Driver

Sensecon 23: from Windows drivers to an almost fully working EDR

31 January 2024 ~39 min By Aurelien Chalot

Callbacks Driver Edr Hooking Kernel Rootkit Shellcodes Ssdt Winapi Windows Rootkits Shellcode

TL;DR I wanted to better understand EDR’s so I built a dummy EDR and talk about it here. EDR (Endpoint Detection and Response) is a kind of security product that aims to detect abnormal activities being executed on a computer or a server. When looking for resources about how EDR’s work, I realised that, even if there is a lot of literature available about EDR’s, there aren’t many articles explaining how an EDR’s is architected and how the different components of a EDR are orchestrated. This article aims to demystify how EDR’s work while building a custom one that will implement a few techniques used by real EDR’s.

Callbacks
Driver
Edr
Hooking
Kernel
Rootkit
Shellcodes
Ssdt
Winapi
Windows
Rootkits
Shellcode

Page 1 of 1