Bypassing Image Load Kernel Callbacks

As security teams continue to advance, it has become essential for attackers to have complete control over every part of their operation, from the infrastructure down to the individual actions that occur on the endpoint. Even with this in mind, image load events have always been something I’ve tried to ignore, despite the extensive view they can give into the actions on an endpoint. This was simply because they occur from inside the kernel, so there’s nothing a low-privileged process can do to bypass this, right?

The rest of this post can be found on the MDSec Active Breach blog. The related project can be found here.