bats3c / ghost-in-the-logs
Evade sysmon and windows event logging
Home Page: https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
License: MIT License
The project is about 1.4GB in size and contains multiple unnecessary files; please remove all ipch files in the .vs folder and recreate the repo.
Hi @bats3c,
I tried your gitl on the currently latest Windows version (gitl.exe load) and it continues to cause a BSOD. Are you aware of some new features / measures of MS prohibiting your approach of hooking NtTraceEvent to evade Sysmon / ETW events?
When getting a first view on the MEMORY.DMP the following details are shown by (!analyze -v):
nt!KeBugCheckEx:
fffff807`7c5fce40 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8d0d`59622740=0000000000000139
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000003d, Type of memory safety violation
Arg2: ffff8d0d59622a60, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8d0d596229b8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
Page fd68 not present in the dump file. Type ".hh dbgerr004" for details
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 3140
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 6265
Key : Analysis.Init.CPU.mSec
Value: 608
Key : Analysis.Init.Elapsed.mSec
Value: 41059
Key : Analysis.Memory.CommitPeak.Mb
Value: 82
Key : FailFast.Name
Value: ETW_CORRUPTION
Key : FailFast.Type
Value: 61
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
VIRTUAL_MACHINE: VMware
BUGCHECK_CODE: 139
BUGCHECK_P1: 3d
BUGCHECK_P2: ffff8d0d59622a60
BUGCHECK_P3: ffff8d0d596229b8
BUGCHECK_P4: 0
TRAP_FRAME: ffff8d0d59622a60 -- (.trap 0xffff8d0d59622a60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9a8ed138649c rbx=0000000000000000 rcx=000000000000003d
rdx=0000000000000018 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8077c61e6f6 rsp=ffff8d0d59622bf0 rbp=00000000000000c0
r8=0000000000000002 r9=0000000000001000 r10=0000000000000000
r11=ffff8d0d59622de8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!EtwpReserveTraceBuffer+0x20f696:
fffff807`7c61e6f6 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffff8d0d596229b8 -- (.exr 0xffff8d0d596229b8)
ExceptionAddress: fffff8077c61e6f6 (nt!EtwpReserveTraceBuffer+0x000000000020f696)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000003d
Subcode: 0x3d FAST_FAIL_ETW_CORRUPTION
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXWINLOGON: 1
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 000000000000003d
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffff8d0d`59622738 fffff807`7c60ed69 : 00000000`00000139 00000000`0000003d ffff8d0d`59622a60 ffff8d0d`596229b8 : nt!KeBugCheckEx
ffff8d0d`59622740 fffff807`7c60f190 : 00000000`00000000 00000000`00000002 ffff9a8e`d6d1b080 fffff807`7c90c565 : nt!KiBugCheckDispatch+0x69
ffff8d0d`59622880 fffff807`7c60d523 : 00000000`23010900 00000000`2f44990e 00007fff`573d9810 00007fff`5a9acc10 : nt!KiFastFailDispatch+0xd0
ffff8d0d`59622a60 fffff807`7c61e6f6 : 00000000`00000000 fffff807`7c467ace ffff9a8e`d6d1b080 ffff8d0d`59622ca0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8d0d`59622bf0 fffff807`7c40f799 : 00000000`00000000 00000000`00000001 ffff8d0d`59622cf0 00000000`00000001 : nt!EtwpReserveTraceBuffer+0x20f696
ffff8d0d`59622c80 fffff807`7c4afd3d : 00000000`0000000c ffff9a8e`d1a5e000 00000000`00501802 ffff8d0d`00000001 : nt!EtwpLogKernelEvent+0x1e9
ffff8d0d`59622d30 fffff807`7c7ab7b0 : ffff8ad0`42daa010 ffff8aaa`3625df10 ffff8d0d`59622ec0 00000000`00501802 : nt!EtwTraceSiloKernelEvent+0x99
ffff8d0d`59622d90 fffff807`7c60eccc : ffff9a8e`d6d1b080 00000000`0ec5e8fc ffff8aaa`357d0f34 ffff8aaa`00501802 : nt!PerfInfoLogSysCallEntry+0x70
ffff8d0d`59622df0 00007fff`582514a4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x297
00000000`0ec5e078 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`582514a4
SYMBOL_NAME: nt!KiFastFailDispatch+d0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: 0x139_3d_nt!KiFastFailDispatch
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {5afad1eb-92dc-6d7d-cecb-2e29d36aec95}
Followup: MachineOwner
---------
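For a defender reading a dump like the one above, the useful signal is the combination of bugcheck 0x139 (KERNEL_SECURITY_CHECK_FAILURE), fast-fail subcode 0x3d (FailFast.Name ETW_CORRUPTION, FailFast.Type 61) and Etwp* frames on the faulting stack: the kernel's own ETW integrity check fired while logging a kernel event, which is itself evidence that the tracing path was tampered with rather than a random driver fault. The Python below is an added example, not code from the ghost-in-the-logs project or its author. It parses the `!analyze -v` text into top-level fields, Key/Value pairs and stack-frame symbols, then returns a triage verdict. The sample input is a trimmed copy of the reporter's pasted output; the regular expressions, field names and the `triage` logic are my own assumptions about this text format, not a WinDbg API.

```python
import re

# Constructed sample: a trimmed copy of the `!analyze -v` output pasted in the issue above.
# Only the lines needed for triage are kept; the values are the ones the reporter posted.
SAMPLE_ANALYSIS = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.
Arguments:
Arg1: 000000000000003d, Type of memory safety violation
Key  : FailFast.Name
Value: ETW_CORRUPTION
Key  : FailFast.Type
Value: 61
Key  : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE:  139
BUGCHECK_P1: 3d
EXCEPTION_CODE_STR:  c0000409
PROCESS_NAME:  explorer.exe
STACK_TEXT:
ffff8d0d`59622738 fffff807`7c60ed69 : 00000000`00000139 00000000`0000003d ffff8d0d`59622a60 ffff8d0d`596229b8 : nt!KeBugCheckEx
ffff8d0d`59622a60 fffff807`7c61e6f6 : 00000000`00000000 fffff807`7c467ace ffff9a8e`d6d1b080 ffff8d0d`59622ca0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8d0d`59622bf0 fffff807`7c40f799 : 00000000`00000000 00000000`00000001 ffff8d0d`59622cf0 00000000`00000001 : nt!EtwpReserveTraceBuffer+0x20f696
ffff8d0d`59622c80 fffff807`7c4afd3d : 00000000`0000000c ffff9a8e`d1a5e000 00000000`00501802 ffff8d0d`00000001 : nt!EtwpLogKernelEvent+0x1e9
ffff8d0d`59622df0 00007fff`582514a4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x297
00000000`0ec5e078 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`582514a4
SYMBOL_NAME:  nt!KiFastFailDispatch+d0
FAILURE_BUCKET_ID:  0x139_3d_nt!KiFastFailDispatch
"""

# Fast-fail subcode from the dump: BUGCHECK_P1 = 3d, FailFast.Type = 61, named ETW_CORRUPTION.
ETW_CORRUPTION_SUBCODE = 0x3D

# Assumed line shapes for the analyzer text (my own regexes, not a WinDbg interface).
KEY_RE = re.compile(r"^\s*Key\s*:\s*(?P<key>\S+)\s*$")
VALUE_RE = re.compile(r"^\s*Value:\s*(?P<value>.+?)\s*$")
FIELD_RE = re.compile(r"^(?P<name>[A-Z0-9_]+):\s*(?P<value>.*?)\s*$")
FRAME_RE = re.compile(r":\s*(?P<symbol>[A-Za-z0-9_]+![A-Za-z0-9_]+(?:\+0x[0-9a-fA-F]+)?)\s*$")


def parse_analysis(text):
    """Split `!analyze -v` output into (UPPER_CASE fields, Key/Value pairs, stack symbols)."""
    fields, keys, frames = {}, {}, []
    pending_key = None
    in_stack = False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            pending_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and pending_key:
            keys[pending_key] = m.group("value")
            pending_key = None
            continue
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            m = FRAME_RE.search(line)
            if m:
                frames.append(m.group("symbol"))
                continue
            in_stack = False  # first line without a module!symbol ends the stack listing
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("name")] = m.group("value")
    return fields, keys, frames


def triage(fields, keys, frames):
    """Decide whether the crash looks like the kernel's ETW integrity check catching tampering."""
    is_fastfail = fields.get("BUGCHECK_CODE", "").strip() == "139"
    subcode = int(fields.get("BUGCHECK_P1", "0") or "0", 16)
    etw_corruption = (subcode == ETW_CORRUPTION_SUBCODE
                      or keys.get("FailFast.Name") == "ETW_CORRUPTION")
    etw_frames = [f for f in frames if f.split("!", 1)[1].startswith("Etw")]
    suspected = is_fastfail and etw_corruption and bool(etw_frames)
    findings = []
    if is_fastfail:
        findings.append("bugcheck 0x139 KERNEL_SECURITY_CHECK_FAILURE: a deliberate kernel fast-fail, not a random fault")
    if etw_corruption:
        findings.append("fast-fail subcode 0x3d (ETW_CORRUPTION): ETW tracing state failed the kernel's integrity check")
    if etw_frames:
        findings.append("ETW logging path on the faulting stack: " + ", ".join(etw_frames))
    if suspected:
        findings.append("triage: treat as possible tampering with kernel event tracing; preserve the dump, "
                        "review recently loaded drivers and the ETW/Sysmon session state before the crash")
    return {
        "etw_tampering_suspected": suspected,
        "process": fields.get("PROCESS_NAME"),
        "os_version": keys.get("WER.OS.Version"),
        "etw_frames": etw_frames,
        "findings": findings,
    }


def triage_text(text):
    """Convenience wrapper: parse and triage in one call."""
    return triage(*parse_analysis(text))


if __name__ == "__main__":
    for line in triage_text(SAMPLE_ANALYSIS)["findings"]:
        print("-", line)
```

The verdict keys on three independent signals (bugcheck code, fast-fail subcode or FailFast name, and Etwp* frames) rather than on any one of them, so a 0x139 raised by an unrelated fast-fail class, or an ETW frame that merely happens to be on the stack of some other fault, does not by itself flag tampering.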
I did these tests on WIN10 PRO x64 Version 10.0.18363 Build 18363 with everything disabled in Windows Defender.
I opened a cmd.exe in a privileged context and did the load and enabling. Everything was fine; after starting a new cmd.exe or powershell.exe nothing got detected by Sysmon (used the SwiftOnSecurity xml for Sysmon).
In the second step I disabled the hook and enabled it again, opened a new cmd and powershell and got logs in Sysmon. Tried it a few times but it won't work in the second run. So I restarted the Win10 machine and after that everything was fine again.
But I have to say that wasn't always the case; just two minutes ago I tried enabling and disabling multiple times and it worked fine, no detections in ETW/Sysmon.