Exploring Antivirus and EDR evasion techniques step-by-step. Part 1
2023-10-30 02:59:4 Author: infosecwriteups.com

bob van der staak

InfoSec Write-ups

My learnings on how the different steps in EDR and Antivirus techniques are used in the field.

In this series, I will explore the techniques used in the field to bypass antivirus and EDR systems. I am new to this field, and the best way to start is to read, implement, and understand the subject instead of jumping straight to the advanced techniques. I like to start at the beginning and take you with me in exploring the techniques currently used in the field. Therefore we will start with the Windows (native) APIs. Specifically, this blog will go into depth on three items:

  • Step 1: Introduction to system calls: what they are used for, and what user mode and kernel mode are.
  • Step 2: High-level APIs -> how shellcode can be executed by making use of Windows APIs.
  • Step 3: Medium-level APIs -> how shellcode can be executed by making use of Windows native APIs.

Note that the following items will be detected by almost all EDRs. This series hopefully gives a better insight into the basics and the foundation of Windows. In the next chapters, we will dig deeper and deeper into the subject. In the end, I see it as a possibility to share my experience and “research” with the community and create some useful documentation for myself that I can reference in the future.

Before we can explain how antivirus and EDRs could be evaded by making use of system calls, it is good to understand what a system call is.

In one sentence:

A system call is a programmatic instruction that allows a temporary transition from user mode to kernel mode.

Before we delve deeper, I think it is important to take a step back even further and understand what user mode and kernel mode mean.

But what are user mode and kernel mode, then?

A processor in a computer running Windows has two different modes: user mode and kernel mode.

The processor switches between the two modes depending on what type of code is running on the processor. Applications run in user mode, and core operating system components run in kernel mode. While many drivers run in kernel mode, some drivers may run in user mode.


Article source: https://infosecwriteups.com/exploring-antivirus-and-edr-evasion-techniques-step-by-step-part-1-6459563b12ea?source=rss----7b722bfd1b8d---4