New Evasion Tool EDRStartupHinder Bypasses Antivirus and EDR on Windows 11 25H2

EDRStartupHinder: A New Tool Disrupting Antivirus and EDR Services on Windows 11 25H2

Security researcher TwoSevenOneT, renowned for developing EDR evasion tools such as EDR-Freeze and EDR-Redir, has recently introduced a new tool named EDRStartupHinder. This innovative tool is designed to obstruct antivirus and Endpoint Detection and Response (EDR) services during system startup by redirecting essential System32 Dynamic Link Libraries (DLLs) through Windows Bindlink. The effectiveness of EDRStartupHinder has been demonstrated on Windows Defender operating within the Windows 11 25H2 environment.

Understanding the Mechanism of EDRStartupHinder

Antivirus and EDR services function similarly to standard Windows services but are fortified with additional protections provided by kernel drivers. These services operate with SYSTEM-level privileges, automatically initiate during the boot process, and employ Protected Process Light (PPL) to safeguard against user-mode tampering. Consequently, any attempts to modify configurations in user mode are typically unsuccessful, and processes are resistant to alterations without employing advanced techniques like EDR-Freeze.

The Role of Bindlink in Startup Disruption

Previous methods, such as EDR-Redir, focused on redirecting EDR folders after the system had started. However, vendors have since implemented measures to counteract these techniques. EDRStartupHinder addresses this challenge by proactively targeting the System32 directory, which is crucial for all processes, including EDRs.

The tool operates through the following steps:

1. Service Creation with Elevated Priority: EDRStartupHinder establishes a service with a higher priority to ensure it executes before other services during startup.

2. DLL Redirection via Bindlink: It utilizes Bindlink to redirect a core DLL to an unsigned, intentionally corrupted copy.

3. Leveraging PPL to Induce Failure: Because the PPL-protected EDR process cannot load an unsigned image, its code-integrity check rejects the corrupted DLL and the service fails during startup.

4. Post-Termination Cleanup: After the EDR service terminates, EDRStartupHinder performs cleanup operations to maintain system stability.

The service priority is determined by referencing the ServiceGroupOrder in the Windows registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder. The specific DLL targeted must not be part of the KnownDLLs preload list, which can be identified using tools like Process Monitor.

Implementation and Usage

EDRStartupHinder is available on GitHub and accepts several parameters for customization:

– OriginalLib: The System32 DLL to be redirected.

– FakeLib: The location of the corrupted copy of the DLL.

– ServiceName/Group: The name and group of the service to be created, which determines its startup priority.

– EDRProcess: The target EDR process, such as MsMpEng.exe for Windows Defender.

The tool operates by corrupting the Portable Executable (PE) header signature of the FakeLib, registering it as a service, monitoring for the launch of the EDR process, and dynamically applying or removing the Bindlink as needed. Users are advised to research specific DLLs and service groups associated with their target EDRs using tools like Process Explorer boot logs.

Demonstration on Windows 11 25H2

In a controlled laboratory environment running Windows 11 25H2, EDRStartupHinder was tested with the following configuration:

– Target EDR Process: MsMpEng.exe (the core process of Windows Defender).

– Target DLL: msvcp_win.dll, which is loaded during startup.

– Service Group Priority: TDI (Transport Driver Interface), which has a high startup priority.

The command executed was:

```
EDRStartupHinder.exe msvcp_win.dll C:\TMP\FakeLib DusmSVC-01 TDI MsMpEng.exe
```

Upon rebooting the system, the newly created service activated first, redirecting the DLL. As a result, the PPL-protected MsMpEng.exe attempted to load the unsigned, corrupted DLL and subsequently terminated itself due to the integrity check failure.

Defensive Measures and Recommendations

System administrators should implement the following measures to detect and prevent the exploitation of techniques like those used by EDRStartupHinder:

– Monitor Bindlink.dll Usage: Regularly check for the presence and usage of bindlink.dll, as its unexpected use may indicate malicious activity.

– Inspect High-Priority Services: Review services within high-priority groups for any unauthorized or suspicious entries.

– Audit System32 Directory: Conduct periodic audits of the System32 directory to identify anomalies or unauthorized modifications.

Implementing a defense-in-depth strategy is crucial. This includes expanding the KnownDLLs list to include critical DLLs, enforcing strict signature verification policies, and utilizing minifilter drivers to log and monitor file operations. Security vendors are encouraged to strengthen the integrity of their DLL dependencies and refine startup sequences to mitigate such attacks.
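One way to carry out the first two checks above (bindlink.dll usage and services in high-priority groups), as an added PowerShell example that is not from the article or the EDRStartupHinder project. It assumes every group at or before TDI in ServiceGroupOrder counts as high priority and that it is run from an elevated prompt.

```powershell
# Added example, not part of the article or the EDRStartupHinder project. Run from an elevated prompt.
# Assumption: every group at or before "TDI" in ServiceGroupOrder is treated as high priority.
$groupOrder  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder' -Name List).List
$cutoff      = [Array]::IndexOf($groupOrder, 'TDI')
$earlyGroups = if ($cutoff -ge 0) { $groupOrder[0..$cutoff] } else { $groupOrder }

function Get-ServiceImage([string]$ImagePath) {
    # Turn a raw ImagePath value into an on-disk path; drivers use the \SystemRoot\ and bare System32\ forms
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($p -split ' ')[0] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^System32\\') { $p = "$env:SystemRoot\$p" }
    return $p
}

# 1. Services placed in early groups: a user-mode (Win32) service or an unsigned image there deserves review.
#    Legitimate entries such as EventLog (group "Event Log") will appear; baseline the output once and diff later.
$findings = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $svc = Get-ItemProperty $key.PSPath
    if (-not $svc.Group -or $earlyGroups -notcontains $svc.Group -or -not $svc.ImagePath) { continue }
    $isWin32  = ($svc.Type -band 0x30) -ne 0     # SERVICE_WIN32_OWN_PROCESS or SERVICE_WIN32_SHARE_PROCESS
    $image    = Get-ServiceImage $svc.ImagePath
    $sigState = if (Test-Path $image) { (Get-AuthenticodeSignature $image).Status } else { 'Missing' }
    if ($isWin32 -or $sigState -ne 'Valid') {
        [pscustomobject]@{ Service = $key.PSChildName; Group = $svc.Group; Type = $svc.Type; Image = $image; Signature = $sigState }
    }
}
$findings | Sort-Object Group | Format-Table -AutoSize

# 2. Processes that currently have bindlink.dll mapped. Module lists of protected processes are not
#    readable from user mode, so those processes are skipped rather than reported.
$withBindlink = foreach ($proc in Get-Process) {
    try { $mods = $proc.Modules } catch { continue }
    if ($mods | Where-Object { $_.ModuleName -ieq 'bindlink.dll' }) {
        [pscustomobject]@{ PID = $proc.Id; Name = $proc.ProcessName; Path = $proc.Path }
    }
}
$withBindlink | Format-Table -AutoSize
```

Both tables are review lists rather than verdicts: compare them against a known-good baseline taken on a clean image of the same build.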

Conclusion

The emergence of EDRStartupHinder highlights the dual-use nature of Windows mechanisms, which can be exploited by both security professionals and malicious actors. In laboratory settings, the tool has proven effective against Windows Defender and various commercial EDR and antivirus solutions. This underscores the need for continuous vigilance and adaptation in cybersecurity practices to counteract evolving threats.