HellsVectoredGate: Bypassing Detection with VEH and Indirect Syscalls


Introduction

Modern endpoint detection and response (EDR) systems scrutinize direct system call execution, making traditional shellcode injection techniques easily detectable. HellsVectoredGate introduces a novel evasion method by combining Vectored Exception Handling (VEH) with indirect syscalls, allowing attackers to execute system calls without triggering common detection mechanisms.

Learning Objectives

  • Understand how VEH-based syscall execution evades EDR monitoring.
  • Learn how to trigger and handle ACCESS_VIOLATION exceptions for stealthy code execution.
  • Implement HellsVectoredGate in offensive security operations.

You Should Know

1. Vectored Exception Handling (VEH) Basics

VEH allows developers to register custom exception handlers that intercept and process exceptions before structured exception handling (SEH).

Code Snippet (C++):

#include <windows.h>
#include <stdio.h>

// x64 only: the handler rewrites Rip/Rsp in the CONTEXT record.
// Continuation target: the handler redirects execution here.
__declspec(noreturn) void Resume() {
    puts("Resumed after ACCESS_VIOLATION via VEH");
    ExitProcess(0);
}

LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS ExceptionInfo) {
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
        // Handle the exception (e.g., execute shellcode). Returning
        // EXCEPTION_CONTINUE_EXECUTION re-runs the faulting instruction, so the
        // handler must change the thread context first or the fault repeats
        // forever. Here Rip is pointed at Resume() and Rsp is realigned as if
        // Resume() had been called (16-byte aligned, minus the return slot).
        PCONTEXT ctx = ExceptionInfo->ContextRecord;
        ctx->Rsp = (ctx->Rsp & ~(DWORD64)0xF) - 8;
        ctx->Rip = (DWORD64)(ULONG_PTR)&Resume;
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

int main() {
    AddVectoredExceptionHandler(1, VectoredHandler);
    // Trigger ACCESS_VIOLATION by writing through a null pointer
    volatile int* ptr = nullptr;
    *ptr = 1;
    return 0;
}

Step-by-Step Explanation:

  1. Register VEH: `AddVectoredExceptionHandler` sets up a custom handler (the first parameter, `1`, places it ahead of previously registered handlers).
  2. Trigger Exception: Writing through a null pointer (`*ptr = 1`) forces an ACCESS_VIOLATION.
  3. Handler Execution: The registered function processes the exception and can modify the thread's `ContextRecord` before execution resumes, enabling controlled code execution.

2. Indirect Syscalls for EDR Evasion

Direct `syscall` instructions inside a program's own image are often flagged. Indirect syscalls instead resolve the syscall number and the address of the `syscall` instruction in `ntdll.dll` at runtime, place the number in `eax`, and jump into `ntdll.dll`, so the syscall appears to originate from its normal location.

Code Snippet (x64 Assembly):

mov r10, rcx                 ; preserve the first argument, as the ntdll stub does
mov eax, <syscall ID>        ; placeholder: system service number resolved from ntdll.dll
jmp [<syscall address>]      ; placeholder: address of the syscall instruction inside ntdll.dll

Step-by-Step Explanation:

  1. Locate ntdll: Parse PEB to find `ntdll.dll` in memory.
  2. Extract Syscall: Retrieve the syscall ID and address.
  3. Execute Indirectly: Jump to the syscall stub instead of calling it directly.

3. Combining VEH and Indirect Syscalls

HellsVectoredGate merges these techniques to execute syscalls via exceptions.

Workflow:

  1. Register a VEH handler.
  2. Trigger an `ACCESS_VIOLATION`.
  3. Inside the handler, use indirect syscalls to perform privileged operations.

4. Defensive Mitigations

  • Monitor VEH Registrations: EDRs should log `AddVectoredExceptionHandler` calls.
  • Analyze Exception Patterns: Frequent `ACCESS_VIOLATION` followed by syscalls is suspicious.
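A detection sketch for the two mitigations above, added here as an example that is not part of the original post or of the HellsVectoredGate project. The log format and event names are constructed stand-ins for whatever your EDR or ETW pipeline actually emits; the logic flags a process that registered a VEH and then showed repeated ACCESS_VIOLATION-then-syscall sequences.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real EDR output), one event per line:
# "<timestamp_ms> <pid> <event> [detail]".
SAMPLE_LOG = """\
1000 4242 VEH_REGISTER AddVectoredExceptionHandler first=1
1005 4242 EXCEPTION code=0xC0000005
1006 4242 SYSCALL NtAllocateVirtualMemory
1010 4242 EXCEPTION code=0xC0000005
1011 4242 SYSCALL NtProtectVirtualMemory
1015 4242 EXCEPTION code=0xC0000005
1016 4242 SYSCALL NtCreateThreadEx
2000 5151 VEH_REGISTER AddVectoredExceptionHandler first=0
2500 5151 EXCEPTION code=0xC0000005
3000 6262 SYSCALL NtAllocateVirtualMemory
"""

ACCESS_VIOLATION = "0xC0000005"
SYSCALL_WINDOW_MS = 5     # a syscall this soon after an AV is treated as handler-driven
MIN_AV_SYSCALL_PAIRS = 2  # how many AV->syscall pairs before alerting

@dataclass
class Event:
    ts: int
    pid: int
    kind: str
    detail: str

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, pid, kind, *rest = line.split(maxsplit=3)
        events.append(Event(int(ts), int(pid), kind, rest[0] if rest else ""))
    return events

def find_veh_syscall_abuse(events, window_ms=SYSCALL_WINDOW_MS, min_pairs=MIN_AV_SYSCALL_PAIRS):
    """Return {pid: [syscalls]} for processes that registered a VEH and then
    showed at least min_pairs ACCESS_VIOLATION -> syscall sequences."""
    registered = set()
    last_av = {}                # pid -> timestamp of the most recent, unmatched AV
    pairs = defaultdict(list)   # pid -> syscalls that closely followed an AV
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "VEH_REGISTER":
            registered.add(ev.pid)
        elif ev.kind == "EXCEPTION" and ACCESS_VIOLATION in ev.detail:
            last_av[ev.pid] = ev.ts
        elif ev.kind == "SYSCALL" and ev.pid in last_av:
            if ev.ts - last_av[ev.pid] <= window_ms:
                pairs[ev.pid].append(ev.detail)
                del last_av[ev.pid]  # one syscall per exception
    return {pid: calls for pid, calls in pairs.items()
            if pid in registered and len(calls) >= min_pairs}
```

Process 5151 (a VEH plus a single AV) and 6262 (syscalls with no preceding exception) stay below the threshold; only 4242 is reported.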

5. Practical Use in Red Teaming

  • Payload Execution: Deploy beacon stagers without direct syscalls.
  • Persistence: Use exception-based execution for fileless implants.

What Undercode Say

  • Key Takeaway 1: HellsVectoredGate demonstrates how exception handling can be weaponized for stealthy syscall execution.
  • Key Takeaway 2: Traditional EDRs relying on direct syscall monitoring may miss this technique.

Analysis:

This method highlights the evolving cat-and-mouse game between attackers and defenders. As EDRs improve at detecting direct syscalls, attackers shift to exception-based execution, forcing defenders to scrutinize VEH registrations and unusual exception flows. Future detection may involve behavioral analysis of exception handling rather than static syscall inspection.

Prediction

Within the next two years, VEH-based attacks will become more prevalent, pushing EDR vendors to integrate exception flow analysis into their detection engines. Meanwhile, offensive toolkits will refine indirect execution methods, making runtime detection even harder.

For more details, check the HellsVectoredGate GitHub repo.

Reported By: Magzhan Shelldon – Hackers Feeds