
Building an EDR From Scratch Part 2 - Hooking DLL (Endpoint Detection and Response)

Incodenito

29m 0s · 695 words · ~4 min read
Auto-Generated

[0:11] Hey everyone, welcome to the first coding part of the Building an EDR from Scratch series. In the intro video I mentioned that we would start with the agent, but after thinking about it, I think it would be better to start with the hooking DLL. So in this video we're going to first take a look at what a hooking DLL is in the context of an EDR, and then we will dive into some coding and code out our hooking DLL. Our goal in this video is just to build out an MVP, or minimum viable product. That will be the basics of the DLL, and over time, once we get all of the components built out, we'll come back and add more to it. Okay, so now let's take a look at what a hooking DLL looks like from a technical perspective. Any time a process spawns, the EDR will inject a DLL. That DLL is the EDR's hooking DLL. This DLL allows the EDR to intercept API calls. So in this example here, we have NtProtectVirtualMemory hooked. When NtProtectVirtualMemory is called, the call is sent over to the hooking DLL prior to actually executing. Once it reaches the hooking DLL, we have a couple of options. The EDR can inspect the function call, inspect the arguments, log that activity, or block the activity if it deems it malicious. If it's not malicious, then generally the function call will be passed through. If it is malicious, then the application may be blocked or closed, or the activity will be blocked. Okay, so now that we have a basic understanding of how the hooking DLL works, let's go ahead and dive into some code.

[2:30] Before we dive into the code, really quick, I wanted to talk about a project that I'm working on called Evasion Games. I want to keep the content of Evasion Games kind of a surprise, but the ultimate goal is to have competitors in a competition competing to evade and bypass EDR. So if you think you have the skills to evade EDR, then definitely sign up, and as I come out with more information, I will send it to you. Thanks for the support. All right, so I have just created a new solution in Visual Studio and created a blank executable named DLL loader. We'll just create a main.cpp. This is going to be used to load our hooking DLL and test it. So we'll include windows.h and include iostream. And then we'll do a little bit different of an entry point. Normally we would use int main as our entry point, but we're going to do it a little differently this time. We're going to use WinMain, and that is to create a form application. This will allow us to kick off this executable, or this application, without a window.

[4:17] And you'll see why that's important later on. But you'll head over to the linker settings, and under System, change the subsystem to Windows. Once the subsystem is set to Windows, it will look for WinMain as the entry point. So now we want to create a new variable of type HMODULE. This will be the handle to our hooking DLL. We'll use LoadLibraryA, and eventually, once we create our DLL, we will put the file name here. And we just want to do a quick check. So we'll do an if: if the handle to our DLL is equal to NULL, that means we did not get a handle to it for whatever reason, so we'll just return from the application.

[6:55] Okay, so now we want to create our hooking DLL. So we're going to head over to Properties. We'll change protect to new protect.

[28:46] And we should be good to go. Simple as that. We'll change protect to new protect. We don't really need to make changes there.
