How to Ruin Your Weekend: Building a DIY EDR We’ve all been there. A simple question pops into your head. “I wonder how that works?” Before you know it, your browser has 50 tabs open, your …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

A detailed walkthrough of building a custom Endpoint Detection and Response (EDR) system called 'RottenTomato' from scratch. The project demonstrates kernel driver development, process monitoring through Windows callbacks, static analysis of executables, and DLL injection techniques for runtime monitoring. The implementation includes a kernel driver that intercepts process creation events, a static analyzer that examines binaries for suspicious characteristics, and a remote injector that performs user-space hooking to detect malicious memory allocations.

How to Ruin Your Weekend: Building a DIY EDR

I. Entering the VIP Section: Kernel Space

II. The Old “Hacky” Way: Messing with the SSDT

III. The New “Official” Way: Kernel Callbacks

IV. Let’s Get Our Hands Dirty: The Setup

VI. Implementing Callbacks: The EDR’s Eyes and Ears

Get Itz.sanskarr’s stories in your inbox