Updated on 2 Nov 2021 with new SentinelOne version 220.127.116.112
A very small post about a little experiment I did in my lab.
I used the nice and interesting code of Asaurusrex ( https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker ), a C++ tool that shows you all the functions hooked by your EDR.
Then I modified it a little bit so that it can also load a DLL.
Here are my results under SentinelOne, which uses userland hooking.
Test 1: 42 functions are hooked in ntdll.dll by SentinelOne (49 are reported, but 7 of them are flagged even though they are not hooked; see the README of Hook_Checker).
Test 2: all functions in ntdll.dll have been unhooked by loading the disposable Shellycoat DLL! Nice 🙂
I was wondering why, with some EDRs like Cortex XDR and enSilo (FortiEDR), we couldn't see the hooks.
The answer is simple: the hooks are kernel based. A userland hook checker only inspects the ntdll image mapped into the current process, and a hook implemented in the kernel (driver callbacks instead of patched exports) does not modify that image, so there is nothing for the checker to find and nothing for an unhooker to restore.
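To make Test 1, Test 2 and the kernel-hook explanation concrete, here is an added example written for this post; it is not code from Probatorum, Shellycoat or any EDR vendor. It implements the two checks a userland hook checker can apply to an ntdll export (a prologue heuristic that looks for a trampoline, and a byte comparison against a clean on-disk copy) and the restore step an unhooker performs, over constructed bytes so it compiles and runs on any platform. NtOpenProcess and NtReadVirtualMemory are real ntdll export names; NtLegitJmpExample is hypothetical, and all prologue bytes, syscall numbers and jump targets are invented for the illustration.

```c
/* Added example, not Probatorum, Shellycoat or vendor code: the two userland checks a hook
 * checker can run on an ntdll export and the restore step an unhooker performs, on constructed
 * bytes. A real tool reads the bytes from the live ntdll and from a clean copy mapped from disk. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define PROLOGUE_LEN 8    /* bytes compared per export: covers mov r10,rcx ; mov eax,SSN */

enum hook_verdict {
    HOOK_CLEAN_STUB = 0,   /* 4C 8B D1 B8 ..: the x64 syscall stub as shipped in ntdll */
    HOOK_JMP_REL32,        /* E9 rel32: classic 5-byte inline trampoline               */
    HOOK_JMP_RIP_INDIRECT, /* FF 25 disp32: jmp qword ptr [rip+disp32]                 */
    HOOK_UNKNOWN           /* neither a syscall stub nor a known trampoline shape       */
};

/* Check 1: prologue heuristic. Fast, but it also flags exports that legitimately
 * start with a jmp: the false positives the post mentions in Test 1. */
enum hook_verdict classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_RIP_INDIRECT;
    if (n >= 4 && p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1 && p[3] == 0xB8)
        return HOOK_CLEAN_STUB;
    return HOOK_UNKNOWN;
}

/* Check 2: compare the in-memory export with the same export in a clean ntdll read
 * from disk. Returns the offset of the first differing byte, or n if they agree. */
size_t first_divergence(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    size_t i = 0;
    while (i < n && mem[i] == disk[i]) i++;
    return i;
}

/* Per-export restore step of a Shellycoat-style unhooker: copy the clean bytes over the
 * hooked ones (a real tool makes the page writable first). Returns bytes changed. */
size_t restore_prologue(uint8_t *mem, const uint8_t *disk, size_t n)
{
    size_t i, fixed = 0;
    for (i = 0; i < n; i++)
        if (mem[i] != disk[i]) { mem[i] = disk[i]; fixed++; }
    return fixed;
}

struct export_sample {
    const char *name;
    uint8_t mem[PROLOGUE_LEN];   /* constructed: bytes as seen in the live process */
    uint8_t disk[PROLOGUE_LEN];  /* constructed: bytes from the clean on-disk copy */
};

/* Constructed samples; SSNs, jump offsets and padding are invented. */
static struct export_sample samples[] = {
    /* hooked: the EDR replaced the stub with a jmp rel32 into its own DLL */
    { "NtOpenProcess",       { 0xE9,0x11,0x22,0x33,0x44,0x90,0x90,0x90 }, { 0x4C,0x8B,0xD1,0xB8,0x26,0x00,0x00,0x00 } },
    /* not hooked: memory and disk agree */
    { "NtReadVirtualMemory", { 0x4C,0x8B,0xD1,0xB8,0x3F,0x00,0x00,0x00 }, { 0x4C,0x8B,0xD1,0xB8,0x3F,0x00,0x00,0x00 } },
    /* hypothetical export that legitimately begins with a jmp on disk too: check 1 flags it, check 2 clears it */
    { "NtLegitJmpExample",   { 0xE9,0x10,0x00,0x00,0x00,0xCC,0xCC,0xCC }, { 0xE9,0x10,0x00,0x00,0x00,0xCC,0xCC,0xCC } },
};
#define SAMPLE_COUNT (sizeof(samples) / sizeof(samples[0]))

struct scan_result {
    size_t flagged_by_prologue;  /* what a prologue-only checker reports */
    size_t flagged_by_disk;      /* what a memory-vs-disk checker reports */
};

/* Run both checks over every export. A kernel-mode hook (the post's Cortex XDR and FortiEDR
 * case) changes none of these bytes: both counts stay zero and there is nothing to restore. */
struct scan_result scan_exports(const struct export_sample *tbl, size_t count)
{
    struct scan_result r = { 0, 0 };
    size_t i;
    for (i = 0; i < count; i++) {
        enum hook_verdict v = classify_prologue(tbl[i].mem, PROLOGUE_LEN);
        if (v != HOOK_CLEAN_STUB && v != HOOK_UNKNOWN) r.flagged_by_prologue++;
        if (first_divergence(tbl[i].mem, tbl[i].disk, PROLOGUE_LEN) < PROLOGUE_LEN) r.flagged_by_disk++;
    }
    return r;
}

/* Restore every export from its clean copy; returns the total bytes rewritten. */
size_t unhook_all(struct export_sample *tbl, size_t count)
{
    size_t i, total = 0;
    for (i = 0; i < count; i++) total += restore_prologue(tbl[i].mem, tbl[i].disk, PROLOGUE_LEN);
    return total;
}

int main(void)
{
    struct scan_result before = scan_exports(samples, SAMPLE_COUNT);
    printf("prologue check: %zu flagged, disk check: %zu flagged\n", before.flagged_by_prologue, before.flagged_by_disk);
    printf("restored %zu bytes\n", unhook_all(samples, SAMPLE_COUNT));
    printf("after unhooking, disk check: %zu flagged\n", scan_exports(samples, SAMPLE_COUNT).flagged_by_disk);
    return 0;
}
```

On the constructed samples the prologue heuristic reports two hooked exports while the disk comparison reports one: an export that legitimately begins with a jmp is one kind of false positive a prologue-only check produces, which is why Test 1 separates the 49 flagged functions from the 42 actually hooked. After unhook_all() the disk comparison reports zero, which is what Test 2 shows. With a kernel-mode hook the in-process bytes equal the on-disk bytes from the start, so both checks stay silent and there is nothing to unhook.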
Thanks to @MrUn1k0d3r, who kindly answered some of my questions and published the hooks of Cortex XDR here: https://github.com/Mr-Un1k0d3r/EDRs/blob/main/cortex.txt
So why is unhooking sometimes not enough?
If the theory were complete, once my executable has unhooked SentinelOne in userland I should be able to run procdump or any other LSASS dumper.
Why does it fail?
Next Article here <=
https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker by Asaurusrex, shared by netbiosX
My modified version is here: https://github.com/k4nfr3/Probatorum-EDR-Userland-Hook-Checker/
You can also use hook_finder from Mr-Un1k0d3r: https://github.com/Mr-Un1k0d3r/EDRs