
bats3c / ghost-in-the-logs


Evade sysmon and windows event logging

Home Page: https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/

License: MIT License

C++ 41.98% C 55.36% Objective-C 2.60% PowerShell 0.06%

ghost-in-the-logs's People

Contributors

bats3c


ghost-in-the-logs's Issues

Remove all ipch files

The project is about 1.4GB in size and contains multiple unnecessary files, please remove all ipch files in the .vs folder and recreate the repo.

BSOD on Win 10 21H1

Hi @bats3c,

I tried your gitl on the current latest Windows version (gitl.exe load) and it continues to cause a BSOD. Are you aware of any new features / measures from MS that prohibit your approach of hooking NtTraceEvent to evade Sysmon / ETW events?

On a first look at the MEMORY.DMP, !analyze -v shows the following details:

nt!KeBugCheckEx:
fffff807`7c5fce40 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffff8d0d`59622740=0000000000000139
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000003d, Type of memory safety violation
Arg2: ffff8d0d59622a60, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8d0d596229b8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

Page fd68 not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 3140

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 6265

    Key  : Analysis.Init.CPU.mSec
    Value: 608

    Key  : Analysis.Init.Elapsed.mSec
    Value: 41059

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 82

    Key  : FailFast.Name
    Value: ETW_CORRUPTION

    Key  : FailFast.Type
    Value: 61

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


VIRTUAL_MACHINE:  VMware

BUGCHECK_CODE:  139

BUGCHECK_P1: 3d

BUGCHECK_P2: ffff8d0d59622a60

BUGCHECK_P3: ffff8d0d596229b8

BUGCHECK_P4: 0

TRAP_FRAME:  ffff8d0d59622a60 -- (.trap 0xffff8d0d59622a60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff9a8ed138649c rbx=0000000000000000 rcx=000000000000003d
rdx=0000000000000018 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8077c61e6f6 rsp=ffff8d0d59622bf0 rbp=00000000000000c0
 r8=0000000000000002  r9=0000000000001000 r10=0000000000000000
r11=ffff8d0d59622de8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt!EtwpReserveTraceBuffer+0x20f696:
fffff807`7c61e6f6 cd29            int     29h
Resetting default scope

EXCEPTION_RECORD:  ffff8d0d596229b8 -- (.exr 0xffff8d0d596229b8)
ExceptionAddress: fffff8077c61e6f6 (nt!EtwpReserveTraceBuffer+0x000000000020f696)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 000000000000003d
Subcode: 0x3d FAST_FAIL_ETW_CORRUPTION 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  000000000000003d

EXCEPTION_STR:  0xc0000409

STACK_TEXT:  
ffff8d0d`59622738 fffff807`7c60ed69     : 00000000`00000139 00000000`0000003d ffff8d0d`59622a60 ffff8d0d`596229b8 : nt!KeBugCheckEx
ffff8d0d`59622740 fffff807`7c60f190     : 00000000`00000000 00000000`00000002 ffff9a8e`d6d1b080 fffff807`7c90c565 : nt!KiBugCheckDispatch+0x69
ffff8d0d`59622880 fffff807`7c60d523     : 00000000`23010900 00000000`2f44990e 00007fff`573d9810 00007fff`5a9acc10 : nt!KiFastFailDispatch+0xd0
ffff8d0d`59622a60 fffff807`7c61e6f6     : 00000000`00000000 fffff807`7c467ace ffff9a8e`d6d1b080 ffff8d0d`59622ca0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8d0d`59622bf0 fffff807`7c40f799     : 00000000`00000000 00000000`00000001 ffff8d0d`59622cf0 00000000`00000001 : nt!EtwpReserveTraceBuffer+0x20f696
ffff8d0d`59622c80 fffff807`7c4afd3d     : 00000000`0000000c ffff9a8e`d1a5e000 00000000`00501802 ffff8d0d`00000001 : nt!EtwpLogKernelEvent+0x1e9
ffff8d0d`59622d30 fffff807`7c7ab7b0     : ffff8ad0`42daa010 ffff8aaa`3625df10 ffff8d0d`59622ec0 00000000`00501802 : nt!EtwTraceSiloKernelEvent+0x99
ffff8d0d`59622d90 fffff807`7c60eccc     : ffff9a8e`d6d1b080 00000000`0ec5e8fc ffff8aaa`357d0f34 ffff8aaa`00501802 : nt!PerfInfoLogSysCallEntry+0x70
ffff8d0d`59622df0 00007fff`582514a4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x297
00000000`0ec5e078 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`582514a4


SYMBOL_NAME:  nt!KiFastFailDispatch+d0

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  d0

FAILURE_BUCKET_ID:  0x139_3d_nt!KiFastFailDispatch

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {5afad1eb-92dc-6d7d-cecb-2e29d36aec95}

Followup:     MachineOwner
---------
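The crash above is a 0x139 KERNEL_SECURITY_CHECK_FAILURE whose Arg1 (0x3d) and FailFast.Type (61 decimal) both say FAST_FAIL_ETW_CORRUPTION, raised from inside the kernel's ETW logging path. As an added triage helper (example code written for this page, not part of ghost-in-the-logs or the reporter's debugging session), the following Python script parses that !analyze -v excerpt, cross-checks Arg1 against FailFast.Type, and names the first frame below the bugcheck/fail-fast dispatch path. SAMPLE is copied from the dump pasted above; the regular expressions assume WinDbg's stack-line layout exactly as printed there.

```python
"""Triage helper for a WinDbg !analyze -v dump: bugcheck code, arguments,
fail-fast subcode and the first frame below the bugcheck dispatch path."""
import re
from dataclasses import dataclass
from typing import List, Optional

KERNEL_SECURITY_CHECK_FAILURE = 0x139
FAST_FAIL_ETW_CORRUPTION = 0x3D          # Arg1 / FailFast.Type in the dump above

# Frames that belong to the bugcheck/fail-fast dispatch machinery itself; the
# interesting frame is the first one below them.
DISPATCH_FRAMES = (
    "nt!KeBugCheckEx",
    "nt!KiBugCheckDispatch",
    "nt!KiFastFailDispatch",
    "nt!KiRaiseSecurityCheckFailure",
)

# A WinDbg stack line: "<rsp> <ret-addr> : <4 args> : <symbol>"
STACK_LINE = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17}\s+:.*:\s+(\S+)\s*$", re.M)

# Excerpt copied from the !analyze -v output pasted in the issue above.
SAMPLE = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
Arguments:
Arg1: 000000000000003d, Type of memory safety violation
Arg2: ffff8d0d59622a60, Address of the trap frame for the exception that caused the BugCheck
Arg3: ffff8d0d596229b8, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

    Key  : FailFast.Name
    Value: ETW_CORRUPTION

    Key  : FailFast.Type
    Value: 61

PROCESS_NAME:  explorer.exe

STACK_TEXT:
ffff8d0d`59622738 fffff807`7c60ed69     : 00000000`00000139 00000000`0000003d ffff8d0d`59622a60 ffff8d0d`596229b8 : nt!KeBugCheckEx
ffff8d0d`59622740 fffff807`7c60f190     : 00000000`00000000 00000000`00000002 ffff9a8e`d6d1b080 fffff807`7c90c565 : nt!KiBugCheckDispatch+0x69
ffff8d0d`59622880 fffff807`7c60d523     : 00000000`23010900 00000000`2f44990e 00007fff`573d9810 00007fff`5a9acc10 : nt!KiFastFailDispatch+0xd0
ffff8d0d`59622a60 fffff807`7c61e6f6     : 00000000`00000000 fffff807`7c467ace ffff9a8e`d6d1b080 ffff8d0d`59622ca0 : nt!KiRaiseSecurityCheckFailure+0x323
ffff8d0d`59622bf0 fffff807`7c40f799     : 00000000`00000000 00000000`00000001 ffff8d0d`59622cf0 00000000`00000001 : nt!EtwpReserveTraceBuffer+0x20f696
ffff8d0d`59622c80 fffff807`7c4afd3d     : 00000000`0000000c ffff9a8e`d1a5e000 00000000`00501802 ffff8d0d`00000001 : nt!EtwpLogKernelEvent+0x1e9
ffff8d0d`59622d30 fffff807`7c7ab7b0     : ffff8ad0`42daa010 ffff8aaa`3625df10 ffff8d0d`59622ec0 00000000`00501802 : nt!EtwTraceSiloKernelEvent+0x99
ffff8d0d`59622d90 fffff807`7c60eccc     : ffff9a8e`d6d1b080 00000000`0ec5e8fc ffff8aaa`357d0f34 ffff8aaa`00501802 : nt!PerfInfoLogSysCallEntry+0x70
ffff8d0d`59622df0 00007fff`582514a4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x297
00000000`0ec5e078 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`582514a4

SYMBOL_NAME:  nt!KiFastFailDispatch+d0
"""


@dataclass
class Triage:
    bugcheck: int
    args: List[int]
    fail_fast_name: Optional[str]
    fail_fast_type: Optional[int]
    process: Optional[str]
    frames: List[str]  # symbols, innermost first, as WinDbg printed them

    @property
    def culprit(self) -> Optional[str]:
        """First frame that is not part of the bugcheck dispatch path."""
        for f in self.frames:
            if not f.startswith(DISPATCH_FRAMES):
                return f
        return None

    @property
    def in_etw_path(self) -> bool:
        return any(f.startswith("nt!Etw") for f in self.frames)


def parse_analysis(text: str) -> Triage:
    m = re.search(r"^[A-Z_]+ \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    if not m:
        raise ValueError("no bugcheck header (NAME (code)) found")
    kv = {k: v.strip() for k, v in
          re.findall(r"Key\s+:\s+(\S+)\s*\n\s*Value:\s*(.+)", text)}
    proc = re.search(r"^PROCESS_NAME:\s+(\S+)", text, re.M)
    ff_type = kv.get("FailFast.Type")
    return Triage(
        bugcheck=int(m.group(1), 16),
        args=[int(v, 16) for v in re.findall(r"^Arg[1-4]: ([0-9a-fA-F]+),", text, re.M)],
        fail_fast_name=kv.get("FailFast.Name"),
        fail_fast_type=int(ff_type) if ff_type else None,  # WinDbg prints it in decimal
        process=proc.group(1) if proc else None,
        frames=STACK_LINE.findall(text),
    )


def explain(t: Triage) -> str:
    """One-line verdict; special-cases the 0x139 / ETW fail-fast pattern from the issue."""
    if t.bugcheck == KERNEL_SECURITY_CHECK_FAILURE and t.args and t.args[0] == FAST_FAIL_ETW_CORRUPTION:
        if t.fail_fast_type is not None and t.fail_fast_type != t.args[0]:
            return "inconsistent dump: FailFast.Type does not match Arg1"
        return (f"0x139 KERNEL_SECURITY_CHECK_FAILURE, subcode 0x3d FAST_FAIL_ETW_CORRUPTION: "
                f"the kernel's ETW consistency check fired in {t.culprit or 'an unresolved frame'} "
                f"while an event was being logged in the context of {t.process or 'an unknown process'}; "
                f"the process name is context, not the culprit")
    return f"bugcheck 0x{t.bugcheck:x}, args {[hex(a) for a in t.args]}, first frame {t.culprit}"


if __name__ == "__main__":
    print(explain(parse_analysis(SAMPLE)))
```

The culprit frame comes out as nt!EtwpReserveTraceBuffer+0x20f696. An offset that large means the return address lies about 2 MB past the nearest symbol WinDbg could resolve, so load full symbols before treating that name as the faulting function; the EtwpLogKernelEvent and PerfInfoLogSysCallEntry frames beneath it already show the check fired while the kernel was logging a system-call-entry event, which is the path a NtTraceEvent hook sits on.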

Multiple Enable/Disabling

I did these tests on Win10 Pro x64 Version 10.0.18363 Build 18363 with everything disabled in Windows Defender.

I opened a cmd.exe in a privileged context and did the load and enable. Everything was fine; after starting a new cmd.exe or powershell.exe nothing got detected by Sysmon (I used the swiftsecurity XML config for Sysmon).

In the second step I disabled the hook and enabled it again, opened a new cmd and powershell, and got logs in Sysmon. I tried it a few times, but it won't work on the second run. So I restarted the Win10 box and after that everything was fine again.

But I have to say that wasn't always the case; just two minutes ago I tried multiple enabling and disabling and it worked fine, no detections in ETW/Sysmon.
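The enable/disable test above is done by hand: spawn cmd.exe or powershell.exe and look in the Sysmon log. As an added example (written for this page, not part of ghost-in-the-logs or the reporter's setup), the following Python script makes that check repeatable: it pulls the newest Sysmon events with wevtutil, keeps only Event ID 1 (process creation) records whose Image ends with the name you pass, optionally only those newer than a timestamp, and prints LOGGED or SUPPRESSED. The channel name, the wevtutil invocation and the field layout are assumptions about a standard Sysmon install; SAMPLE_XML is constructed for the offline test, not captured from the reporter's machine.

```python
"""Does Sysmon still record process creation (Event ID 1) for a given image?

Use on the test box: note the time, spawn cmd.exe / powershell.exe, then run
  python sysmon_check.py cmd.exe 2021-06-01T10:00:00.000000000Z
Querying needs wevtutil (Windows, elevated); parsing and comparison run anywhere.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional

CHANNEL = "Microsoft-Windows-Sysmon/Operational"          # assumed default Sysmon channel
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape `wevtutil qe ... /f:xml` emits (one <Event> per
# line, no root element), trimmed to the fields used here: two process creations
# and one network connection (Event ID 3) that must not be counted.
SAMPLE_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>'
    '<TimeCreated SystemTime="2021-06-01T10:00:00.000000000Z"/></System><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>'
    '<Data Name="ProcessId">4242</Data></EventData></Event>\n'
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>'
    '<TimeCreated SystemTime="2021-06-01T10:00:05.000000000Z"/></System><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>'
    '<Data Name="ProcessId">4243</Data></EventData></Event>\n'
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>'
    '<TimeCreated SystemTime="2021-06-01T10:00:06.000000000Z"/></System><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data></EventData></Event>\n'
)


def parse_events(xml_text: str) -> List[dict]:
    """Wrap the concatenated <Event> elements in a root and flatten each to a dict."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {
            "EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "Time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        events.append(rec)
    return events


def process_creates(events: List[dict], image_suffix: str,
                    since: Optional[str] = None) -> List[dict]:
    """Event ID 1 records whose Image ends with image_suffix (case-insensitive),
    optionally only those newer than `since` (same ISO-8601 layout as SystemTime,
    so a plain string comparison orders them correctly)."""
    sfx = image_suffix.lower()
    return [e for e in events
            if e["EventID"] == 1
            and (e.get("Image") or "").lower().endswith(sfx)
            and (since is None or e["Time"] > since)]


def verdict(events: List[dict], image_suffix: str, since: Optional[str] = None) -> str:
    hits = process_creates(events, image_suffix, since)
    if hits:
        return f"LOGGED: {len(hits)} Sysmon Event ID 1 record(s) for *{image_suffix}"
    return f"SUPPRESSED: no Sysmon Event ID 1 record for *{image_suffix}"


def query_sysmon(max_events: int = 200) -> str:
    """Newest Sysmon events as XML via wevtutil (Windows only, run elevated)."""
    cmd = ["wevtutil", "qe", CHANNEL, f"/c:{max_events}", "/rd:true", "/f:xml"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
    since = sys.argv[2] if len(sys.argv) > 2 else None
    print(verdict(parse_events(query_sysmon()), image, since))
```

Run it once before loading the hook to confirm the baseline says LOGGED, then after each enable/disable cycle; a SUPPRESSED verdict after a fresh spawn is the condition the issue describes, and passing the spawn time as `since` keeps older records from masking a suppressed run.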
