CyberSecurity SEE

SindriKit 1.3.0 Exploits Call Stack Spoofing to Evade EDR Detection

SindriKit 1.3.0 Exploits Call Stack Spoofing to Evade EDR Detection

SindriKit 1.3.0: A Major Leap in Evasion Techniques Against EDR Systems

The recent release of SindriKit version 1.3.0 marks a considerable advancement in the realm of evading Endpoint Detection and Response (EDR) systems. This latest update utilizes a sophisticated technique known as dynamic call stack spoofing, which effectively exploits vulnerabilities in how EDR systems inspect kernel-transition call chains. This development goes beyond merely addressing user-mode hooks, targeting the deeper mechanisms of kernel-level invocation processes.

Prior to the introduction of version 1.3.0, SindriKit 1.2.0 had already made significant strides in evading traditional defenses by separating syscall invocations through indirect syscalls. This approach rerouted calls to legitimate syscall return instructions embedded within the ntdll.dll file. While effective, this tactic was increasingly rendered less impactful by modern EDR engines, which have evolved to integrate Event Tracing for Windows (ETW) with thread suspension techniques. These enhancements allow for a more rigorous analysis of the call stack and a thorough verification of return addresses against expected module layouts.

As a result, even if an instruction pointer derives from a trusted NTDLL gadget, the returning address on the stack frequently directs back to memory that holds unverified payloads. This discrepancy creates a detectable anomaly for virtual unwinders, particularly the RtlVirtualUnwind function, which examines the call stack for legitimacy.

Innovations in Version 1.3.0

According to a report by Sibouzitoun, SindriKit 1.3.0 addresses this vulnerability by incorporating native call stack spoofing through a new C-based engine named snd_syscall_find_spoof_scan. This engine effectively parses the Exception Directory (.pdata) of kernel32.dll, meticulously inspecting RUNTIME_FUNCTION and UNWIND_INFO structures to determine precise stack allocations for every function.

This engine then conducts a search for “Fat Frames”—functions that allocate a minimum of 120 bytes of stack space. These frames provide adequate shadow space for syscall arguments and trampoline gadgets while maintaining the integrity of adjacent stack frames and keeping the unwinder in sync.

To mitigate exposure to deterministic telemetry systems, SindriKit employs various techniques involving entropy and randomization. This includes utilizing an SSN hash, a static counter, and ASLR‑dependent base addresses. By introducing randomness to the processes, SindriKit ensures that the spoofed call stack diverges across different executions, complicating detection efforts.

A comprehensive overview of these techniques can be encapsulated in a data table intended for analysts, detailing each element’s role in the spoofing process:

Element Role in Spoofing
Fat Frame (≥120 bytes) Provides shadow stack space for arguments and trampoline gadget
Trampoline Gadget (RET) Legitimate RET inside Fat Frame; first return target
SyscallCleanup address True payload return point hidden in spoofed frame
Original caller return addr Baseline anchor for EDR’s reconstructed call chain

Within each syscall operation, SindriKit’s MASM stub creates a JMP-Trampoline designed to satisfy both the physical CPU and the EDR’s virtual unwinder. This system arranges the stack in a highly strategic manner:

; Top-of-stack spoofing layout
mov [rsp+0], r8 ; Trampoline Gadget (RET in Fat Frame)
lea rax, SyscallCleanup
mov [rsp+8], rax ; True return address (payload cleanup)
mov rax, [rbp+16] ; Original caller return address
mov [rsp+r12+8], rax ; r12 = spoof_frame_size

Upon returning from the syscall gadget, the CPU first lands on the Trampoline Gadget, which immediately executes the RET instruction. This action transfers control to the SyscallCleanup function residing within the payload.

Simultaneously, the RtlVirtualUnwind function references the .pdata section, adds the Fat Frame size to its imaginary stack pointer, and retrieves the original caller’s return address from the stack. This mechanism enables the reconstruction of a clean, legitimate call chain.

This dynamic approach offers a complete decoupling of resolution, invocation, and spoofing strategies on x64 architectures. Conversely, on x86 systems, where the .pdata structure is absent and exceptions are primarily managed through structured exception handling (SEH) chains and EBP frames, SindriKit resorts to using well-known functions like BaseThreadInitThunk and other nearby RET gadgets as a pragmatic fallback.

In summary, SindriKit 1.3.0 represents a critical evolution in evasion techniques aimed at circumventing EDR detection measures. By leveraging advanced methodologies like dynamic call stack spoofing and utilizing tactical randomness, this tool further complicates the landscape for cybersecurity professionals, presenting new challenges for effective defense against potential exploits.

Source link

Exit mobile version