Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR in the Evolving Cyber Threat Landscape
Cyber attackers and malware authors constantly adapt their tactics to bypass XDR (Extended Detection and Response) and EDR (Endpoint Detection and Response) solutions, aiming to achieve their malicious objectives. This dynamic landscape of cyber threats extends beyond commodity malware and ransomware, with targeted attacks focusing on specific individuals, organizations, or industries.
This discussion centers on techniques that exploit “Vectored Exception Handling” mechanisms, which have become prevalent among malicious actors and Red teaming and Post Exploitation tools. These techniques allow forceful jumps to inject malicious code, discreetly bypass security products functions, like circumventing hooks and Windows’ AMSI security feature.
By selectively evading EDR monitoring capabilities, this approach not only evades traditional security measures but also poses challenges for cybersecurity researcher and professionals conducting in-depth analysis. When exceptions occur in a program, they are typically handled by catch blocks, managed internally by the Structured Exception Handler (SEH). Starting with Windows XP, Microsoft introduced Vectored Exception Handlers (VEH): an unframed exception handler mechanism enabling developers to override SEH at a higher level in their code. Due to the priority in exception handling, researchers and malicious actors have found ways to exploit VEH to alter command flow, bypass monitoring, and execute malicious code.
In this presentation, we will explore Exception Handling internals and the functions executed to handle User Space Exceptions. We will also delve into Vectored Exception Handling Abuse and its effectiveness in bypassing EDR. We will Demo a bypass for AMSI mechanism, by crafting multiple VEH, in a technique we call VEH2. Additionally, we will discuss other potential uses of VEH code and provide insights into the detection of this bypass technique.
Mr. Donato Onofri
Donato Onofri is a seasoned Red Team Engineer. With over a decade of experience, his activities include Reverse Engineering, Red Team, Threat Research and Penetration Testing.
Passionate about both the Offensive and Defensive sides of Cyber Security, Donato has worked with industry leaders like CrowdStrike and Hewlett-Packard Enterprise and as an advisor and engineer for Governments and Financial institutions. His research delves into state-of-the-art security techniques, malware analysis, and internals. Holder of GREM, GXPN, OSCP, OSCE, and OSWE certifications, his expertise is underscored by multiple recognitions for vulnerability discovery.
He is also the co-author of the book “Attacking and Exploiting Modern Web Applications“.
Mr. Sarang Popat Sonawane
Sarang Sonawane currently holds the role of Security Researcher within Crowdstrike’s Malware Research Team, he boasts an 7+ years of experience with a primary focus on reverse engineering. His significant contributions to the field can be observed through his few published blogs, available on Crowdstrike’s official website, where he shares insights and findings related to emerging malware threats. In recognition of his expertise, he has also presented poster at the AVAR 2022 Conference held in Singapore. Beyond his dedication to cybersecurity, he thrives on intellectual challenges and is an accomplished participant in Capture The Flag (CTF) competitions, including his successful completion of the Flare-On 9 challenge in the previous year. Outside of his malware analysis pursuits, Sarang passionately engages in cricket matches and eagerly ventures out on explorations to uncover new destinations.