EDR Eclipse: The Kernel-Assisted Telemetry Suppressor That Blinds Security Products Without Killing Them – Red Team’s New Nightmare + Video


Introduction:

Endpoint Detection and Response (EDR) solutions rely on a deep hooking architecture within the Windows kernel – including callback routines, minifilters, and Event Tracing for Windows (ETW) – to monitor process creation, memory allocation, and network activity. EDR Eclipse is a premium kernel‑mode extension for BallisKit ShellcodePack that surgically suppresses these telemetry sources without terminating the EDR process itself, enabling stealthy post‑exploitation and red‑team operations. This article dissects the core techniques behind kernel callback removal, ETW‑TI suppression, and minifilter neutralization, providing hands‑on commands and configuration steps to understand and defend against such advanced tradecraft.

Learning Objectives:

  • Understand how kernel callbacks, ETW‑TI, and minifilters are used by EDRs to detect malicious activity.
  • Learn step‑by‑step methods to enumerate and suppress telemetry using Windows internals and BallisKit-like techniques.
  • Acquire defensive strategies to detect kernel-assisted telemetry suppression in enterprise environments.

You Should Know:

  1. Kernel Callback Removal: Locating and Disarming EDR Hooks

Kernel callbacks are notification routines registered by EDR drivers via functions like PsSetCreateProcessNotifyRoutineEx, ObRegisterCallbacks, and CmRegisterCallback. EDR Eclipse removes these callbacks dynamically using offset resolution and direct kernel object manipulation.

Step‑by‑step guide to enumerate kernel callbacks:

On a Windows test system (requires administrative privileges and WinDbg or a kernel debugger), you can list active process creation callbacks:

 # Using PowerShell with WinDbg (live kernel debugging)
 # First, enable kernel debugging
 bcdedit /set debug on
 bcdedit /set dbgsettings serial debugport:1 baudrate:115200
 # Reboot, then attach WinDbg and run:
 !process 0 0
 # Then dump callback lists (advanced, use !callbacks)

Linux alternative (for cross‑platform red team training):

While EDR techniques are Windows‑specific, Linux uses `auditd` and kprobes. To simulate callback suppression on Linux:

 # List current kprobes (kernel probes used by monitoring tools)
 sudo cat /sys/kernel/debug/kprobes/list
 # Remove a specific probe (requires kernel module)
 echo "-:probe_name" > /sys/kernel/debug/kprobes/blacklist  # conceptual only: this file is read-only and lists symbols that cannot be probed

Using a custom kernel driver (educational) to remove a process callback:

 // Simplified pseudo-code for Windows (not for malicious use)
 NTSTATUS RemoveCallback(PVOID CallbackRecord) {
     // Locate PsSetCreateProcessNotifyRoutine's internal list
     PLIST_ENTRY callbackList = GetCallbackList();
     RemoveEntryList((PLIST_ENTRY)CallbackRecord);
     return STATUS_SUCCESS;
 }

What this does and how to use it defensively:
EDR Eclipse resolves the kernel’s internal callback arrays by pattern‑scanning ntoskrnl.exe. Defenders can detect this by monitoring for anomalies in callback registration – using tools like `Autoruns` (check for “Drivers” tab) or Sysinternals `WinObj` to view object manager callbacks. Deploy `Windows Defender Advanced Threat Protection` with kernel‑mode integrity monitoring to alert when registered callbacks suddenly disappear.

  2. ETW‑TI Suppression: Blocking Event Tracing for Windows – Threat Intelligence

ETW‑TI is a built‑in Windows telemetry channel that logs critical security events (processes, threads, image loads). EDR Eclipse disables ETW‑TI by patching the `EtwEventWrite` function or unregistering the ETW provider GUID `{f4f1d1c3-4f3a-4b7e-8a3c-8b9e7c8a6f1d}` used by Microsoft Defender for Endpoint.

Step‑by‑step guide to suppress ETW‑TI (for red team practice):

Using a simple user‑land tool (requires SeDebugPrivilege) to disable ETW for the current process:

 # PowerShell script to disable ETW for a given PID (using NtSetInformationProcess)
 $process = Get-Process -Name "notepad"
 $kernel32 = Add-Type -MemberDefinition @'
 [DllImport("kernel32.dll")]
 public static extern IntPtr GetCurrentProcess();
 [DllImport("ntdll.dll")]
 public static extern int NtSetInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass, ref int ProcessInformation, int ProcessInformationLength);
 '@ -Name "Win32" -Namespace Win32Functions -PassThru
 $infoClass = 0x3E  # ProcessInstrumentationCallback
 $disable = 0
 # Note: $process is not used below; the call targets the current process via GetCurrentProcess()
 $kernel32::NtSetInformationProcess($kernel32::GetCurrentProcess(), $infoClass, [ref]$disable, 4)

Windows native command to query ETW sessions:

logman query -ets

To block ETW‑TI globally (defensive, requires administrative rights):

 # Disable Microsoft‑Windows‑ThreatIntelligence ETW provider
 wevtutil sl Microsoft-Windows-Threat-Intelligence/Operational /e:false

Step‑by‑step for detection:

Blue teams should monitor for `NtSetInformationProcess` calls with `ProcessInstrumentationCallback` (class 0x3E) – a known ETW suppression technique. Use Sysmon event ID 10 (ProcessAccess) and ID 16 (Sysmon config change) to log these calls. Deploy `SilkETW` (by @0x4D31) to forward ETW events to a SIEM and alert on missing expected telemetry from critical processes.
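The detection advice above ends with "alert on missing expected telemetry from critical processes". The following is an added example of that check, not code from the article or from any product it names: it takes a stream of forwarded ETW/Sysmon events (the records below are constructed, including the event names), records when each expected provider last reported, and flags any provider that has gone quiet for longer than a threshold while the host is otherwise still producing events. The provider names are the ones the article uses; the event detail strings are placeholders.

```python
"""Detect 'silent' telemetry sources.

A provider that stops emitting while other providers on the same host keep
reporting looks like suppression rather than an idle machine. Added example
with constructed sample data; not code from the article or from SilkETW.
"""
from datetime import datetime

# Constructed sample stream: (ISO timestamp, ETW provider, event detail).
# In practice these would be records forwarded to the SIEM by SilkETW or similar.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "Microsoft-Windows-Threat-Intelligence", "ALLOCVM_REMOTE"),
    ("2024-01-01T10:00:05", "Microsoft-Windows-Sysmon", "ProcessCreate"),
    ("2024-01-01T10:00:30", "Microsoft-Windows-Threat-Intelligence", "SETTHREADCONTEXT"),
    ("2024-01-01T10:01:00", "Microsoft-Windows-Sysmon", "ProcessCreate"),
    ("2024-01-01T10:03:00", "Microsoft-Windows-Sysmon", "ImageLoad"),
    ("2024-01-01T10:06:00", "Microsoft-Windows-Sysmon", "ProcessCreate"),
    ("2024-01-01T10:09:00", "Microsoft-Windows-Sysmon", "NetworkConnect"),
]

# Providers that must keep reporting on a healthy, monitored host.
EXPECTED_SOURCES = {"Microsoft-Windows-Threat-Intelligence", "Microsoft-Windows-Sysmon"}


def parse_events(rows):
    """Turn (timestamp string, source, detail) rows into (datetime, source, detail)."""
    return [(datetime.fromisoformat(ts), src, detail) for ts, src, detail in rows]


def find_silent_sources(events, expected, max_gap_seconds, now=None):
    """Return {source: gap_seconds} for expected sources that are silent.

    A source is silent when its newest event is older than max_gap_seconds
    relative to `now` (default: the newest event from any source, i.e. the
    host is demonstrably still alive). A source that never reported maps to None.
    """
    last_seen = {}
    for ts, src, _ in events:
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts
    if now is None:
        now = max(ts for ts, _, _ in events)

    silent = {}
    for src in expected:
        if src not in last_seen:
            silent[src] = None
            continue
        gap = (now - last_seen[src]).total_seconds()
        if gap > max_gap_seconds:
            silent[src] = gap
    return silent


def check_sample(max_gap_seconds=300):
    """Run the detector over the constructed stream with a 5 minute threshold."""
    return find_silent_sources(parse_events(SAMPLE_EVENTS), EXPECTED_SOURCES, max_gap_seconds)


if __name__ == "__main__":
    for src, gap in check_sample().items():
        print(f"ALERT: {src} silent for {gap}s while the host is still reporting")
```

The threshold should be set per provider from a baseline of normal event rates; the Threat-Intelligence provider is bursty on a quiet host, so alerting on a short gap will be noisy, whereas a gap across several hours of other activity is a strong signal.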

  3. EDR Minifilter Neutralization: Bypassing File System and Registry Monitoring

Minifilters sit in the I/O stack and inspect file create, write, and rename operations. EDR Eclipse neutralizes minifilters by issuing `FltDetachVolume` or directly corrupting the filter’s communication port.

Step‑by‑step guide to enumerate and detach minifilters (Windows):

List registered minifilters:

fltmc filters
fltmc instances

Simulated detachment (requires signed driver – for research only):

 #include <windows.h>
 #include <fltuser.h>
 #pragma comment(lib, "fltlib.lib")

 // Unload a minifilter by its registered name (FilterUnload takes only the name;
 // callers need SeLoadDriverPrivilege, the same as `fltmc unload`)
 HRESULT UnloadMinifilter(LPCWSTR FilterName) {
     HRESULT hr = FilterUnload(FilterName);
     return hr;
 }

Defensive alternative:

To prevent minifilter neutralization, enable `Driver Lockdown` via Windows Defender Application Control (WDAC) or use Hypervisor-protected Code Integrity (HVCI). Also monitor Event ID 5145 (filter driver unload) and use `Process Monitor` with filter on “Operation” = “Load Image” and “Path” containing “fltMgr.sys”.
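Both this section and section 1 come down to the same defensive check: keep a known-good inventory and alert when an entry disappears or stops doing its job. The following is an added example, not code from the article or from any EDR vendor, that parses the output of `fltmc filters` (the two listings below are constructed; `ExampleEdrFlt` is a made-up filter name at the 328000 altitude the article mentions, `WdFilter` is Defender's real filter) and diffs it against a baseline. It reports a filter that has been unloaded, and also one that is still loaded but has zero instances, because a filter detached from every volume with `FltDetachVolume` is just as blind as an unloaded one while still appearing in the list. The `diff_inventory` function works on any name-to-attributes map, so the same comparison can be applied to a baseline of registered callback drivers.

```python
"""Baseline-diff the minifilter inventory reported by `fltmc filters`.

Added example with constructed sample output; not code from the article.
"""

# Constructed `fltmc filters` output. Column layout follows the real tool:
# Filter Name / Num Instances / Altitude / Frame.
BASELINE_FLTMC = """
Filter Name                     Num Instances     Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleEdrFlt                           4       328000         0
WdFilter                                4       328010         0
storqosflt                              0       244000         0
FileInfo                                4        45000         0
"""

# Constructed "current" output: ExampleEdrFlt is gone and WdFilter has no instances.
CURRENT_FLTMC = """
Filter Name                     Num Instances     Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                0       328010         0
storqosflt                              0       244000         0
FileInfo                                4        45000         0
"""


def parse_fltmc_filters(text):
    """Parse `fltmc filters` text into {name: {instances, altitude, frame}}."""
    filters = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly four columns; the header has six and the
        # separator row starts with dashes.
        if len(parts) != 4 or parts[0].startswith("-"):
            continue
        name, instances, altitude, frame = parts
        if not instances.isdigit():
            continue
        # Frame is kept as a string because legacy filters report "<Legacy>".
        filters[name] = {"instances": int(instances), "altitude": altitude, "frame": frame}
    return filters


def diff_inventory(baseline, current, critical=frozenset()):
    """Compare two name->attributes inventories.

    Returns a list of (severity, name, message). Names in `critical` (the
    EDR's own components) are reported as 'high', everything else as 'info'.
    """
    findings = []
    for name, attrs in baseline.items():
        sev = "high" if name in critical else "info"
        if name not in current:
            findings.append((sev, name, "missing from current inventory"))
        elif attrs["instances"] > 0 and current[name]["instances"] == 0:
            findings.append((sev, name, "loaded but no longer attached to any volume"))
        elif attrs["altitude"] != current[name]["altitude"]:
            findings.append((sev, name, "altitude changed"))
    for name in current:
        if name not in baseline:
            findings.append(("info", name, "new filter not in baseline"))
    return findings


def check_minifilters(baseline_text, current_text, critical=frozenset()):
    """Convenience wrapper: parse both listings and diff them."""
    return diff_inventory(parse_fltmc_filters(baseline_text),
                          parse_fltmc_filters(current_text), critical)


if __name__ == "__main__":
    for sev, name, msg in check_minifilters(BASELINE_FLTMC, CURRENT_FLTMC, {"ExampleEdrFlt", "WdFilter"}):
        print(f"[{sev}] {name}: {msg}")
```

To run it against a live host, capture `fltmc filters` once on a known-good build as the baseline and feed each later capture as the current listing; the instance count check is the one that catches detachment without unload.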

Linux equivalent (auditd suppression for cross‑reference):

 # Stop auditd (red team simulation)
 sudo systemctl stop auditd
 # List active audit rules
 sudo auditctl -l
 # Remove all rules
 sudo auditctl -D

  4. Dynamic Offset Resolution: Finding Kernel Structures Without Hardcoding

Modern EDRs use non‑exported kernel structures with offsets that change per Windows build. EDR Eclipse dynamically resolves offsets by scanning ntoskrnl.exe’s `.data` section for signatures (e.g., callback list heads). This technique is also used in rootkits like Carberp.

Step‑by‑step guide to resolve kernel offsets using Python and WinDbg (forensic use):

 # Python script using pefile to locate patterns in ntoskrnl.exe
 import pefile

 pe = pefile.PE(r"C:\Windows\System32\ntoskrnl.exe")
 for section in pe.sections:
     if b'.data' in section.Name:
         data = section.get_data()
         # Pattern for PsActiveProcessHead (unique byte sequence)
         pattern = b'\x48\x8D\x0D\x00\x00\x00\x00'  # lea rcx, [rip+offset]
         offset = data.find(pattern)
         # find() returns -1 when the pattern is absent from this build
         if offset != -1:
             print(f"Potential offset at {hex(offset)}")
         else:
             print("Pattern not found in .data")

On a live system using WinDbg:

 # Find PsCreateProcessNotifyRoutine array
 dt nt!_PSP_CALLBACK_ENTRY
 # Scan memory for callback list
 !poolfind nt!PspCreateProcessNotifyRoutine 0

Defensive detection:

Monitor for kernel debugging flags (KdDebuggerEnabled) or unexpected access to \Device\PhysicalMemory. Deploy Microsoft’s `Driver Verifier` with special pool and random low‑resource simulation to catch malformed memory scans. Use `PatchGuard` (Kernel Patch Protection) on 64‑bit Windows – it will crash the system if critical structures like SSDT or callback lists are tampered with (though sophisticated bypasses exist).

  5. Registry and Object Callback Removal: Disabling ObRegisterCallbacks

EDRs often register callbacks via `ObRegisterCallbacks` to monitor process handle opening (e.g., ObpPreOperationCallback). EDR Eclipse finds and removes these from `ObTypeIndexTable` for `PsProcessType` and PsThreadType.

Step‑by‑step to list object callbacks:

Using Nirsoft’s `ObjMon` tool:

objmon.exe /stext object_callbacks.txt

Manual enumeration via kernel debugger:

 # List object type index for process (usually 0x7)
 dt nt!_OBJECT_TYPE ObTypeIndexTable
 # Dump callback list for that type
 dt nt!_OB_CALLBACK_ENTRY

Simulated removal (research VM only):

POB_CALLBACK_ENTRY pEntry = GetCallbackEntry(PsProcessType);
RemoveEntryList(&pEntry->CallbackListEntry);

Defense against this:

Enable `Protected Process Light (PPL)` for critical monitoring processes (e.g., MsMpEng.exe). Monitor kernel `ExRegisterCallback` calls via `Event Tracing for Windows` (kernel session Microsoft-Windows-Kernel-Registry). Use `Sysmon` event ID 24 (Driver load) combined with memory scanning for `ObRegisterCallbacks` imports.

  6. Process, Thread, and Image-Load Callback Suppression

These callbacks (registered via PsSetCreateProcessNotifyRoutineEx, PsSetCreateThreadNotifyRoutine, PsSetLoadImageNotifyRoutine) are the EDR’s eyes into every new process and DLL load. EDR Eclipse suppresses them by overwriting the function pointers in `PspCallbackRoutine` arrays.

Step‑by‑step guide to test suppression (using Windows Performance Toolkit):

First, baseline image load events with `xperf`:

xperf -start LoadMonitor -on PROC_THREAD+LOADER
xperf -stop LoadMonitor -d baseline.etl

After simulating suppression (e.g., by unloading a test driver), capture again:

 xperf -start LoadMonitor -on PROC_THREAD+LOADER
 # Execute your test binary
 xperf -stop LoadMonitor -d after.etl

Windows command to view loaded drivers (potential callback sources):

 Get-WindowsDriver -Online | Where-Object {$_.Driver -like "*edr*"}

Defensive detection:

Blue teams can deploy `Velociraptor` with custom VQL to monitor callback arrays or use `PowerShell` with `Get-WinEvent` to query for suspicious driver unloads (Event ID 4652). For real‑time protection, enable `Microsoft Defender for Endpoint’s kernel-mode sensors` which have fallback telemetry via SMBIOS and virtualisation‑based security (VBS) that survive callback tampering.
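The baseline/after comparison this section sets up with xperf can be reduced to one invariant: every process that is seen starting must also be seen loading images, at minimum ntdll.dll, so a capture in which process-creation events continue but image-load events vanish points at a suppressed image-load callback rather than at a quiet host. The following is an added example, not code from the article, Sysmon or the Windows Performance Toolkit, that applies this check to Sysmon-shaped records (EventID 1 ProcessCreate, EventID 7 ImageLoad, with the real Sysmon field names ProcessId, Image and ImageLoaded); the two captures below are constructed, with the "after" capture mimicking a blinded sensor.

```python
"""Cross-check process creation against image-load telemetry.

A process that appears in ProcessCreate (Sysmon EventID 1) but never in
ImageLoad (EventID 7), not even for ntdll.dll, means image-load callbacks
are no longer delivering. Added example with constructed records.
"""

# Constructed baseline capture: each new process loads at least ntdll.dll.
BASELINE_CAPTURE = [
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Tools\test.exe"},
    {"EventID": 7, "ProcessId": 4242, "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 7, "ProcessId": 4242, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 5100, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 7, "ProcessId": 5100, "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]

# Constructed "after" capture: processes still start and even talk on the
# network (EventID 3), but no image loads are reported at all.
AFTER_CAPTURE = [
    {"EventID": 1, "ProcessId": 4243, "Image": r"C:\Tools\test.exe"},
    {"EventID": 3, "ProcessId": 4243, "DestinationIp": "10.0.0.5"},
    {"EventID": 1, "ProcessId": 5101, "Image": r"C:\Windows\System32\notepad.exe"},
]


def processes_without_image_loads(events):
    """Return sorted [(pid, image)] for processes created with no ImageLoad event."""
    created = {}
    pids_with_loads = set()
    for ev in events:
        if ev["EventID"] == 1:
            created[ev["ProcessId"]] = ev["Image"]
        elif ev["EventID"] == 7:
            pids_with_loads.add(ev["ProcessId"])
    return sorted((pid, img) for pid, img in created.items() if pid not in pids_with_loads)


def compare_captures(baseline, after):
    """Summarise both captures; suppression is suspected when the after capture
    still shows process creation but every new process is missing image loads."""
    after_created = sum(1 for ev in after if ev["EventID"] == 1)
    blind_after = processes_without_image_loads(after)
    return {
        "baseline_blind": len(processes_without_image_loads(baseline)),
        "after_created": after_created,
        "after_blind": len(blind_after),
        "suppression_suspected": after_created > 0 and len(blind_after) == after_created,
    }


if __name__ == "__main__":
    print(compare_captures(BASELINE_CAPTURE, AFTER_CAPTURE))
    for pid, image in processes_without_image_loads(AFTER_CAPTURE):
        print(f"ALERT: PID {pid} ({image}) started but loaded no images")
```

This relies on the Sysmon configuration actually recording ImageLoad for the processes in scope; a config that filters EventID 7 down to a few DLLs will produce the same gap for benign reasons, so the rule should be scoped to processes whose image loads the config is known to log.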

What Undercode Say:

  • Key Takeaway 1: EDR Eclipse represents a paradigm shift from “kill the EDR” (which triggers immediate alerts) to “blind the EDR” – a much stealthier approach that maintains security product presence while suppressing all actionable telemetry. This forces defenders to rely on memory forensics and micro‑architectural side‑channels.
  • Key Takeaway 2: Dynamic offset resolution makes signature‑based detection of the suppression module nearly impossible. However, combining kernel patchguard, HVCI, and integrity monitoring of callback arrays (e.g., using Microsoft’s `Code Integrity` policies) can still catch modifications before they become operational.

Analysis (10 lines):

The commercialisation of kernel‑assisted telemetry suppression tools like EDR Eclipse signals that enterprise red teams now expect EDRs to be partially blind during post‑exploitation. While the tool is restricted to “eligible customers,” its techniques are already being reverse‑engineered and incorporated into open‑source projects (e.g., PPLdump, SharpBlock). Defenders must pivot from solely relying on EDR alerts to proactive hunting for missing telemetry – e.g., comparing kernel callback lists against known baselines. Additionally, Microsoft’s Pluton security processor and Secured‑Core PCs that enforce DMA remapping could mitigate some direct kernel manipulations, but user‑land suppression vectors (like ETW patching) will remain. Expect future EDRs to move more telemetry into the Secure Kernel (VTL1) and use hardware‑assisted tracing (Intel PT) that cannot be disabled by the OS itself. The cat‑and‑mouse game escalates, but organisations with mature SOC teams and memory forensics (like using `Volatility 3` for callback detection) will maintain visibility.

Prediction:

  • +1 EDR Eclipse will drive innovation in cloud‑based EDR solutions where kernel‑level telemetry is supplemented by network‑level and hypervisor‑level introspection (e.g., AWS Nitro Enclaves), making local suppression less effective.
  • -1 Script kiddies will attempt to replicate these techniques using leaked drivers, leading to a wave of “silent” ransomware that blinds EDRs before encrypting – forcing Microsoft to tighten driver signing and enforce HVCI by default on all new Windows installations.
  • -1 Over the next 18 months, we will see a rise in “callback trojan” malware that not only removes callbacks but also injects fake telemetry events (replay attacks) to keep the EDR dashboard looking normal while the breach unfolds.

Reported By: Emeric Nasi – Hackers Feeds