Rededr Maldev Analysis

Creating RedEdr, which receives all the inputs a normal EDR would, in order to analyze the detection surface of malware.

Notes

  • Memory map string is about 100'000 bytes when embedded into the JSON

    • measured with notepad on Win11
    • without IMAGE regions: 700 lines, 40'000 bytes
    • just private regions: 344 lines, 15'000 bytes
  • when to get process info?

    • from the kernel?
    • from userspace (SYSTEM process), after some delay?

EDR Input

ETW

ETW Kernel Process

ETW-TI

Kernel Callbacks

DLL Injection w/ KAPC

Analysis: Metasploit

autoload

noautoload

nonstaged