{"id":9032,"date":"2024-04-10T10:24:00","date_gmt":"2024-04-10T08:24:00","guid":{"rendered":"http:\/\/dev.rocketstaff.de\/news\/loader-dev-3-evading-userspace-hooks\/"},"modified":"2024-12-04T09:09:59","modified_gmt":"2024-12-04T08:09:59","slug":"loader-dev-3-evading-userspace-hooks","status":"publish","type":"post","link":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/","title":{"rendered":"Loader Dev. 3 &#8211; Evading userspace hooks"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"9032\" class=\"elementor elementor-9032\" data-elementor-post-type=\"post\">\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5e8b0516 elementor-reverse-mobile elementor-section-height-min-height elementor-section-items-stretch elementor-section-boxed elementor-section-height-default\" data-id=\"5e8b0516\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-no\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-9566aa0\" data-id=\"9566aa0\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-492f789 pill__std elementor-widget__width-auto elementor-hidden-desktop elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-heading\" data-id=\"492f789\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t<h5 class=\"elementor-heading-title elementor-size-default\">Blog article<\/h5>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ef2b232 elementor-widget elementor-widget-post-info\" data-id=\"ef2b232\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-inline-items elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575 elementor-inline-item\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Blog<\/span>, <span class=\"elementor-post-info__terms-list-item\">Blog<\/span>, <span class=\"elementor-post-info__terms-list-item\">Red Teaming<\/span>, <span class=\"elementor-post-info__terms-list-item\">Red Teaming<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4fbcbc30 elementor-widget elementor-widget-heading\" data-id=\"4fbcbc30\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Loader Dev. 
3 &#8211; Evading userspace hooks<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2a195f16 elementor-widget elementor-widget-post-info\" data-id=\"2a195f16\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-99447c9\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t\t\t\t<time>April 10, 2024<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5fd1418f elementor-widget elementor-widget-spacer\" data-id=\"5fd1418f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-57702a6b\" data-id=\"57702a6b\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b67fbea elementor-widget elementor-widget-spacer\" data-id=\"b67fbea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div 
class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1d5621b6 elementor-reverse-mobile elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"1d5621b6\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-1ad0fc3e\" data-id=\"1ad0fc3e\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-874aeab elementor-widget elementor-widget-text-editor\" data-id=\"874aeab\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"color: var( --e-global-color-f834da0 ); font-size: 18px;\">In this post, we will go over techniques to avoid hooks placed into memory by an EDR.<\/span><\/p><h2>Disclaimer<\/h2><p>These posts are written to provide information to other professionals of the discussed topics.<\/p><p>The techniques used here are not novel and were documented by other people before. Therefore, the benefits of these posts for threat actors will likely be minimal. Nonetheless, we decided against releasing a full PoC implementation and will instead only provide code snippets as part of the posts. 
All credit should go to the people who did the original research on the techniques used.<\/p><p>There will also be an accompanying blog post on detecting or hunting for malware using the discussed techniques to enable readers to protect their environment.<\/p><h2>Hooks<\/h2><p>We will start by discussing how hooks work. This information will serve as background knowledge for the later sections in which we will explain how to circumvent these hooks.<\/p><h3>IAT Hooks<\/h3><p>One way to hook functions is to replace the address of the function in the Import Address Table (IAT) with the address of the hooking logic. If our executable then uses the IAT to resolve a function, it will invoke the hooking logic instead. However, this is not that relevant for our purposes here, as we are not using the IAT for our function resolution. Our understanding is that most EDRs prefer trampoline hooks over IAT hooks. We will discuss trampoline hooks in the next section.<\/p><h3>Inline\/Trampoline hooks<\/h3><p>Instead of hooking the IAT, we can also overwrite the start of a function with a jump to our hooking logic. If the function is then called, the jump to our logic is executed first and we can analyze the function call before handing over the execution to the original logic.
This is shown in the following figure:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34120b48 elementor-widget-tablet_extra__width-initial elementor-widget elementor-widget-image\" data-id=\"34120b48\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"556\" height=\"361\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild1-4.png\" class=\"attachment-large size-large wp-image-7226\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild1-4.png 556w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild1-4-300x195.png 300w\" sizes=\"(max-width: 556px) 100vw, 556px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2514e71c elementor-widget elementor-widget-text-editor\" data-id=\"2514e71c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Hooks in the real world<\/h3><p>So let\u2019s have a short look at how this looks in the real world. For this, we will use an unnamed EDR, which hooks certain functions. One hooked function is NtCreateThread. 
Let us first look at this function without the hook in place:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-73843eb7 elementor-widget elementor-widget-image\" data-id=\"73843eb7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"560\" height=\"134\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild2-3.png\" class=\"attachment-large size-large wp-image-7228\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild2-3.png 560w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild2-3-300x72.png 300w\" sizes=\"(max-width: 560px) 100vw, 560px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-7aee84ed\" data-id=\"7aee84ed\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6cd120a elementor-widget elementor-widget-image-box\" data-id=\"6cd120a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><div class=\"elementor-image-box-title\">Kolja Grassmann<\/div><p class=\"elementor-image-box-description\">Consultant<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-171798f1 elementor-widget elementor-widget-heading\" data-id=\"171798f1\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Category<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-605c2548 elementor-widget elementor-widget-post-info\" data-id=\"605c2548\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Blog<\/span>, <span class=\"elementor-post-info__terms-list-item\">Blog<\/span>, <span class=\"elementor-post-info__terms-list-item\">Red Teaming<\/span>, <span class=\"elementor-post-info__terms-list-item\">Red Teaming<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-74f8b92c elementor-widget elementor-widget-heading\" data-id=\"74f8b92c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Date<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5ed21355 elementor-widget elementor-widget-post-info\" data-id=\"5ed21355\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul 
class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t\t\t\t<time>April 10, 2024<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9634ae1 elementor-widget elementor-widget-heading\" data-id=\"9634ae1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Navigation<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6df4413 elementor-widget elementor-widget-table-of-contents\" data-id=\"6df4413\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;],&quot;exclude_headings_by_selector&quot;:[],&quot;marker_view&quot;:&quot;bullets&quot;,&quot;icon&quot;:{&quot;value&quot;:&quot;fas fa-chevron-right&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;no_headings_message&quot;:&quot;No headings were found on this 
page.&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-toc__6df4413\" class=\"elementor-toc__body\">\n\t\t\t<div class=\"elementor-toc__spinner-container\">\n\t\t\t\t<i class=\"elementor-toc__spinner eicon-animation-spin eicon-loading\" aria-hidden=\"true\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-12454e14 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"12454e14\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-641d6bba\" data-id=\"641d6bba\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9728c26 elementor-widget elementor-widget-text-editor\" data-id=\"9728c26\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>With the hook in place the function looks as follows:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-45759c9 elementor-widget elementor-widget-image\" data-id=\"45759c9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"560\" height=\"163\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/loader-dev-3-evading-userspace-hooks.png\" class=\"attachment-large size-large wp-image-7230\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/loader-dev-3-evading-userspace-hooks.png 560w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/loader-dev-3-evading-userspace-hooks-300x87.png 300w\" sizes=\"(max-width: 560px) 100vw, 560px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9c8066c elementor-widget elementor-widget-text-editor\" data-id=\"9c8066c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>As we can see, there is an unconditional jump added at the start of the functions. In this case, the remaining space is filled with int3 instructions. Note that there are more instructions in the second screenshot, as instructions can differ in size on Intel architectures. 
The jump will allow the EDR to analyze our function call and its argument before doing the actual NtCreateThread syscall.<\/p><h2>Avoiding hooks<\/h2><p>Now that we have covered how EDR products might hook certain functions, we will start discussing how to avoid these hooks.<\/p><h3>Moving to lower-level functions<\/h3><p>In many cases, the functions documented by Microsoft and used by most programmers like VirtualProtect are a wrapper to lower-level functions and provide a more convenient and stable interface for them. With VirtualProtect, the actual call stack when interacting with the kernel, which changes the protections, is as follows:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8c90e4f elementor-widget elementor-widget-image\" data-id=\"8c90e4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"315\" height=\"444\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild4-1.png\" class=\"attachment-large size-large wp-image-7232\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild4-1.png 315w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild4-1-213x300.png 213w\" sizes=\"(max-width: 315px) 100vw, 315px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d70d9f8 elementor-widget elementor-widget-text-editor\" data-id=\"d70d9f8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>As we can see, we could also use the NtProtectVirtualMemory function directly instead of VirtualProtect. 
Note that we are sacrificing some convenience here and that undocumented functions might be changed by Microsoft at any point.<\/p><p>In the past, some EDRs did only hook functions at a higher level. Therefore, it was possible to avoid hooks by calling lower-level functions directly. By now, in most cases, hooks are also placed in ntdll.dll, which is the interface between user space and the kernel. Therefore, it is generally no longer possible to avoid hooks by moving to lower-level functions.<\/p><h3>Loading a second copy<\/h3><p>Another strategy to avoid hooks is to load another copy of the used DLL into memory and then use the second copy for our calls. However, this has the disadvantage that loading the copy into memory alone could be detected and deemed malicious. Therefore, if we do not have a way to do it without encountering hooks, this might not work. It also leaves the obvious indicator of compromise, that there are two loaded copies of ntdll.dll.<\/p><h3>Direct syscalls<\/h3><p>Functions in ntdll.dll are mostly just a wrapper to syscall instructions, which place the appropriate syscall number into the rax register and hand over control to the kernel. 
We can see this in the following screenshot, which shows the NtProtectVirtualMemory function:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-90a1371 elementor-widget elementor-widget-image\" data-id=\"90a1371\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"560\" height=\"119\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild5-1.png\" class=\"attachment-large size-large wp-image-7237\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild5-1.png 560w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild5-1-300x64.png 300w\" sizes=\"(max-width: 560px) 100vw, 560px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f6065f5 elementor-widget elementor-widget-text-editor\" data-id=\"f6065f5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We can replicate this by using our syscall instruction with the right syscall number. Therefore, our next step will be finding the syscall number for the syscall we want to do.<\/p><h4>1. Hardcoding the syscall numbers<\/h4><p>One way to gather the syscall numbers is to look at the ntdll.dll file and create a mapping between the function we want to invoke and the syscall number. Unfortunately, the syscall numbers depend on the build of Windows and we can therefore only hardcode them if we know the specific version of Windows we are targeting. This approach is used e.g.\u00a0by <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/jthuraisamy\/SysWhispers\" target=\"_blank\" rel=\"noopener\">SysWhispers<\/a>.<\/span><\/p><h4>2. 
Parsing ntdll.dll dynamically<\/h4><p>We could also parse the syscall numbers from the ntdll.dll present on the system, which would then be the correct numbers for the targeted build version. One way to do this is to use the copy already mapped into memory to retrieve the syscall number, as is done by <a href=\"https:\/\/github.com\/vxunderground\/VXUG-Papers\/tree\/main\/Hells%20Gate\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">HellsGate<\/span><\/a>. Here, however, we again face the problem that this copy might be hooked and therefore might no longer contain our syscall numbers.<\/p><p>We could also retrieve a clean copy of ntdll.dll from disk. However, opening a fresh copy of ntdll.dll might be suspicious and could be detected by the EDR, as we are using the hooked logic to open the file.<\/p><p>As with unhooking, at which we will take a closer look later in this post, an alternative way here could be to create a suspended process and read the clean copy of e.g.\u00a0ntdll.dll from its memory before an EDR had the opportunity to place its hooks. Again, the main issue here is that the functions we would use are potentially hooked, which could lead to us being detected.<\/p><h4>3. Using function order in memory<\/h4><p>Fortunately, we can also find the syscall numbers dynamically by relying on the order of the syscalls in memory. 
The syscall numbers are sequential in memory, as can be seen in the following screenshot:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-91a2db1 elementor-widget elementor-widget-image\" data-id=\"91a2db1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild6.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Bild6\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6NzI0MiwidXJsIjoiaHR0cHM6XC9cL2Npcm9zZWMuZGVcL3dwLWNvbnRlbnRcL3VwbG9hZHNcLzIwMjNcLzEyXC9CaWxkNi5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"560\" height=\"592\" src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild6.png\" class=\"attachment-large size-large wp-image-7242\" alt=\"\" srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild6.png 560w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/12\/Bild6-284x300.png 284w\" sizes=\"(max-width: 560px) 100vw, 560px\" \/>\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4ed0c4d elementor-widget elementor-widget-text-editor\" data-id=\"4ed0c4d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>As you can see, the functions following each other in memory also have sequential syscall numbers (0x4c-0x50).<\/p><p>There are two strategies, that we are aware of, that use this order to retrieve the syscall numbers. 
The first one is Halo&#8217;s Gate, which we learned about in the course material from <span style=\"text-decoration: underline;\"><a href=\"https:\/\/institute.sektor7.net\/rto-win-evasion\" target=\"_blank\" rel=\"noopener\">Sektor7<\/a><\/span>. This strategy is basically the same as with <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/vxunderground\/VXUG-Papers\/tree\/main\/Hells%20Gate\" target=\"_blank\" rel=\"noopener\">HellsGate<\/a><\/span>, but instead of parsing the syscall number from the copy in memory and stopping if a hook overwrote the syscall number, we continue our search in the functions above and below the function for which we want to retrieve the syscall number. The offset to these functions is always 32 bytes and if we find their syscall numbers, we can use the current overall offset used in our search to calculate the syscall number we are searching for.<\/p><p>One disadvantage of Halo&#8217;s Gate is that we still need to find a syscall number in memory. While this is likely possible as not all functions will be hooked, it could still be prevented by an EDR that hooks all functions in ntdll.dll. Instead, we can use the method used by <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/crummie5\/FreshyCalls\" target=\"_blank\" rel=\"noopener\">FreshyCalls<\/a><\/span> (this is a fork as we did not find the original repo). The basic idea here is that we sort all function names by their address. Afterward, we can search this list for our function name and will be able to use the index into our list of sorted functions as the syscall number. As we are not relying on reading the syscall numbers from memory, this should work even if they have all been removed from memory as long as the order does not change (which is not a given, as Microsoft could change this with every update).
As this is one method we decided to port to C, we will cover this in more detail here.<\/p><p>Like FreshyCalls, I defined a struct that contains the mapping between the syscall name and address:<\/p><pre>\/\/ Struct holding the syscall name and its address<br \/>struct SYSCALL_ENTRY {<br \/>\u00a0\u00a0\u00a0 char* name;<br \/>\u00a0\u00a0\u00a0 DWORD address;<br \/>};<\/pre><pre>\/\/ Struct holding the number of found syscalls, as well as the ntdll.dll base address and an array of SYSCALL_ENTRY structs<br \/>struct SYSCALL_LIST {<br \/>\u00a0\u00a0\u00a0 DWORD size;<br \/>\u00a0\u00a0\u00a0 char* pBaseAddress;<br \/>\u00a0\u00a0\u00a0 struct SYSCALL_ENTRY entries[MAX_SYSCALL_ENTRIES];<br \/>};<\/pre><p>We initially fill this with all functions in ntdll.dll (see part 2 for a more detailed description) that start with nt, but not with ntdll (ignoring case):<\/p><pre>DWORD* Functions = (DWORD*)(pBaseAddr + pExportDirAddr-&gt;AddressOfFunctions);<br \/>DWORD* Names = (DWORD*)(pBaseAddr + pExportDirAddr-&gt;AddressOfNames);<br \/>WORD* Ordinals = (WORD*)(pBaseAddr + pExportDirAddr-&gt;AddressOfNameOrdinals);<\/pre><pre>DWORD j = 0;<br \/>for (DWORD i=0; i &lt; pExportDirAddr-&gt;NumberOfNames; i++) {<br \/>\u00a0\u00a0\u00a0 char* FunctionName = pBaseAddr + Names[i];<br \/>\u00a0\u00a0\u00a0 if([...]) { \/\/ Starts with nt, but not ntdll<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syscall_list.entries[j].name = FunctionName;<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syscall_list.entries[j].address = Functions[Ordinals[i]];<br \/>\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0j++;<br \/>\u00a0\u00a0\u00a0 }<br \/>}<br \/>syscall_list.size = j;<br \/>syscall_list.pBaseAddress = pBaseAddr;<\/pre><p>Finally, we will sort all the entries by their address:<\/p><pre>for (unsigned long i = 0; i &lt; syscall_list.size - 1; i++) {<br \/>\u00a0\u00a0\u00a0 for (unsigned long j = 0; j &lt; syscall_list.size - i - 1; j++) {<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
if (syscall_list.entries[j].address &gt; syscall_list.entries[j + 1].address) {<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ Swap entries.<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 struct SYSCALL_ENTRY TempEntry = {};<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TempEntry.name = syscall_list.entries[j].name;<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TempEntry.address = syscall_list.entries[j].address;<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syscall_list.entries[j].name = syscall_list.entries[j + 1].name;<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syscall_list.entries[j].address = syscall_list.entries[j + 1].address;<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 syscall_list.entries[j + 1].name = TempEntry.name;<br \/>\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0syscall_list.entries[j + 1].address = TempEntry.address;<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<br \/>\u00a0\u00a0\u00a0 }<br \/>}<\/pre><p>The index at which our function is located is the syscall number that we are searching. \u00a0Therefore, we can iterate over our structure as follows and return the syscall number when we find our function:<\/p><pre>for (DWORD i=0; i &lt; syscall_list.size; i++) {<br \/>\u00a0\u00a0\u00a0 if ( strcmp(syscall_name, syscall_list.entries[i].name)== 0) {<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 return i;<br \/>\u00a0\u00a0\u00a0 }<br \/>}<\/pre><h4>4. Using Vectored Exception Handling<\/h4><p>Another option would be to call our syscall using non-malicious arguments with the hooks in place so that no detection is triggered. Before doing the call, we set a breakpoint at the syscall instruction and use Vectored Exception Handling to handle this breakpoint. 
Even if the EDR has removed the syscall number from the ntdll.dll memory, it will be placed in EAX before the syscall. So, when our exception is triggered the right syscall number will be in EAX and we can retrieve it in our exception logic. This is described by <span style=\"text-decoration: underline;\"><a href=\"https:\/\/twitter.com\/rad9800\" target=\"_blank\" rel=\"noopener\">rad98<\/a><\/span> in <span style=\"text-decoration: underline;\"><a href=\"https:\/\/fool.ish.wtf\/2022\/08\/tamperingsyscalls.html\" target=\"_blank\" rel=\"noopener\">this blog post<\/a>.<\/span><\/p><h4>5. Doing the syscall<\/h4><p>Using the syscall number, we can replicate the behavior of the function present in ntdll.dll. For this, SysWhispers does ship a syscall instruction. This, however, seems like an easy pattern that AV software could check for, as there is no reason to use this instruction in an executable. In our understanding, it should only be present in ntdll.dll. Instead, we can use a gadget from ntdll.dll, which our code jumps to when performing the actual syscall as done by FreshyCalls. This has the additional advantage that the call originates from ntdll.dll, which could be beneficial if the call stack is checked by an EDR in the kernel.<\/p><p>For this purpose, we implemented logic that searches ntdll.dll for a syscall instruction. We can start at the address of our target function and then search for a syscall instruction as follows:<\/p><pre>for(int i = 0; i &lt; 200; i++) {<br \/>\u00a0\u00a0\u00a0 if(*( function_base_address + i) == 0x0F &amp;&amp; *(function_base_address + i +1) == 0x05) {<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 return (unsigned char*) (function_base_address + i);<br \/>\u00a0\u00a0\u00a0 }<br \/>}<\/pre><p>This is not a clean solution, as we are relying on the fact that the instructions are present either in our function or in one of the functions located directly afterwards. 
It would be cleaner to search specifically within our function and then start at the beginning of the .text segment in order to find a syscall instruction if there is one present. Changing this is still on our TODO list.<\/p><p>As the loader uses MinGW, we can use the following code to store our syscall gadget and the syscall number in the required registers:<\/p><pre>register unsigned char* syscall_gadget asm(\"r11\") = tmp_syscall_gadget;<br \/>register unsigned int syscall_number asm(\"rax\") = tmp_syscall_number;<\/pre><p>Afterward, we can use the following assembly stub to execute the syscall:<\/p><pre>\/\/ At the beginning of our function we ensure, that all arguments are saved on the stack (assuming stdcall calling convention)<br \/>\/\/ Here we put them into registers again, as our logic will likely have clobbered the original values<br \/>movq 0x10(%rbp), %rcx \/\/ restore first argument<br \/>movq 0x18(%rbp), %rdx \/\/ restore second argument<br \/>movq 0x20(%rbp), %r8 \/\/ restore third argument<br \/>movq 0x28(%rbp), %r9 \/\/ restore fourth argument. Everything after this is passed on the stack anyway.<br \/><br \/>mov %rcx, %r10 \/\/ replicate normal syscall stub behaviour<br \/>mov %rbp,%rsp \/\/ get rid of local variables, which we no longer need<br \/>pop %rbp\u00a0 \/\/ restore base pointer<br \/>jmp %r11\u00a0 \/\/ jmp to our gadget<\/pre><p>This logic makes some assumptions on how our compiler implements the function (e.g. that rbp is stored on the stack). We verified that this is indeed the case in our implementation. However, future versions of the compiler or different implementations might need some adjustments here.<\/p><p>As we are directly calling the syscall from our code, which will not have been hooked by the EDR, this avoids any hooks that might have been placed in user space.<\/p><h3>Unhooking<\/h3><p>Using direct syscalls is often inconvenient and might lead to a lot of maintenance, as these interfaces might change at any time.
Therefore, we should keep our usage of direct syscalls to a minimum. Furthermore, the payload we load will likely use the Windows APIs, which an EDR will still have hooked at this point.<\/p><p>The hooks will likely be placed by the EDR during the initialization of our process or when a new library is loaded. As discussed before, these hooks are most likely trampoline hooks, which are placed at the beginning of the targeted functions. As the functions reside in userspace, we can overwrite them ourselves, too. This means that we can revert the changes made by the EDR to the function instruction, which is basically what we will be doing when unhooking our process.<\/p><h3>IAT Unhooking<\/h3><p>As discussed initially, one way to hook functions is by overwriting function addresses in the IAT. Because this seemed less relevant, we decided against integrating this for now. If you are searching for inspiration, have a look at <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/xalicex\/Unhook-Import-Address-Table\" target=\"_blank\" rel=\"noopener\">this<\/a><\/span> project, which implements IAT unhooking. There is also an accompanying<span style=\"text-decoration: underline;\"> <a href=\"https:\/\/alice.climent-pommeret.red\/posts\/how-and-why-to-unhook-the-import-address-table\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a><\/span>, which we highly recommend, that explains what we are doing. To summarize the post: We would iterate over the IAT and recalculate the function addresses by looking at the Export Address Table (EAT) of the DLL implementing the function. If the function address differs, we then overwrite the presumably hooked address with our newly calculated one.<\/p><h2>Removing inline hooks<\/h2><p>To remove inline hooks, we first need access to a clean version of the DLL. We can retrieve a clean version of the DLL from the original file on disk, as the DLLs are only hooked during runtime. 
Another option would be to start a suspended process and retrieve a clean version of the loaded DLLs before the EDR had the opportunity to hook them. For DLLs included as \\KnownDlls\\, it is also an option to call NtOpenSection to get a section handle, which can then be used to map the DLL into our process. The \\KnownDlls\\ entries are a caching mechanism for the more important DLLs used by the system; this technique works e.g.\u00a0for ntdll.dll.<\/p><p>After we have a clean copy of our target DLL, we then use it to remove any hooks from the .text section of the DLL loaded by our process. The simplest way to do this is to overwrite the complete text section with the clean version. This works well for ntdll.dll; however, I am not sure if it is the best approach for other DLLs. A more fine-grained approach is to check if a hook is in place for each function and then only overwrite the hook if that is the case.<\/p><p>In our case, the implementation was heavily inspired by <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/cube0x0\/SyscallPack\/blob\/main\/SyscallPack\/unhook-PIC.c\" target=\"_blank\" rel=\"noopener\">this code<\/a><\/span>, as this seemed to be the simplest way to achieve the unhooking using only direct syscalls. It uses the \\KnownDlls\\ path and checks for a jmp at the beginning of each function to evaluate if a certain function is hooked. If this is the case, the start of the function is overwritten with the instructions from the clean version of the DLL. I decided to only unhook kernel32.dll, kernelbase.dll and ntdll.dll. In a future version of the loader, it might be nice to unhook all loaded DLLs. However, we suspect that with these three DLLs, most of the hooks encountered in practice should be covered.<\/p><p>After we have executed this, we should no longer have hooks in our loaded DLLs and should therefore be harder to detect even when using functions provided by the loaded DLLs instead of direct syscalls. 
Note, however, that the removal of hooks itself might be an indicator of malicious intent and therefore we need to evaluate whether unhooking makes sense in our use case.<\/p><h3>Dynamic unhooking<\/h3><p>While looking into this topic, we found an <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/mgeeky\/UnhookMe\" target=\"_blank\" rel=\"noopener\">implementation of dynamic unhooking<\/a><\/span> by <a href=\"https:\/\/twitter.com\/mariuszbit\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">@mgeeky<\/span><\/a>. The idea here is that instead of unhooking the DLLs we consider relevant at the beginning of our execution, we integrate the unhooking logic into our dynamic function resolution logic (see<span style=\"text-decoration: underline;\"> <a href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-2-dynamically-resolving-functions\/\" target=\"_blank\" rel=\"noopener\">part 2<\/a><\/span> of this series). This way we can dynamically unhook only the functions we use, which should be much stealthier. This will make it harder to check if the hooks are still in place, as most hooks will indeed be. Therefore, this seems like a great idea; however, as our payload is not aware of our dynamic function resolution logic, this seems less relevant for developing a loader than e.g.\u00a0for a custom C2 framework. To make this work within a loader, we would need to ensure that the payload uses this dynamic function resolution logic, which does not seem trivial and which we therefore decided against.<\/p><h2>Kernel level detections<\/h2><p>The hooks placed by the EDR, which we discussed previously, are located in user space. There is, however, also the possibility that the logic detecting us resides in kernel space. 
This logic could then e.g.\u00a0detect our direct syscalls or our function call after we removed the hooks.<\/p><h3>Kernel Callbacks<\/h3><p>Drivers can register callbacks for some events in the kernel, like the creation of a new process. An EDR that ships with a kernel driver could register such a callback and react to the event. There was a <span style=\"text-decoration: underline;\"><a href=\"https:\/\/codemachine.com\/articles\/kernel_callback_functions.html\" target=\"_blank\" rel=\"noopener\">non-comprehensive list<\/a><\/span> of kernel callbacks linked in <span style=\"text-decoration: underline;\"><a href=\"https:\/\/pre.empt.dev\/posts\/maelstrom-edr-kernel-callbacks-hooks-and-callstacks\/\" target=\"_blank\" rel=\"noopener\">this<\/a><\/span> awesome series on C2 development.<\/p><h3>ETW TI<\/h3><p>Another component in the kernel that might still lead to detection is ETW TI. This is a component implemented by Microsoft and therefore heavily used by their EDR, while other EDRs are, to the best of my knowledge, just starting to use it. It is a version of ETW that is implemented in the kernel and logs information about events triggered by a process. I found <span style=\"text-decoration: underline;\"><a href=\"https:\/\/undev.ninja\/introduction-to-threat-intelligence-etw\/\" target=\"_blank\" rel=\"noopener\">this blog post<\/a><\/span> helpful for gaining a bit more insight into ETW TI.<\/p><h3>Call Stack Spoofing<\/h3><p>One thing an EDR could look at to detect direct syscalls or the malicious use of functions is the call stack of the call. 
If the call stack does not contain the expected calls or contains suspicious addresses that, for example, are not backed by a file, this could lead to detection.<\/p><p>There are multiple projects to avoid this: There is, for example, <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/mgeeky\/ThreadStackSpoofer\" target=\"_blank\" rel=\"noopener\">an implementation<\/a><\/span> by <span style=\"text-decoration: underline;\"><a href=\"https:\/\/twitter.com\/mariuszbit\" target=\"_blank\" rel=\"noopener\">mgeeky<\/a><\/span>, that places a 0 into the call stack of a sleeping thread to stop the unwinding process. There is also this<span style=\"text-decoration: underline;\"> <a href=\"https:\/\/labs.withsecure.com\/blog\/spoofing-call-stacks-to-confuse-edrs\" target=\"_blank\" rel=\"noopener\">blog post<\/a><\/span>, which discusses spoofing a call stack using a new thread to make an unsuspicious syscall. Another implementation is a part of <span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/kyleavery\/AceLdr\" target=\"_blank\" rel=\"noopener\">AceLdr<\/a><\/span>, which uses a jmp gadget to avoid calls from a suspicious location.<\/p><h3>EDR Sandblast<\/h3><p><span style=\"text-decoration: underline;\"><a href=\"https:\/\/github.com\/wavestone-cdt\/EDRSandblast\" target=\"_blank\" rel=\"noopener\">EDR Sandblast<\/a><\/span> is a tool that uses a vulnerable driver to execute code in the kernel. It can then remove any kernel callbacks and also deactivate ETW TI. This tool is quite powerful and has other features as well. However, Microsoft is starting to lock down the loading of drivers by requiring them to be signed and by introducing a blacklist for vulnerable drivers. Therefore, if the target system is sufficiently hardened, we might need a custom signed driver or an exploitable zero-day in another driver to use a similar approach.<\/p><h2>Summary<\/h2><p>In this post, we took a quick look at how hooks work. 
We then discussed how to evade them using direct syscalls. Here we covered different options for resolving syscall numbers. Afterwards, we discussed unhooking, which will be useful to ensure that our payload stays undetected during execution, as these hooks would likely allow an EDR solution to recognize some of our payloads by their call patterns. In the next post, we will discuss evading AMSI and ETW to ensure that our payload is even harder to detect during runtime.<\/p>
fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" 
href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\" tabindex=\"-1\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\" tabindex=\"-1\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\" tabindex=\"-1\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-871a164\" data-id=\"871a164\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a46aa52 elementor-widget elementor-widget-heading\" data-id=\"a46aa52\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Legal<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50e6031 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"50e6031\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; 
aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\" tabindex=\"-1\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\" tabindex=\"-1\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\" tabindex=\"-1\">cirosec Responsible Disclosure 
Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/footer>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>April 10, 2024 &#8211; In this post, we will go over techniques to avoid hooks placed into memory by an EDR.<br \/>\n<br \/>\nAuthor: Kolja Grassmann<\/p>\n","protected":false},"author":43,"featured_media":12075,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_canvas","format":"standard","meta":{"footnotes":""},"categories":[41,7,36,34],"tags":[49],"class_list":["post-9032","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","category-blog","category-red-teaming-en","category-red-teaming","tag-loader-dev"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Loader Dev. 3 - Evading userspace hooks - cirosec<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Loader Dev. 3 - Evading userspace hooks - cirosec\" \/>\n<meta property=\"og:description\" content=\"April 10, 2024 - In this post, we will go over techniques to avoid hooks placed into memory by an EDR. 
Author: Kolja Grassmann\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/\" \/>\n<meta property=\"og:site_name\" content=\"cirosec\" \/>\n<meta property=\"article:published_time\" content=\"2024-04-10T08:24:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-12-04T08:09:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1500\" \/>\n\t<meta property=\"og:image:height\" content=\"1000\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"ne@cirosec.de\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ne@cirosec.de\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"20 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/\"},\"author\":{\"name\":\"ne@cirosec.de\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/a502baf6d9f9698b9b9236805b52fe73\"},\"headline\":\"Loader Dev. 
3 &#8211; Evading userspace hooks\",\"datePublished\":\"2024-04-10T08:24:00+00:00\",\"dateModified\":\"2024-12-04T08:09:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/\"},\"wordCount\":3201,\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/beratung-konzepte-reviews-und-analysen.jpg\",\"keywords\":[\"loader dev\"],\"articleSection\":[\"Blog\",\"Blog\",\"Red Teaming\",\"Red Teaming\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/\",\"name\":\"Loader Dev. 3 - Evading userspace hooks - cirosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/beratung-konzepte-reviews-und-analysen.jpg\",\"datePublished\":\"2024-04-10T08:24:00+00:00\",\"dateModified\":\"2024-12-04T08:09:59+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/#primaryima
ge\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/beratung-konzepte-reviews-und-analysen.jpg\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/beratung-konzepte-reviews-und-analysen.jpg\",\"width\":1500,\"height\":1000},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/loader-dev-3-evading-userspace-hooks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/cirosec.de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Loader Dev. 3 &#8211; Evading userspace hooks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"name\":\"cirosec\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cirosec.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\",\"name\":\"cirosec\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"width\":626,\"height\":188,\"caption\":\"cirosec\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/a502baf6d9f96
98b9b9236805b52fe73\",\"name\":\"ne@cirosec.de\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/author\\\/necirosec-de\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Loader Dev. 3 - Evading userspace hooks - cirosec","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/","og_locale":"en_US","og_type":"article","og_title":"Loader Dev. 3 - Evading userspace hooks - cirosec","og_description":"April 10, 2024 - In this post, we will go over techniques to avoid hooks placed into memory by an EDR. Author: Kolja Grassmann","og_url":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/","og_site_name":"cirosec","article_published_time":"2024-04-10T08:24:00+00:00","article_modified_time":"2024-12-04T08:09:59+00:00","og_image":[{"width":1500,"height":1000,"url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen.jpg","type":"image\/jpeg"}],"author":"ne@cirosec.de","twitter_card":"summary_large_image","twitter_misc":{"Written by":"ne@cirosec.de","Est. reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/#article","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/"},"author":{"name":"ne@cirosec.de","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/a502baf6d9f9698b9b9236805b52fe73"},"headline":"Loader Dev. 
3 &#8211; Evading userspace hooks","datePublished":"2024-04-10T08:24:00+00:00","dateModified":"2024-12-04T08:09:59+00:00","mainEntityOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/"},"wordCount":3201,"publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen.jpg","keywords":["loader dev"],"articleSection":["Blog","Blog","Red Teaming","Red Teaming"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/","url":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/","name":"Loader Dev. 3 - Evading userspace hooks - cirosec","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/#primaryimage"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen.jpg","datePublished":"2024-04-10T08:24:00+00:00","dateModified":"2024-12-04T08:09:59+00:00","breadcrumb":{"@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/#primaryimage","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen.jpg","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/02\/beratung-konzepte-reviews-und-analysen.jpg","width":1500,"height":1000},{"@type":"BreadcrumbList","@id":"
https:\/\/cirosec.de\/en\/news\/loader-dev-3-evading-userspace-hooks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/cirosec.de\/"},{"@type":"ListItem","position":2,"name":"Loader Dev. 3 &#8211; Evading userspace hooks"}]},{"@type":"WebSite","@id":"https:\/\/cirosec.de\/en\/#website","url":"https:\/\/cirosec.de\/en\/","name":"cirosec","description":"","publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cirosec.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cirosec.de\/en\/#organization","name":"cirosec","url":"https:\/\/cirosec.de\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","width":626,"height":188,"caption":"cirosec"},"image":{"@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/a502baf6d9f9698b9b9236805b52fe73","name":"ne@cirosec.de","url":"https:\/\/cirosec.de\/en\/news\/author\/necirosec-de\/"}]}},"_links":{"self":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/9032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/comments?post=9032"}],"version-history":[{"count":0,"href":
"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/9032\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media\/12075"}],"wp:attachment":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media?parent=9032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/categories?post=9032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/tags?post=9032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}