Abusing exception handlers to hook and bypass user mode EDR hooks.

MalwareTech

Marcus Hutchins explores two novel techniques to bypass EDR (Endpoint Detection and Response) user-mode hooks without triggering callstack-based detections. The first method uses hardware breakpoints placed on the syscall and return instructions of hooked Nt functions, allowing an exception handler to swap benign parameters for malicious ones after the EDR has already inspected them. The second method intentionally passes an invalid memory address to trigger a CPU exception inside the EDR's hook handler, then uses an exception handler to fix the stack and redirect the EDR's pointer inspection to a fake empty context structure. Both techniques are demonstrated against Sophos Intercept X's process hollowing detection, with a working proof-of-concept published on GitHub.

Silly EDR Bypasses and Where To Find Them