Blue team must-read | Technical analysis of using hardware breakpoints to avoid EDR detection

1 Technical Introduction

The technique of using hardware breakpoints to evade EDR detection is also known as Blindside. Instead of patching individual hooked functions, it loads an unmonitored, unhooked copy of a DLL and uses a debugging mechanism that lets arbitrary code run without being observed by the EDR. The same debugging mechanism is widely used by ordinary debuggers.

2 Blindside Technology Principle

2.1 Hardware breakpoints

Blindside relies on hardware breakpoints, which are a CPU feature. This section introduces hardware breakpoints and the hardware breakpoint registers. The CPU provides 8 debug registers, DR0 to DR7, for hardware breakpoints. Unlike software breakpoints, hardware breakpoints can be used as memory breakpoints, that is, breakpoints that fire when any instruction reads, writes, or executes a specific memory address (depending on the breakpoint configuration).
The number of hardware breakpoints is limited: at most 4 can be set at one time. The hardware breakpoint registers, also called debug registers, are shown in the figure below.

[Image: https://image.3001.net/images/20230106/1672991512_63b7d31816833ecd81531.png!small]

DR0 to DR3 hold the linear address of a breakpoint and are therefore called debug address registers. When the address in one of these registers matches the address being accessed or executed, the breakpoint fires. DR4 and DR5 are reserved debug registers.

  • DR6 register analysis

DR6 is the debug status register. When the CPU detects a breakpoint whose condition matches, or another debug event occurs, DR6 passes the details of that event to the debugger's breakpoint exception handler. The register is only updated when an exception is generated.

[Image: https://image.3001.net/images/20230106/1672991529_63b7d3292eb26f22a7d99.png!small]

This register indicates the reason the trap was entered; the bits mean the following:

● B0-B3: if one of these bits is set, the debug trap was caused by the corresponding DR0-DR3 breakpoint

● BD: the trap was caused by an access to a debug register while the GD bit (in DR7) was set

● BT: when a TSS task switch occurs and the T flag of the TSS is set, a debug exception is raised and the BT bit is set

● BS: the trap was caused by a single-step event, that is, the TF flag in EFLAGS was set. Note that the exception raised by a hardware breakpoint is also reported as a single-step exception

  • DR7 register analysis

DR7 is the debug control register. L0, L1, L2 and L3 indicate whether DR0, DR1, DR2 and DR3 respectively are enabled; G0-G3 can be ignored for this purpose.

L/G: local/global enable.

GD: general detect (protection) flag; when set, any access to a debug register raises a debug exception (see the BD bit above).

LE and GE: for compatibility, Intel recommends setting both LE and GE to 1 when using exact (precise) breakpoints. (P6 and later CPUs no longer support this flag.)

[Image: https://image.3001.net/images/20230106/1672991538_63b7d332d0f0c9de7554c.png!small]

R/W0 and LEN0 through R/W3 and LEN3 describe the type and length of each hardware breakpoint.

  • R/W0 to R/W3: specify the trigger condition of each breakpoint. They correspond to the addresses in DR0 to DR3 and to the four breakpoint condition flags (B0-B3) in DR6.

// 00 execute only
// 01 write data breakpoint
// 10 I/O port breakpoint (Pentium and later only; requires the DE bit of CR4, bit 3, to be set)
// 11 read or write data breakpoint

  • LEN0 to LEN3: specify the size of the memory location whose address is held in DR0 to DR3.

  • Notes:

* If the R/Wx bits are 00, the LENx bits must also be 00, otherwise behaviour is undefined. R/Wx = 00 is a hardware execution breakpoint.

* The address must be aligned to the breakpoint length.

// 00 1 byte
// 01 2 bytes
// 10 reserved
// 11 4 bytes

For Blindside, DR7 is the most important register because it enables each breakpoint and sets its trigger condition.

2.2 Debug exceptions

Two kinds of exception are relevant to hardware breakpoints: the debug exception (#DB) and the breakpoint exception (#BP).

  • Debug exception (#DB): raised by any debug event other than an INT 3 instruction

  • Breakpoint exception (#BP): raised when an INT 3 instruction executes; the CPU enters the exception handling routine, which dispatches the exception to the debugger

For Blindside, the debug exception (#DB) is the one that matters. When the breakpoint fires, execution is redirected to the handler. In Blindside the exception is only triggered when a single-step exception occurs.

First you need to create a handler for the breakpoint.

[Image: https://image.3001.net/images/20230106/1672991555_63b7d34353df8b616f067.png!small]

The handler first checks whether the ExceptionCode in the ExceptionRecord member of the EXCEPTION_POINTERS structure is EXCEPTION_SINGLE_STEP. If it is, the handler checks whether the instruction pointer (Rip) in the ContextRecord member equals the value of Dr0. If so, the handler performs its work, for example printing the exception information.

Finally, the handler sets the resume flag (RF) and returns EXCEPTION_CONTINUE_EXECUTION to indicate that execution should continue. If ExceptionCode is not EXCEPTION_SINGLE_STEP, the handler returns EXCEPTION_CONTINUE_SEARCH so that the search for a handler continues.

Next you need to set a hardware breakpoint.

[Image: https://image.3001.net/images/20230106/1672991578_63b7d35a393252d4e5166.png!small]

3 Blindside implementation process

3.1 Blindside implementation principle

The principle of Blindside is to create a process in debug mode, set a hardware breakpoint on LdrLoadDll, and let that process load ntdll.dll and nothing else. Because no other DLL is loaded, this copy of ntdll.dll is never hooked. Finally, the memory of the unhooked ntdll.dll is copied into the existing process, which removes every hooked function call.

In other words, Blindside uses a hardware breakpoint to hook LdrLoadDll, preventing any additional DLL from loading, which yields a process that contains only an unhooked ntdll.

[Image: https://image.3001.net/images/20230106/1672991589_63b7d365eb73353e93a9f.png!small]

3.2 Blindside implementation process

  • Create process in debug mode

[Image: https://image.3001.net/images/20230106/1672991618_63b7d382a3d2be8494c63.png!small]

  • Locate the address of LdrLoadDll

The newly created process is a child of the target process, so it has the same ntdll base address and therefore the same LdrLoadDll address as the target process.

[Image: https://image.3001.net/images/20230106/1672991629_63b7d38d289210900ba90.png!small]

  • Set the hardware breakpoint

Once the address of LdrLoadDll has been located, set a hardware breakpoint on it.

[Image: https://image.3001.net/images/20230106/1672991640_63b7d39837e406a10e0da.png!small]
[Image: https://image.3001.net/images/20230106/1672991651_63b7d3a3b4feae7eddbc8.png!small]

  • Wait for the breakpoint to fire

Next, the function calls SetThreadContext() to apply the updated context to the thread, then enters a loop that waits for debug events with WaitForDebugEvent().

When a debug event arrives, the function checks whether it is an exception event whose ExceptionCode is EXCEPTION_SINGLE_STEP. If so, it retrieves the thread's current context with GetThreadContext() and checks whether the exception address matches the breakpoint address.

If the exception address matches, the function clears the Dr0, Dr6 and Dr7 registers and returns; this is what stops LdrLoadDll from loading any other DLL. Otherwise it re-arms the breakpoint and calls ContinueDebugEvent() with DBG_CONTINUE to resume execution. The loop continues until WaitForDebugEvent() returns 0, meaning there are no more debug events.

[Image: https://image.3001.net/images/20230106/1672991686_63b7d3c640fa8238484c2.png!small]

  • Load the memory and overwrite the hooks

Copy ntdll's memory into the target process and unhook any syscalls.

First obtain the addresses of NtReadVirtualMemory and VirtualProtect. Read the unhooked ntdll memory with NtReadVirtualMemory, then walk the section headers to find the virtual address of ntdll's .text section, change its protection to PAGE_EXECUTE_READWRITE, and copy the .text section of the freshly mapped buffer (freshNtdll) over the hooked copy of ntdll. This overwrites the hooks.

[Image: https://image.3001.net/images/20230106/1672991696_63b7d3d0b9572a3906287.png!small]
[Image: https://image.3001.net/images/20230106/1672991707_63b7d3db610dfba4c0ec7.png!small]

  • Clean up and restore

Restore the original memory protection and terminate the helper process that is no longer needed.

4 Combine other technologies to implement dump lsass

4.1 Combining with RPC

  • RPC principle

RPC stands for Remote Procedure Call. On Windows, RPC is designed as a powerful, robust, efficient and "secure" inter-process communication (IPC) mechanism that supports exchanging data and calling functions that reside in different processes.

The RPC technique uses RPC to make the lsass process load an SSP DLL, and that DLL then dumps lsass. An SSP (Security Support Provider) is a DLL that lets developers supply callback functions that are invoked during specific authentication and authorization events. By reproducing the call that AddSecurityPackage makes, RPC can be used to signal lsass to load our own SSP DLL, and the custom SSP DLL then dumps lsass memory.

The RPC technique therefore depends on one API function, AddSecurityPackage, whose main job is to send an RPC call to lsass asking it to load a new SSP DLL. The registration of an SSP through AddSecurityPackage is implemented in secur32.dll and sspicli.dll. Inside AddSecurityPackage the RPC call is made through the NdrClientCall3 function.

A detailed analysis of the real call sequence follows.

[Image: https://image.3001.net/images/20230106/1672991777_63b7d421aa5427450d96c.png!small]

The sub_1800141D0 function calls the sub_180004304 function.

[Image: https://image.3001.net/images/20230106/1672991786_63b7d42a2f6cb6a3a3d21.png!small]

The sub_180004304 function calls the sub_180006760 function.

[Image: https://image.3001.net/images/20230106/1672991794_63b7d432cf4cba4506144.png!small]

Finally, the sub_180006760 function calls NdrClientCall3; the parameters passed to NdrClientCall3 can be seen in the figure below.

[Image: https://image.3001.net/images/20230106/1672991807_63b7d43f5c57f7dc3bd62.png!small]

The following code constructs the SecurityPackage package.

[Image: https://image.3001.net/images/20230106/1672991861_63b7d4758b6ea92320420.png!small]

This code creates the RPC connection string and the RPC handle, which requires the specific endpoint used by the SSPI RPC server inside the LSASS process. That string is found in the exported function SspiSrvInitialize() of sspisrv.dll.

SspiSrvInitialize calls RpcServerUseProtseqEpW and RpcServerUseProtseqEp to tell the RPC runtime library to use the specified protocol sequence and endpoint combination for receiving remote procedure calls. As the figure below shows, the endpoint used by the SSPI RPC server in the LSASS process is lsasspirpc.

[Image: https://image.3001.net/images/20230106/1672991877_63b7d48555b68ef13371b.png!small]

[Image: https://image.3001.net/images/20230106/1672991889_63b7d4917d06d88f12d96.png!small]

The direct call to AddSecurityPackage is completed by calling the Proc0_SspirConnectRpc and Proc3_SspirCallRpc functions.

[Image: https://image.3001.net/images/20230106/1672991897_63b7d4999fd6e8bf05636.png!small]

Proc0_SspirConnectRpc and Proc3_SspirCallRpc are wrappers around NdrClientCall3, and NdrClientCall3 is the function that actually performs the RPC call.

[Image: https://image.3001.net/images/20230106/1672991918_63b7d4ae103961ebb713e.png!small]

The custom SSP DLL was tested with two different dump functions.

The first: the MiniDump function

[Image: https://image.3001.net/images/20230106/1672991931_63b7d4bbab6265f919c5f.png!small]

The second: the MiniDumpWriteDump function

[Image: https://image.3001.net/images/20230106/1672991943_63b7d4c74bd32f6ec875f.png!small]

  • Anti-virus evasion test

Huorong and 360 Security Guard were tested at their latest versions.

Huorong raised no alarm on either static scanning or dynamic execution.

[Image: https://image.3001.net/images/20230106/1672991951_63b7d4cfc2da627444348.png!small]

Huorong raised no alarm on static scanning, dynamic execution or cloud scanning.

[Image: https://image.3001.net/images/20230106/1672991960_63b7d4d88d02c7c51de83.png!small]

As a control, the RPC technique was run directly without Blindside; in that case it was intercepted and killed immediately.

[Image: https://image.3001.net/images/20230106/1672991968_63b7d4e0549fdae08d750.png!small]

5 Mitigations

5.1 The SetThreadContext function

Monitor use of the SetThreadContext function. To determine whether a hardware breakpoint is being abused, check whether the caller has written an address into the debug address registers (DR0 to DR3).

5.2 Detecting debugging functions

When a debugging function is in use, inspect the debug registers (DR0 to DR3) for suspicious values. The combination of debugging API usage with non-empty debug registers may indicate malicious behaviour.

Several behaviours must be correlated to decide whether Blindside is in use; maliciousness should not be judged from a single behaviour alone.
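To make the DR6/DR7 bit layout from section 2.1 and the register check from section 5 concrete, here is an added example (written for this page, not code from the original article): it decodes DR7 into per-slot enable/condition/length fields, decodes the DR6 status bits, and applies the section 5 rule of flagging an enabled execute breakpoint whose address falls inside a monitored code range such as ntdll's .text. The sample register values and the address range are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One DRx slot as encoded in DR7: Lx/Gx at bits 2i and 2i+1,
 * R/Wx at bits 16+4i..17+4i, LENx at bits 18+4i..19+4i. */
typedef struct {
    bool     local;   /* Lx: local enable */
    bool     global;  /* Gx: global enable */
    unsigned rw;      /* R/Wx: 00 execute, 01 write, 10 I/O, 11 read/write */
    unsigned len;     /* LENx: 00 1 byte, 01 2 bytes, 10 reserved, 11 4 bytes */
    uint64_t addr;    /* linear address held in DRx */
} bp_slot_t;

bp_slot_t decode_slot(uint64_t dr7, uint64_t drx, unsigned i) {
    bp_slot_t s;
    s.local  = (dr7 >> (2 * i)) & 1;
    s.global = (dr7 >> (2 * i + 1)) & 1;
    s.rw     = (unsigned)((dr7 >> (16 + 4 * i)) & 3);
    s.len    = (unsigned)((dr7 >> (18 + 4 * i)) & 3);
    s.addr   = drx;
    return s;
}

bool slot_enabled(const bp_slot_t *s) { return s->local || s->global; }

/* DR6 status: B0..B3 (bits 0..3) name the slot that fired;
 * BD, BS and BT are bits 13, 14 and 15. */
int dr6_fired_slot(uint64_t dr6) {
    for (int i = 0; i < 4; i++)
        if ((dr6 >> i) & 1) return i;
    return -1;                                   /* no Bx bit set */
}
bool dr6_single_step(uint64_t dr6) { return (dr6 >> 14) & 1; }   /* BS */
bool dr6_dr_access(uint64_t dr6)   { return (dr6 >> 13) & 1; }   /* BD */

/* Section 5 rule: count enabled execute breakpoints (R/Wx == 00) whose
 * address lies in a monitored code range. A context handed to
 * SetThreadContext that scores > 0 deserves an alert; a hit on
 * LdrLoadDll inside ntdll is the Blindside pattern. */
int count_suspicious_bps(uint64_t dr7, const uint64_t dr[4],
                         uint64_t region_lo, uint64_t region_hi) {
    int n = 0;
    for (unsigned i = 0; i < 4; i++) {
        bp_slot_t s = decode_slot(dr7, dr[i], i);
        if (!slot_enabled(&s) || s.rw != 0) continue;
        if (s.addr >= region_lo && s.addr < region_hi) n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample, not a real capture: DR7 = 0x1 enables slot 0
     * locally as an execute breakpoint (R/W0 = 00, LEN0 = 00); DR0 points
     * into a made-up ntdll .text range [0x7ffd12340000, 0x7ffd12350000). */
    uint64_t dr[4] = { 0x7ffd12345678ULL, 0, 0, 0 };
    uint64_t dr7 = 0x1ULL, dr6 = 0x4001ULL;      /* B0 + BS: slot 0 fired */
    int hits = count_suspicious_bps(dr7, dr, 0x7ffd12340000ULL, 0x7ffd12350000ULL);
    printf("suspicious execute breakpoints: %d\n", hits);
    printf("DR6: slot %d fired, single-step=%d\n", dr6_fired_slot(dr6), dr6_single_step(dr6));
    return 0;
}
```

In a real sensor the four addresses and DR7 come from the CONTEXT passed to SetThreadContext, and the monitored range from the ntdll section headers of the target process.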

6 Simulated attack library update

The Cysen Security Measurement Verification Platform has added this technique to its simulated attack library. Search for "Blindside" in the platform to find the corresponding attack simulation and verify whether your security defences can effectively handle this attack method.
