Detect EDR's exceptions by inspecting processes' loaded modules

Overview

Description

This tool looks for either the processes that have a certain binary loaded or the processes that don't. This is useful in the following scenarios:

  • It allows detecting processes where a specific EDR/AV DLL is not loaded, which can reveal the EDR's exceptions (exclusions).
  • It allows obtaining the PID of a specific process with minimal cross-process activity (e.g. looking for processes with c:\windows\system32\lsass.exe loaded will give us Lsass' PID).
  • It allows obtaining the PID of a service or an RPC/COM server without iterating over each running svchost process.

You may find other valuable ways to use this tool. These results are obtained without iterating over all the processes in the system and with reduced noise.

The tool obtains all the processes where a certain binary is loaded by calling NtQueryInformationFile with the FileProcessIdsUsingFileInformation information class. Then, and only if required, EnumProcesses is called to obtain the PIDs of all processes, and finally both lists are compared to produce the final PID list. If the tool is not running in quiet mode, the final PIDs are translated into each process's main module fully qualified path.

If you want to reduce the cross-process activity, use the quiet mode (--quiet or -q). In this case no process handle is opened, but the tool only retrieves the PIDs, not the fully qualified paths.

The tool is fully compatible with Win10 and later and Windows Server 2016 and later. For older OS versions, the call to OpenProcess (line src::main.rs:108) requires PROCESS_QUERY_INFORMATION and PROCESS_VM_READ instead of just PROCESS_QUERY_LIMITED_INFORMATION (or you can just stick to the quiet mode, which doesn't open any process handle).

Compilation

Since the LITCRYPT crate is used to obfuscate string literals, the environment variable LITCRYPT_ENCRYPT_KEY must be set before compiling the code:

C:\Users\User\Desktop\bin_finder\bin_finder> set LITCRYPT_ENCRYPT_KEY="yoursupersecretkey"

After that, simply compile the code and execute the tool:

C:\Users\User\Desktop\Bin-Finder> cargo build --release
C:\Users\User\Desktop\Bin-Finder\target\release> bin_finder.exe -h

Usage

Bin-finder has two different usage modes. The default mode looks for all the processes that do not have the specified binary loaded. For example, we can search for all the processes that do not have the CrowdStrike DLL loaded:

All processes without CS.

This is useful when you are looking for directories/processes that are on the EDR's exception list.

To reduce the cross-process activity, use the quiet mode to retrieve only the PIDs:

All processes without CS.

Also, if you don't know the name or the path of the DLL that you are looking for, you can try listing the modules loaded in a regular process using the flag -l or --list (this is also useful to spot whether or not there is an EDR in place):

List modules.

The second usage mode is the reverse lookup (flags -r or --reverse), which looks for all the processes that currently have the specified binary loaded. For example, maybe you are interested in getting the PID of the process that is running the StorSvc service. In that case, just make a reverse lookup for the DLL that implements the RPC server used by that service:

Reverse lookup.

This reverse lookup can also be used to directly obtain a process' PID by specifying its main module's full path (usually an .exe file) without the need to iterate over all processes in the system. This is how you would obtain the PIDs of all running chrome.exe processes:

Exe reverse lookup.
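The same two lookups (the default "not loaded" mode described in the Overview and this reverse lookup), done from a defender's side to audit sensor coverage, as an added example that is not part of Bin-Finder: it uses the Modules property of System.Diagnostics.Process, which opens a handle to every process, rather than the NtQueryInformationFile/FileProcessIdsUsingFileInformation path the tool uses, so it is noisier but needs no native code. The sensor DLL name edr_sensor.dll is a constructed placeholder; the lsass.exe path comes from the Overview.

```powershell
# Added example (not Bin-Finder's code): report, for every process, whether a
# given binary is loaded. Uses Process.Modules, which needs a handle per process,
# instead of the tool's NtQueryInformationFile approach.
function Get-ModuleLoadState {
    [CmdletBinding()]
    param(
        # A module file name (e.g. 'edr_sensor.dll', a placeholder) or a full
        # path (e.g. 'C:\Windows\System32\lsass.exe'); paths match on FileName.
        [Parameter(Mandatory)]
        [string] $Module
    )

    $byPath = $Module -match '[\\/]'

    foreach ($p in Get-Process) {
        $loaded = $null      # $null means "could not inspect this process"
        $note   = ''
        $path   = $null
        try { $path = $p.Path } catch { }

        try {
            # Throws for protected processes (PPL), System/Idle, or processes of
            # the other bitness without rights. These must be reported, not
            # silently counted as "module not loaded".
            $mods = @($p.Modules)
            if ($byPath) {
                $loaded = [bool]($mods | Where-Object { $_.FileName -ieq $Module })
            } else {
                $loaded = [bool]($mods | Where-Object { $_.ModuleName -ieq $Module })
            }
        } catch {
            $note = 'modules unavailable: ' + $_.Exception.Message
        }

        [pscustomobject]@{
            ProcessId = $p.Id
            Name      = $p.ProcessName
            Path      = $path
            Loaded    = $loaded
            Note      = $note
        }
    }
}

# Default mode: processes WITHOUT the sensor DLL. Each hit is a coverage gap
# that needs an explanation (exclusion, PPL, sensor not yet injected, ...).
# 'edr_sensor.dll' is a constructed placeholder for the real sensor DLL name.
$state = Get-ModuleLoadState -Module 'edr_sensor.dll'
$state | Where-Object { $_.Loaded -eq $false } |
    Format-Table ProcessId, Name, Path -AutoSize

# Processes that could not be inspected at all; reconcile these against the
# EDR console instead of treating them as exclusions.
$state | Where-Object { $null -eq $_.Loaded } |
    Format-Table ProcessId, Name, Note -AutoSize

# Reverse lookup (the tool's -r): the process whose main module is lsass.exe.
Get-ModuleLoadState -Module 'C:\Windows\System32\lsass.exe' |
    Where-Object { $_.Loaded } |
    Select-Object ProcessId, Name
```

Run it from an elevated prompt so that as many processes as possible can be opened. Protected processes (for example lsass.exe with RunAsPPL enabled) still end up in the "unavailable" list; that blind spot, and the handle churn that an EDR may itself record, is precisely the cross-process activity the tool's quiet mode avoids by asking the file object for its users instead of opening each process.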

Credits

Comments

  • quality of life changes

    @Kudaes

    Mainly focused around:

    • cargo fmt
    • Clippy
    • Fixing warnings around struct definitions
    • General patterns like lifting return out of match statements

    This PR is (maybe) a precursor to removing the winapi dependency and completely shifting to windows-rs.

    opened by sn99 0

Owner
Kurosh Dabbagh Escalante
nt authority\kurosh