Alex, as usual, did a perfect job of bypassing even paranoid EDRs.
The main problem is detecting duplicated sockets. There is a hint, however:
all ownership of the socket still belongs to the original creator – even when the creator exists (and actually, because Netio.sys is still referencing the original EPROCESS, the creator and the PID become “zombies” and leak resources).

OK, the reason is true, but the reference is held by afd.sys. Let's see why.
We need to disassemble two functions to write a simple script. First, we need the offset back from the LIST_ENTRY linked into afd!AfdEndpointListHead to the containing endpoint object. It can be extracted from AfdIsAddressInUse:
mov [rsp+arg_0], rbx
mov [rsp+arg_8], rbp
mov [rsp+arg_10], rsi
push rdi
sub rsp, 30h
mov rsi, rcx
xor ebx, ebx
mov rcx, cs:AfdGlobalData
call cs:__imp_ExEnterCriticalRegionAndAcquireResourceShared
nop dword ptr [rax+rax+00h]
mov rdi, cs:AfdEndpointListHead ; rdi = Flink of the list head (first LIST_ENTRY)
lea rbp, AfdEndpointListHead    ; rbp = address of the list head, used as loop terminator
jmp short loc_1C003C0D3
; ---------------------------------------------------------------------------
loc_1C003C054: ; CODE XREF: AfdIsAddressInUse+BE
lea rdx, [rdi-120h] ; rdx = endpoint = CONTAINING_RECORD(entry): LIST_ENTRY sits at offset 0x120 inside the endpoint
...
loc_1C003C0D3:
cmp rdi, rbp        ; stop when the entry wraps back to the list head
jnz loc_1C003C054
Then we need the offset of the owning EPROCESS pointer inside the endpoint; it can be extracted, for example, from AfdFreeEndpointResources:
mov rcx, [rbx+28h] ; rbx = endpoint, [rbx+28h] = owning EPROCESS (the pool quota is returned to it)
mov edx, 200h
call cs:__imp_PsReturnPoolQuota
nop dword ptr [rax+rax+00h]
mov rcx, [rbx+28h] ; Object: same EPROCESS pointer, dereferenced when the endpoint is freed
call cs:__imp_ObfDereferenceObject
Now we have all the parts of this puzzle. Let's see what we can do in windbg:
kd> ? afd!AfdEndpointListHead
Evaluate expression: -8772979362448 = fffff805`61ae7570
kd> r $t0 = 0xfffff805`61ae7570; .for( r $t1 = poi(@$t0) ; (@$t1 != @$t0) ; r $t1 = poi(@$t1) ) { !process poi(@$t1-120+28) 0 }
PROCESS ffffe50f664e0080
SessionId: 1 Cid: 0bf4 Peb: 8c93382000 ParentCid: 02d8
DirBase: 6ceb6000 ObjectTable: ffff818ffd8744c0 HandleCount:
Image: SkypeApp.exe
...
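The same walk, expressed as an offline script over a memory image, as an added example that is not part of the original post. It reproduces the windbg `.for` loop (follow Flink from afd!AfdEndpointListHead, subtract 0x120 to reach the endpoint, read the owner EPROCESS at +0x28) and then applies a simple defender-side check that the post's quote suggests: endpoints whose owner EPROCESS belongs to a process that has already exited. The `Memory` class, all endpoint and EPROCESS addresses, and the "exited owner" heuristic are constructed assumptions; only the two offsets and the list head value come from the post, and the offsets must be re-derived per afd.sys build.

```python
import struct

# Offsets recovered from the disassembly in the post (valid for the afd.sys build
# the author looked at; other builds differ, so re-derive them the same way).
ENTRY_TO_ENDPOINT = 0x120     # lea rdx, [rdi-120h] in AfdIsAddressInUse
ENDPOINT_TO_EPROCESS = 0x28   # mov rcx, [rbx+28h] in AfdFreeEndpointResources
PTR = 8


class Memory:
    """Minimal sparse 64-bit little-endian memory image (constructed for the example)."""

    def __init__(self):
        self._bytes = {}

    def write_ptr(self, va, value):
        for i, b in enumerate(struct.pack("<Q", value)):
            self._bytes[va + i] = b

    def read_ptr(self, va):
        try:
            raw = bytes(self._bytes[va + i] for i in range(PTR))
        except KeyError:
            raise ValueError(f"unmapped read at {va:#x}")
        return struct.unpack("<Q", raw)[0]


def walk_afd_endpoints(mem, list_head_va, max_entries=4096):
    """Equivalent of the windbg loop: r $t1 = poi(@$t0); while @$t1 != @$t0:
    endpoint = @$t1 - 0x120, owner = poi(endpoint + 0x28), $t1 = poi(@$t1)."""
    results = []
    entry = mem.read_ptr(list_head_va)                  # Flink of the list head
    while entry != list_head_va:
        if len(results) >= max_entries:
            raise RuntimeError("list does not return to its head; corrupted or cyclic")
        endpoint = entry - ENTRY_TO_ENDPOINT            # CONTAINING_RECORD
        eprocess = mem.read_ptr(endpoint + ENDPOINT_TO_EPROCESS)
        results.append((endpoint, eprocess))
        entry = mem.read_ptr(entry)                     # next Flink
    return results


def find_endpoints_owned_by_exited(endpoints, running_eprocesses):
    """Heuristic (an assumption of this example, not a claim of the post): an AFD
    endpoint stays owned by its creator, so an endpoint whose owner is not in the
    set of still-running processes is worth a closer look (duplicated socket whose
    creator has gone away, or a zombie creator kept alive only by references)."""
    return [(ep, pr) for ep, pr in endpoints if pr not in running_eprocesses]


def build_sample_image():
    """Constructed image with three endpoints; the middle one is owned by a
    process that has already exited."""
    mem = Memory()
    head = 0xfffff80561ae7570                  # afd!AfdEndpointListHead from the post
    running = {0xffffe50f664e0080, 0xffffe50f66000080}   # constructed EPROCESS addresses
    exited_owner = 0xffffe50f6fd00080          # constructed: creator that already exited
    endpoints = [0xffffb00000001000, 0xffffb00000003000, 0xffffb00000005000]
    owners = [0xffffe50f664e0080, exited_owner, 0xffffe50f66000080]
    # Link head -> entry0 -> entry1 -> entry2 -> head (Flink at +0, Blink at +8).
    entries = [ep + ENTRY_TO_ENDPOINT for ep in endpoints]
    chain = [head] + entries + [head]
    for cur, nxt in zip(chain, chain[1:]):
        mem.write_ptr(cur, nxt)          # Flink
        mem.write_ptr(nxt + PTR, cur)    # Blink
    for ep, owner in zip(endpoints, owners):
        mem.write_ptr(ep + ENDPOINT_TO_EPROCESS, owner)
    return mem, head, running


if __name__ == "__main__":
    mem, head, running = build_sample_image()
    eps = walk_afd_endpoints(mem, head)
    for ep, pr in eps:
        print(f"endpoint {ep:#x} owner EPROCESS {pr:#x}")
    for ep, pr in find_endpoints_owned_by_exited(eps, running):
        print(f"check: endpoint {ep:#x} owned by exited process {pr:#x}")
```

On a live target the `running` set would be built from the process list (for example by filtering out processes that already have an exit time), and the two offsets re-read from the installed afd.sys before trusting any result.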