
Edr Bypass Re
Quick reference to the major EDR/AV user-mode and kernel monitoring surfaces, for use during authorized adversary simulation or product self-tests.
Overview
edr-bypass-re is an agent skill for the Ship phase that summarizes mainstream EDR and AV hook and callback surfaces for authorized red-team reconnaissance.
Install
npx skills add https://github.com/zhaoxuya520/reverse-skill --skill edr-bypass-re
What is this skill?
- Vendor matrix covering CrowdStrike, MDE, SentinelOne, Elastic Defend, ESET, Sophos, Kaspersky, Trend Micro, and Carbon Black
- Documents user-mode components, kernel drivers, and primary monitoring planes (ETW-TI, AMSI, ntdll hooks, callbacks)
- Includes PowerShell EDR fingerprint script patterns for rapid environment identification
- Explicitly scoped to authorized red team, purple team, and owned-product testing only
- 9+ named EDR/AV vendor rows in the monitoring matrix
Adoption & trust: 1 install on skills.sh; 1.3k GitHub stars; trending (+100% hot-view momentum).
What problem does it solve?
You are on an approved exercise and need a fast map of which EDR hooks which syscalls and which drivers it loads, without opening a dozen vendor docs.
Who is it for?
Authorized red-team or purple-team engineers and security researchers validating detection coverage on systems you own or have written permission to test.
Skip if: Unauthorized targets, indie builders with no security practice, or anyone expecting a turnkey bypass tool instead of a reference sheet.
When should I use this skill?
User needs EDR hook/monitoring orientation during authorized security research or product hardening discussions.
What do I get? / Deliverables
You get a vendor-by-vendor monitoring fingerprint table and scripting cues so the next step can target the right layer (user hook vs kernel callback vs ETW).
- Vendor-to-hook mapping context for agent answers
- Fingerprint script patterns referenced in the skill doc
How it compares
Reference recon notes for EDR surfaces—not a substitute for formal threat modeling or vendor-supported security configuration guides.
Common Questions / FAQ
Who is edr-bypass-re for?
Security practitioners doing authorized adversary simulation, internal purple-team drills, or testing how your own agent or loader interacts with commercial EDR.
When should I use edr-bypass-re?
During Ship security work when scoping detection assumptions, before deep RE on a target EDR stack, or when writing test plans that must account for AMSI, ETW-TI, or ntdll inline hooks.
Is edr-bypass-re safe to install?
It is sensitive security content—confirm your legal authorization, review the Security Audits panel on this Prism page, and do not point agents at systems you do not own.
SKILL.md - Edr Bypass Re
# EDR Hook Research Quick Reference

> Authorized red team / adversary emulation / testing of your own products only; use against unauthorized targets is prohibited.

This document summarizes the user-mode and kernel-mode monitoring points of mainstream EDR / AV products so that the red-team reconnaissance phase can quickly locate "what needs handling".

## 1. Mainstream EDR fingerprints and hook patterns

| Vendor / Product | User-mode components | Kernel drivers | Primary monitoring surface |
|------------------|----------------------|----------------|----------------------------|
| CrowdStrike Falcon | `CSFalconService.exe`; `CSAgent.sys` injects into target processes | `CSAgent.sys`, `CSBoot.sys` | Heavy on kernel callbacks + ETW-TI; few user-mode hooks (cloud lookup) |
| Microsoft Defender for Endpoint (MDE) | `MsMpEng.exe`, `MpClient.dll` | `WdFilter.sys`, `WdBoot.sys`, `WdNisDrv.sys` | AMSI + ETW-TI + ntdll inline hooks + kernel callbacks, across the board |
| SentinelOne | `SentinelAgent.exe`, `SentinelHelperService.exe` | `SentinelMonitor.sys`, `SentinelDeviceControl.sys` | Heavy user-mode ntdll hooks + kernel callbacks + its own ETW provider |
| Elastic Defend (formerly Endpoint Security) | `elastic-endpoint.exe` | `elastic-endpoint-driver.sys` | Mostly ETW + a few ntdll hooks, with Elastic Agent uploading telemetry |
| ESET | `ekrn.exe`, `eamsi.dll` | `eamonm.sys`, `epfwwfp.sys` | Very many user-mode hooks (NtCreateFile / NtOpenProcess etc.) |
| Sophos Intercept X | `SophosFileScanner.exe`, `SophosNtpService.exe` | `SophosED.sys`, `hmpalert.sys` | ntdll hooks + HMPA memory protection + kernel callbacks |
| Kaspersky | `avp.exe`, `klif.sys` | `klif.sys`, `klhk.sys` | Heavy user-mode hooks + KLIF's own minifilter + network filter driver |
| Trend Micro Apex One | `TmListen.exe`, `TmCCSF.dll` | `tmcomm.sys`, `tmactmon.sys` | User-mode hooks + behavior-monitoring driver |
| Carbon Black | `RepMgr.exe`, `RepWAV.exe` | `ParityDriver.sys` | Leans on kernel callbacks + ETW |

### Quick fingerprint script

```powershell
# Process-name prefixes that identify each vendor's user-mode agent
$edrSigs = @{
    'CSAgent'           = 'CrowdStrike Falcon'
    'SentinelAgent'     = 'SentinelOne'
    'elastic-endpoint'  = 'Elastic Defend'
    'ekrn'              = 'ESET'
    'MsMpEng'           = 'Microsoft Defender'
    'SophosFileScanner' = 'Sophos Intercept X'
    'avp'               = 'Kaspersky'
    'TmListen'          = 'Trend Micro Apex One'
    'cb'                = 'Carbon Black'
}

# Anchor the match at the start of the process name so that short keys such as
# 'cb' or 'avp' do not fire on unrelated processes that merely contain those letters
Get-Process | ForEach-Object {
    foreach ($k in $edrSigs.Keys) {
        if ($_.ProcessName -match "^$k") {
            "[+] $($edrSigs[$k]) detected: $($_.ProcessName) (PID $($_.Id))"
        }
    }
}

# Driver files on disk belonging to the vendors in the table above
Get-ChildItem 'C:\Windows\System32\drivers\*.sys' |
    Where-Object { $_.Name -match 'CSAgent|Sentinel|elastic|eam|WdFilter|Sophos|klif|tmcomm|Parity' } |
    Select-Object Name, VersionInfo
```

## 2. Key user-mode ntdll hook functions

`ntdll.dll` exports that EDRs almost certainly hook (grouped by ATT&CK behavior):

| Function | Monitored behavior | ATT&CK |
|----------|--------------------|--------|
| `NtCreateThreadEx` | Remote thread injection, QueueUserAPC injection | T1055.002 / T1055.004 |
| `NtAllocateVirtualMemory` | Shellcode requesting RWX memory | T1055 |
| `NtAllocateVirtualMemoryEx` | Cross-process memory allocation (new API on Win10+) | T1055 |
| `NtProtectVirtualMemory` | Changing page permissions RW→RX | T1055 |
| `NtWriteVirtualMemory` | Writing shellcode into another process | T1055.012 |
| `NtMapViewOfSection` | Section-based injection (Process Doppelgänging / Ghosting) | T1055.013 |
| `NtCreateSection` | Used together with MapViewOfSection | T1055.013 |
| `NtOpenProcess` | Opening the target process to obtain a handle | T1057 |
| `NtQueueApcThread` / `NtQueueApcThreadEx` | APC injection | T1055.004 |
| `NtCreateProcess` / `NtCreateProcessEx` / `NtCreateUserProcess` | Creating child processes (including PPID spoofing) | T1106 |
| `NtSetContextThread` | Modifying thread context (thread-hijacking injection) | T1055.003 |
| `NtResumeThread` | Resuming the thread after injection | T1055 |
| `NtQuerySystemInformation` | Enumerating processes / drivers / handles | T1057 / T1082 |
| `NtAdjustPrivilegesToken` | Privilege escalation, obtaining SeDebugPrivilege etc. | T1134 |
| `NtLoadDriver` | Loading a kernel driver (BYOVD) | T1543.003 |

### Verifying whether a hook is present

```powershell
# Simple approach: diff the disassembly of the on-disk ntdll against the ntdll
# mapped in a running process
# 1. Grab the on-disk ntdll
New-Item -ItemType Directory -Force -Path C:\temp | Out-Null
Copy-Item C:\Windows\System32\ntdll.dll C:\temp\ntdll_clean.dll
# 2. In WinDbg, attach to any process and dump the .text section of the live ntdll
#    .writemem c:\temp\ntdll_live.bin ntdll!.text L?<size>
# 3. Disassemble NtAllocateVirtualMemory in IDA / radare2; normally it should read:
#    mov r10, rcx
#    mov eax, <SSN>
#    test byte ptr [...]
#    jne ...
#    syscall
#    ret
# If the first instruction has become jmp <some address>, that is the hook
```

## 3. Kernel callback monitoring points

Common kernel callbacks registered by EDRs (all of them can be unregistered via the BYOVD route in `attack-chain`, but at a high cost):

| API | When the callback fires | Defensive use |
|-----|-------------------------|---------------|
| `PsSetCreateProcessNotifyRoutineEx` | Process creation / exit | Intercept suspicious child processes |
| `PsSetCreateThreadNotifyRoutine` | Thread creation / exit | Detect
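The following is an added example, not code from the skill document or the reverse-skill project. It turns two of the checks above into one script a blue or purple team can run on a host they own: first, whether a kernel sensor from the section 1 vendor matrix is actually loaded and running (a file in the drivers folder says nothing about load state), and second, whether the entry of each `ntdll.dll` export listed in section 2 still carries the clean stub prologue from the verification notes or has been patched with a `jmp`. It assumes a 64-bit Windows 10+ host and 64-bit PowerShell; the `EdrCheck.Native` P/Invoke wrapper is this example's own construction, and the driver-name fragments and function list are taken from the tables above.

```powershell
# Added example: sensor load-state check plus ntdll entry-prologue check.
# Read-only throughout; nothing here modifies process memory or the sensor.

# --- Check 1: is the kernel sensor loaded and running, not merely on disk? ---
# Driver-name fragments from the vendor matrix in section 1.
$edrDrivers = @{
    'CSAgent'                 = 'CrowdStrike Falcon'
    'WdFilter'                = 'Microsoft Defender for Endpoint'
    'SentinelMonitor'         = 'SentinelOne'
    'elastic-endpoint-driver' = 'Elastic Defend'
    'eamonm'                  = 'ESET'
    'SophosED'                = 'Sophos Intercept X'
    'klif'                    = 'Kaspersky'
    'tmcomm'                  = 'Trend Micro Apex One'
    'ParityDriver'            = 'Carbon Black'
}
# Win32_SystemDriver exposes load state; Get-ChildItem on the drivers folder cannot.
$running = Get-CimInstance Win32_SystemDriver -Filter "State='Running'"
$loadedSensors = foreach ($drv in $running) {
    foreach ($k in $edrDrivers.Keys) {
        if ($drv.Name -match "^$k") {
            [PSCustomObject]@{ Vendor = $edrDrivers[$k]; Driver = $drv.Name; Path = $drv.PathName }
        }
    }
}
if ($loadedSensors) { $loadedSensors | Format-Table -AutoSize }
else { Write-Warning 'No kernel driver from the vendor matrix is currently loaded.' }

# --- Check 2: is the entry of each section-2 export still the clean stub? ---
# A clean x64 Nt* stub begins: mov r10, rcx (4C 8B D1) ; mov eax, <SSN> (B8 ..).
# An inline hook usually overwrites that first instruction with jmp rel32 (E9 ..).
if (-not [Environment]::Is64BitProcess) {
    throw 'Run this from 64-bit PowerShell; WoW64 stubs have a different prologue.'
}
# Hypothetical wrapper type defined by this example (not part of the skill).
Add-Type -Namespace EdrCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
# Function list from the section 2 table.
$functions = @(
    'NtCreateThreadEx', 'NtAllocateVirtualMemory', 'NtAllocateVirtualMemoryEx',
    'NtProtectVirtualMemory', 'NtWriteVirtualMemory', 'NtMapViewOfSection',
    'NtCreateSection', 'NtOpenProcess', 'NtQueueApcThread', 'NtQueueApcThreadEx',
    'NtCreateProcess', 'NtCreateProcessEx', 'NtCreateUserProcess',
    'NtSetContextThread', 'NtResumeThread', 'NtQuerySystemInformation',
    'NtAdjustPrivilegesToken', 'NtLoadDriver'
)
$ntdll = [EdrCheck.Native]::GetModuleHandle('ntdll.dll')
$results = foreach ($fn in $functions) {
    $addr = [EdrCheck.Native]::GetProcAddress($ntdll, $fn)
    if ($addr -eq [IntPtr]::Zero) {
        [PSCustomObject]@{ Function = $fn; Prologue = '-'; Verdict = 'not exported on this build' }
        continue
    }
    # Read the first 8 bytes of the stub in this process (read only, never written back).
    $bytes = New-Object byte[] 8
    [System.Runtime.InteropServices.Marshal]::Copy($addr, $bytes, 0, 8)
    $hex = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
    $verdict = if ($bytes[0] -eq 0xE9) {
                   'jmp at entry: inline hook present'
               } elseif ($bytes[0] -eq 0x4C -and $bytes[1] -eq 0x8B -and
                         $bytes[2] -eq 0xD1 -and $bytes[3] -eq 0xB8) {
                   'clean entry prologue'
               } else {
                   'unexpected prologue: inspect manually'
               }
    [PSCustomObject]@{ Function = $fn; Prologue = $hex; Verdict = $verdict }
}
$results | Format-Table -AutoSize
```

Two caveats when reading the output. The second check inspects the PowerShell process it runs in, so it reflects only what the sensor did to that process; a product that hooks selectively, or that excludes PowerShell, will show clean entries there while still hooking elsewhere. And "clean entry prologue" means only that the first instruction was not patched: a sensor that hooks deeper in the stub (for example at the `jne` target or the `syscall` itself) is not caught by a first-byte check, which is why the section 2 notes fall back to a full disassembly diff against the on-disk copy.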