Introduction
Endpoint Detection and Response (EDR) and antivirus (AV) solutions often rely on `nt!PsSetCreateProcessNotifyRoutineEx2` to monitor process creation and termination. However, attackers can evade detection by clearing the `nt!PspCreateProcessNotifyRoutine` array. This article explores a lesser-known Windows internal mechanism—the Extension Table—and demonstrates how it can be hijacked to maintain stealthy process monitoring even after traditional callbacks are disabled.
Learning Objectives
- Understand how EDR/AV products use process notify routines for monitoring.
- Learn how attackers bypass these protections by manipulating kernel callbacks.
- Explore the Windows Extension Table mechanism and its role in process monitoring.
- Implement a proof-of-concept (PoC) driver to hijack `bam!BampCreateProcessCallback`.
- Analyze defensive strategies to detect and mitigate such techniques.
You Should Know
1. Hijacking the Extension Table for Persistence
Command/Code Snippet:

```c
// Locate the BampCreateProcessCallback function in bam.sys
// (FindPatternInModule is a helper assumed by the post; the byte pattern is a
// generic x64 function prologue, so on its own it is not a unique signature)
PVOID BampCreateProcessCallback = FindPatternInModule("bam.sys", "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18", "xxxxxxxxxx");
// Overwrite the callback pointer in the Extension Table
*(PVOID *)ExtensionTableEntry = (PVOID)MaliciousCallback;
```
Step-by-Step Guide:
- Locate `bam.sys` in memory: Use kernel debugging or pattern scanning to find the base address of `bam.sys`.
- Identify `BampCreateProcessCallback`: Search for the function signature using byte patterns.
- Modify the Extension Table: Overwrite the callback pointer to redirect execution to a malicious function.
- Verify persistence: Confirm that the malicious callback triggers even after clearing `nt!PspCreateProcessNotifyRoutine`.
2. Disabling Standard Process Notify Callbacks
Command/Code Snippet:

```c
// Clear the PspCreateProcessNotifyRoutine array (64 pointer-sized slots)
for (int i = 0; i < 64; i++) {
    *(PVOID *)(PspCreateProcessNotifyRoutine + i * sizeof(PVOID)) = NULL;
}
```
Step-by-Step Guide:
- Locate `PspCreateProcessNotifyRoutine`: Use `kd> x nt!PspCreateProcessNotifyRoutine` in WinDbg.
- Iterate through the array: Set each entry to `NULL` to disable registered callbacks.
- Verify EDR bypass: Check if the EDR fails to detect new process creation.
3. Defensive Detection: Monitoring Extension Table Modifications
Command/Code Snippet (PowerShell):

```powershell
# Scan for unsigned or anomalous kernel drivers
Get-WmiObject Win32_PnPSignedDriver | Where-Object { $_.DeviceName -like "bam.sys" -and $_.IsSigned -eq $false }
```
Step-by-Step Guide:
- Audit loaded drivers: Use PowerShell or Sysinternals’ `autoruns` to list kernel modules.
- Check driver signatures: Validate the integrity of `bam.sys` and other critical drivers.
- Monitor callback installations: Use ETW or kernel hooks to detect unusual Extension Table activity.
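The steps above describe the audit but the section only shows a one-line filter. The script below is an added example, not code from the original post, that carries the audit through: it enumerates running kernel drivers with `Win32_SystemDriver`, normalises their NT-style paths, checks each file's Authenticode signature and signer, records the file version, and flags anything that is unsigned or not signed by a Microsoft Windows publisher. It assumes an elevated PowerShell session on Windows 10/11; the `$TrustedSignerPatterns` list and the BAM service name `bam` are assumptions to adjust for your environment.

```powershell
# Added example, not code from the original post. Audits running kernel drivers:
# signature status, signer and file version. Assumes an elevated PowerShell
# session on Windows 10/11. $TrustedSignerPatterns is an assumption; extend it
# with the vendors whose drivers you expect to see on the host.

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName uses several NT-style forms; normalise them to
    # a Win32 path that Get-AuthenticodeSignature and Get-Item accept.
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverAudit {
    param(
        [string[]]$TrustedSignerPatterns = @('Microsoft Windows*'),
        [switch]$IncludeStopped
    )
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if (-not $IncludeStopped) { $drivers = $drivers | Where-Object { $_.State -eq 'Running' } }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        $record = [ordered]@{
            Name       = $d.Name
            Path       = $path
            SigStatus  = 'FileNotFound'   # a running driver whose file is gone is itself a finding
            Signer     = $null
            Version    = $null
            Suspicious = $true
        }
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Pull the CN out of the certificate subject, e.g. "CN=Microsoft Windows, O=..."
            $cn = if ($subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { $null }
            $trusted = $false
            foreach ($pat in $TrustedSignerPatterns) { if ($cn -like $pat) { $trusted = $true; break } }
            $record.SigStatus  = [string]$sig.Status
            $record.Signer     = $cn
            $record.Version    = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            # Anything not Valid, or signed by an unexpected publisher, is worth a second look
            $record.Suspicious = ($sig.Status -ne 'Valid') -or (-not $trusted)
        }
        [pscustomobject]$record
    }
}

# Usage: show the findings, then bam.sys on its own for the check in step 2.
$audit = Get-KernelDriverAudit
$audit | Where-Object Suspicious | Sort-Object Name |
    Format-Table Name, SigStatus, Signer, Version, Path -AutoSize
$audit | Where-Object { $_.Name -eq 'bam' } | Format-List
```

Treat a `NotSigned` result on an inbox driver as a prompt to re-check with Sysinternals `sigcheck` rather than as a confirmed finding, since some inbox drivers are signed through catalogs; a third-party signer on a driver you did not deploy, or a running driver whose file is missing, is the case the audit is meant to surface.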
4. Exploiting bam.sys for Stealthy Execution
Command/Code Snippet:

```c
// Register a malicious process creation callback via bam.sys
NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(MaliciousCallback, FALSE);
```
Step-by-Step Guide:
- Load a vulnerable driver: Exploit a signed but outdated driver to gain kernel access.
- Register a custom callback: Use `PsSetCreateProcessNotifyRoutineEx` to inject into the Extension Table.
- Maintain persistence: Ensure the callback survives system reboots or EDR remediation.
5. Mitigation: Hardening the Kernel Against Callback Hijacking
Command/Code Snippet (Windows Defender ATP):

```powershell
# Enable kernel-mode attack protection
Set-MpPreference -AttackSurfaceReductionRules_Ids "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" -AttackSurfaceReductionRules_Actions Enabled
```
Step-by-Step Guide:
- Enable Kernel ASR: Use Windows Defender to block unsigned driver loads.
- Patch vulnerable drivers: Ensure `bam.sys` and similar components are up-to-date.
- Deploy EDR with kernel integrity checks: Use solutions that monitor Extension Table modifications.
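As a companion to the mitigation steps, the script below is an added example, not code from the original post, that reports the hardening posture a defender would check before relying on the controls above: whether HVCI (memory integrity) is running, whether the Microsoft vulnerable driver blocklist is enabled (the control that addresses the "load a vulnerable driver" step in section 4), and the configured state of the ASR rule the post enables. One caveat the post does not mention: GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the "Block all Office applications from creating child processes" rule; it does not govern kernel driver loading, so the script reports it for completeness but the first two fields are the ones that matter here. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender present (`Get-MpPreference`); the state labels it returns are this script's own.

```powershell
# Added example, not code from the original post. Reports the kernel-hardening
# posture relevant to callback hijacking. Assumes an elevated PowerShell session
# on Windows 10/11 with Microsoft Defender present.

function Get-HvciState {
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'Unknown' }
    if (@($dg.SecurityServicesRunning) -contains 2)    { return 'Running' }
    if (@($dg.SecurityServicesConfigured) -contains 2) { return 'ConfiguredNotRunning' }
    return 'Off'
}

function Get-VulnerableDriverBlocklistState {
    # HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable = 1
    # turns on the Microsoft vulnerable driver blocklist (blocks known BYOVD drivers).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.VulnerableDriverBlocklistEnable -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    # AttackSurfaceReductionRules_Actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return 'DefenderUnavailable' }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {
            $code = [int]$actions[$i]   # stored as bytes; cast so the hashtable lookup matches
            if ($actionNames.ContainsKey($code)) { return $actionNames[$code] }
            return "Action$code"
        }
    }
    return 'NotConfigured'
}

function Get-KernelHardeningPosture {
    [pscustomobject]@{
        HVCI                      = Get-HvciState
        VulnerableDriverBlocklist = Get-VulnerableDriverBlocklistState
        # D4F940AB-... is the Office child-process ASR rule; it is reported
        # because the post enables it, but it does not affect driver loading.
        AsrOfficeChildProcessRule = Get-AsrRuleState -RuleId 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    }
}

Get-KernelHardeningPosture | Format-List
```

A host that reports `HVCI = Running` and `VulnerableDriverBlocklist = Enabled` is the baseline for the "block unsigned driver loads" and "patch vulnerable drivers" steps; `ConfiguredNotRunning` usually means the hypervisor prerequisites are missing, which is worth chasing before trusting any EDR-side integrity check.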
What Undercode Say
- Key Takeaway 1: The Windows Extension Table is a powerful but under-documented mechanism that attackers can abuse to bypass EDR/AV monitoring.
- Key Takeaway 2: Defenders must expand their focus beyond standard callback arrays to include Extension Table integrity checks.
Analysis:
This technique highlights the cat-and-mouse game between attackers and defenders in kernel space. While EDR products have evolved to detect callback manipulation, the Extension Table remains a blind spot for many. Future Windows updates may restrict access to this mechanism, but for now, organizations must proactively monitor for anomalous driver behavior and enforce strict kernel-mode code signing policies. The PoC demonstrates that even advanced EDR solutions can be bypassed with sufficient kernel expertise, underscoring the need for layered defenses.
Prediction
As EDR solutions improve their detection of traditional callback manipulation, attackers will increasingly turn to obscure kernel mechanisms like the Extension Table. Microsoft may respond by locking down these APIs or introducing new ETW events to log their usage. In the long term, hardware-enforced security features like Intel CET and Microsoft Pluton could mitigate such attacks by preventing unauthorized kernel modifications altogether.
Reported By: Activity 7347880216544886784 – Hackers Feeds