve them differently, and that is where logical pitfalls creep in. This is a work-in-progress article about one EDR: a formal write-up of my notes, based on a static (not dynamic) analysis of its different parts. I'll highlight some remarks on the usermode components; the kernel-mode part might come later. I'll try to be concise and to the point. Of course, everything I mention here needs dynamic analysis to verify.

Hook Installation

The EDR injects a DLL into every process, and that DLL installs hooks on a set of API functions in ntdll.dll to log telemetry into ETW. Each function to be hooked is represented by a four-part structure whose elements are, in order:

1. The name of the DLL where the function resides
2. The name of the API function
3. A pointer to the original function
4. The "hook"

The "hook" is a function that calls the original one and logs telemetry. The next figure is an example: After calling the original API function by...
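To make the four-part descriptor and the "call the original, then log" pattern concrete, here is a portable C model of it. This is an added example, not the EDR's code and not the author's: the struct layout mirrors the four elements listed above, but the export names, the resolver, the telemetry buffer (standing in for ETW) and the stand-in functions behind NtOpenFile and NtCreateFile are all constructed here so the model runs without Windows. Real installation patches the export's prologue in ntdll.dll; call_api only models that redirection.

```c
#include <stdio.h>
#include <string.h>

typedef long (*api_fn)(const char *arg);

/* The four-part descriptor described in the article: module name,
 * export name, pointer to the original, and the hook that wraps it. */
typedef struct {
    const char *dll;
    const char *api;
    api_fn original;
    api_fn hook;
} hook_entry;

/* Constructed telemetry sink standing in for the ETW provider. */
#define TELEMETRY_MAX 16
static char telemetry[TELEMETRY_MAX][128];
static int telemetry_count = 0;

static void log_event(const char *api, const char *arg, long ret)
{
    if (telemetry_count < TELEMETRY_MAX)
        snprintf(telemetry[telemetry_count++], sizeof telemetry[0],
                 "%s(%s) -> %ld", api, arg, ret);
}

/* Constructed stand-ins for two ntdll exports (assumed names, fake bodies). */
static long fake_NtOpenFile(const char *path)   { return (long)strlen(path); }
static long fake_NtCreateFile(const char *path) { return (long)strlen(path) * 2; }

/* Constructed export directory; resolve_export plays the role of GetProcAddress. */
static const struct { const char *dll, *api; api_fn fn; } exports[] = {
    { "ntdll.dll", "NtOpenFile",   fake_NtOpenFile },
    { "ntdll.dll", "NtCreateFile", fake_NtCreateFile },
};

static api_fn resolve_export(const char *dll, const char *api)
{
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (!strcmp(exports[i].dll, dll) && !strcmp(exports[i].api, api))
            return exports[i].fn;
    return NULL;
}

static long hook_NtOpenFile(const char *path);
static long hook_NtCreateFile(const char *path);

/* The hook table the injected DLL would carry; originals are filled at install. */
static hook_entry hook_table[] = {
    { "ntdll.dll", "NtOpenFile",   NULL, hook_NtOpenFile },
    { "ntdll.dll", "NtCreateFile", NULL, hook_NtCreateFile },
};
#define HOOK_COUNT (sizeof hook_table / sizeof hook_table[0])

static hook_entry *find_entry(const char *api)
{
    for (size_t i = 0; i < HOOK_COUNT; i++)
        if (!strcmp(hook_table[i].api, api))
            return &hook_table[i];
    return NULL;
}

/* Each hook calls the original through its table entry, then logs the call. */
static long hook_NtOpenFile(const char *path)
{
    hook_entry *e = find_entry("NtOpenFile");
    long ret = e->original(path);
    log_event(e->api, path, ret);
    return ret;
}

static long hook_NtCreateFile(const char *path)
{
    hook_entry *e = find_entry("NtCreateFile");
    long ret = e->original(path);
    log_event(e->api, path, ret);
    return ret;
}

/* Install: resolve each original pointer; returns how many entries were hooked. */
int install_hooks(void)
{
    int n = 0;
    for (size_t i = 0; i < HOOK_COUNT; i++) {
        hook_table[i].original = resolve_export(hook_table[i].dll, hook_table[i].api);
        if (hook_table[i].original) n++;
    }
    return n;
}

/* Models a call landing on the export: goes through the hook once installed,
 * straight to the export before that, -1 for an unknown name. */
long call_api(const char *api, const char *arg)
{
    hook_entry *e = find_entry(api);
    if (e && e->original) return e->hook(arg);
    api_fn fn = resolve_export("ntdll.dll", api);
    return fn ? fn(arg) : -1;
}

int telemetry_events(void) { return telemetry_count; }
const char *telemetry_at(int i) { return (i >= 0 && i < telemetry_count) ? telemetry[i] : ""; }

int main(void)
{
    printf("hooked %d exports\n", install_hooks());
    call_api("NtOpenFile", "C:\\Windows\\Temp\\a.txt");
    for (int i = 0; i < telemetry_count; i++) puts(telemetry[i]);
    return 0;
}
```

The point worth keeping in mind when reading the real hook table is the order of operations the article describes: the original runs first and the telemetry is emitted afterwards from its result, so any quirk in how the hook reaches the original (or in what it records on the way back) is visible in the entry itself.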