A running application can be hooked by an EDR. So it can validate the actions performed. Most of the time this happens on the ntdll.dll or kernel32.dll. If it detects something fishy, it can try and stop those unwanted activities. Before real damage can take place.
One method to limit the EDR’s possibility to hook the process is by only allowing DLLs that are signed by Microsoft. This can be accomplished by setting a mitigation on the executable. Per default all applications have two mitigations in place: DEP and ASLR as can be seen when running the old NativeApiWithEvasion executable from my previous blogs.
In short: vData Execution Prevention (DEP) is a security feature that helps prevent code execution from certain non-executable memory regions. It works by marking specified areas of memory as non-executable, thereby making it more difficult for an attacker to execute their malicious code from these regions.
Address Space Layout Randomization (ASLR) is a security technique that involves randomly arranging the positions of key data areas, such as the base of the executable and the positions of the stack, heap, and libraries in a process’s address space. This randomization makes it harder for attackers to predict the memory layout, reducing the likelihood of successful exploitation of memory-related vulnerabilities.
Interestingly it misses the SEHOP protection. From Microsoft:
Structured Exception Handling Overwrite Protection (SEHOP) is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they’ve been compiled with the latest improvements. For more information, see Structured Exception Handling Overwrite Protection.
However, with the use of the _PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY structure, we can define some policy settings for loading of images depending on the signatures for the image.
Looking at the structure. It looks like we can have 3 real mitigation options
struct {
DWORD MicrosoftSignedOnly : 1;
DWORD…