{"id":21469898,"url":"https://github.com/dobin/rededr","last_synced_at":"2025-07-15T06:32:21.916Z","repository":{"id":251398333,"uuid":"837091528","full_name":"dobin/RedEdr","owner":"dobin","description":"Collect Windows telemetry for Maldev","archived":false,"fork":false,"pushed_at":"2024-10-23T20:08:16.000Z","size":1403,"stargazers_count":14,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-10-24T05:30:34.114Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dobin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-02T07:37:35.000Z","updated_at":"2024-10-23T20:08:20.000Z","dependencies_parsed_at":"2024-09-13T08:08:15.329Z","dependency_job_id":"b02f53b1-c7bc-4231-9ed4-a7b5708c96a1","html_url":"https://github.com/dobin/RedEdr","commit_stats":null,"previous_names":["dobin/rededr"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FRedEdr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FRedEdr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FRedEdr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2FRedEdr/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dobin","download_url":"https://codeload.github.com/dobin/RedEdr/tar.gz/refs/heads/master","host":{"name"
:"GitHub","url":"https://github.com","kind":"github","repositories_count":226023402,"owners_count":17561453,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-23T09:19:20.473Z","updated_at":"2025-07-15T06:32:21.901Z","avatar_url":"https://github.com/dobin.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RedEdr\n\nDisplay events from Windows to see the detection surface of your malware.\n\nSame data as an EDR sees.\n\n* Find the telemetry your malware generates\n* Verify your anti-EDR techniques work\n* Debug and analyze malware\n\nRedEdr will observe one process, and identify malicious patterns.\nA normal EDR will observe all processes, and identify malicious processes.\n\nIt generates [JSON files](https://github.com/dobin/RedEdr/tree/master/Data)\ncollecting [the telemetry](https://github.com/dobin/RedEdr/blob/master/Doc/captured_events.md)\nof your RedTeaming tools.
\n\nTry it online at [rededr.r00ted.ch](https://rededr.r00ted.ch)\n\n\n## Screenshots\n\nThe following shellcode execution:\n```c\n\tDWORD dwOldProtection = 0;\n\tDWORD threadId = 0;\n\tPVOID shellcodeAddr = VirtualAlloc(NULL, payloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\n\tmemcpy(shellcodeAddr, payload, payloadSize);\n\tVirtualProtect(shellcodeAddr, payloadSize, PAGE_EXECUTE_READWRITE, \u0026dwOldProtection);\n\tHANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)shellcodeAddr, shellcodeAddr, 0, \u0026threadId);\n```\n\nThis can be detected in the RedEdr events by looking at\nthe RW-\u003eRWX VirtualProtect call and the following CreateThread invocation.\n\nWith ntdll.dll hooking:\n![RedEdr Screenshot ntdll.dll hooking](https://raw.github.com/dobin/RedEdr/master/Doc/screenshot-web-rwx-dll.png)\n\n\nETW events:\n![RedEdr Screenshot ETW](https://raw.github.com/dobin/RedEdr/master/Doc/screenshot-web-rwx-etw.png)\n\n\n## Implemented Telemetry Consumers\n\n* ETW\n  * Microsoft-Windows-Kernel-Process\n  * Microsoft-Windows-Kernel-Audit-API-Calls\n  * Microsoft-Windows-Security-Auditing\n    * needs SYSTEM\n    * restrictions apply, configure group policy\n  * And Defender\n    * Microsoft-Antimalware-Engine\n    * Microsoft-Antimalware-RTP\n    * Microsoft-Antimalware-AMFilter\n    * Microsoft-Antimalware-Scan-Interface\n    * Microsoft-Antimalware-Protection\n* ETW-TI (Threat Intelligence) with a PPL service via ELAM driver\n\n* Kernel Callbacks\n  * PsSetCreateProcessNotifyRoutine\n  * PsSetCreateThreadNotifyRoutine\n  * PsSetLoadImageNotifyRoutine\n  * (ObRegisterCallbacks, not used atm)\n\n* AMSI-style ntdll.dll hooking\n  * from kernelspace (KAPC from LoadImage callback)\n  * from userspace (ETW based, unreliable)\n\n* Callstacks\n  * On ntdll.dll hook invocation\n  * On several ETW events\n\n* Process query:\n  * PEB\n  * Loaded DLLs (and their regions)\n\n\n## Installation\n\nUse a dedicated VM for RedEdr. Tested on unlicensed (no Defender) Win10 Pro.
\nInstall VS2022 as we need its debug libraries.\n\nChange Windows boot options to enable self-signed kernel drivers and reboot.\nIn an admin cmd:\n```\nbcdedit /set testsigning on\nbcdedit -debug on\n```\n\nIf you use Hyper-V, uncheck \"Security -\u003e Enable Secure Boot\".\n\nExtract release.zip into `C:\\RedEdr`. **No other directories are supported.**\n\nWhitelist `C:\\RedEdr\\RedEdr.exe` in your AV (Defender).\n\nStart a terminal as local admin.\n\nChange into `C:\\RedEdr` and run `.\\RedEdr.exe`:\n```\nPS C:\\rededr\u003e .\\RedEdr.exe\nMaldev event recorder\nUsage:\n  RedEdr [OPTION...]\n  -t, --trace arg     Process name to trace\n  -e, --etw           Input: Consume ETW Events\n  -g, --etwti         Input: Consume ETW-TI Events\n  -m, --mplog         Input: Consume Defender mplog file\n  -k, --kernel        Input: Consume kernel callback events\n  -i, --inject        Input: Consume DLL injection\n  -w, --web           Output: Web server\n...\n```\n\nTry: `.\\RedEdr.exe --all --trace otepad`, and then start notepad\n(will be `notepad.exe` on Windows 10, `Notepad.exe` on Windows 11).\nThe log should be printed to stdout.\n\n\n## Standard Usage\n\nRedEdr will trace all processes whose image name (exe path) contains the given string.\n\nEnable all consumers, serve the web UI on [http://localhost:8080](http://localhost:8080),\nand disable output logging for performance:\n```\nPS \u003e .\\RedEdr.exe --all --web --hide --trace notepad.exe\n```\n\nBe aware that ETW-TI (and possibly other ETW providers) will record the DLL hooking events themselves\nwhen everything is enabled together like this. It is better to use one of the following configurations.\n\n\n### ntdll.dll hooking\n\nKAPC DLL injection for ntdll.dll hooking. That's what many EDRs depend on:\n```\nPS \u003e .\\RedEdr.exe --kernel --inject --trace notepad.exe\n```\n\nThis requires self-signed kernel modules to load.
\n\n\n### ETW \u0026 ETW-TI\n\nETW is mostly useful for MDE and Elastic.\n\nETW-TI requires an ELAM driver to start `RedEdrPplService`,\nand therefore requires the self-signed kernel driver option.\nMake a snapshot of your VM before doing this. Currently it's\nnot possible to remove the PPL service ever again.\n\n```\nPS \u003e .\\RedEdr.exe --etw --etwti --trace notepad.exe\n```\n\nIf you want ETW Microsoft-Windows-Security-Auditing, start as SYSTEM (`psexec -i -s cmd.exe`).\nSee `gpedit.msc -\u003e Computer Configuration -\u003e Windows Settings -\u003e Security Settings -\u003e Advanced Audit Policy Configuration -\u003e System Audit Policies - Local Group Policy object`\nfor the settings to log.\n\n\n## Detections\n\n* RWX allocation\n* RW-\u003eRX protection change\n* Callstack from non-image\n\n\n## Example Output\n\nSee the `Data/` directory:\n* [Data](https://github.com/dobin/RedEdr/tree/master/Data)\n\n\n## Hacking\n\nArch:\n```\n      ┌─────┐  ┌────────┐ ┌─────────┐  ┌──────┐                            \n      │ ETW │  │ ETW-TI │ │ Kernel  │  │ DLL  │                            \n      └──┬──┘  └───┬────┘ └────┬────┘  └──┬───┘                            \n         │         │           │          │                                \n         └─────────┴─────────┬─┴──────────┘                                \n                             │                                             \n                             │                                             \n                             ▼                                             \n                     ┌────────────────┐                                    \n                     │                │                                    \nEvent as JSON string │  Event         │                                    \n                     │  Aggregator    │                                    \n                     │                │               ┌──────────┐         \n                     └───────┬────────┘               
│ Process  │         \n                             │                        └──────────┘         \n                             │                             ▲               \n                             ▼                             │query          \n                     ┌────────────────┐                    │               \n                     │                │         ┌──────────┴────┐          \nEvent as JSON in C++ │  Event         ├────────►│ Process Query │          \n                     │  Processor     │         └─────────────┬─┘          \n                     │                │                       │add         \n                     └┬───────────────┘                       ▼            \n                      │                                    ┌──────────────┐\n                      │ ┌────────────────────────┐query    │              │\n                      ├─┤Event Augment           ├────────►┤  Mem Static  │\n                      │ └────────────────────────┘         │              │\n                      │ ┌────────────────────────┐add      └──────────────┘\n                      ├─┤Event Mem Tracker       ├──────┐                  \n                      │ └────────────────────────┘      │  ┌──────────────┐\n                      │ ┌────────────────────────┐query └─►│              │\n                      ├─┤Event Detection         ├───┐     │ Mem Dynamic  │\n                      │ └────────────────────────┘   └────►│              │\n                      ▼ ┌────────────────────────┐         └──────────────┘\n                      └─┤Event Storage \u0026 Output  │                         \n                        └────────────────────────┘                         \n```\n\nIPC:\n```\n  RedEdr.exe                                                                                       \n┌────────────┐                    ┌─────────────────┐                                             \n│            │   KERNEL_PIPE      │                 │    
KERNEL_PIPE: Events (wchar)              \n│            │◄───────────────────┤   Kernel Module │                                             \n│ Pipe Server│                    │                 │    IOCTL: Config (MY_DRIVER_DATA):          \n│            ├───────────────────►│                 │             filename                        \n│            │   IOCTL            └─────────────────┘             enable                          \n│            │                                                                                    \n│            │                                                                                    \n│            │                                                                                    \n│            │                                                                                    \n│            │                    ┌─────────────────┐                                             \n│            │   DLL_PIPE         │                 │  DLL_PIPE: 1: Config (wchar)   RedEdr -\u003e DLL\n│ Pipe Server│◄───────────────────┤  Injected DLL   │                 \"callstack:1;\"              \n│            │                    │                 │                                             \n│            │                    │                 │           \u003e1: Events (wchar)   RedEdr \u003c- DLL\n│            │                    └─────────────────┘                                             \n│            │                                                                                    \n│            │                                                                                    \n│            │                                                                                    \n│            │                    ┌─────────────────┐                                             \n│            │   PPL_PIPE         │                 │  DLL_PIPE: Events (wchar)                   \n│ Pipe Server│◄───────────────────┤  
ETW-TI Service │                                             \n│            │                    │  PPL            │                                             \n│            │   SERVICE_PIPE     │                 │  SERVICE_PIPE: Config (wchar)               \n│ Pipe Client├───────────────────►│                 │                  \"start:\u003cprocess name\u003e\"     \n│            │                    └─────────────────┘                                             \n│            │                                                                                    \n│            │                    ┌─────────────────┐                                             \n│            │◄───────────────────┤                 │                                             \n│            │                    │  ETW            │                                             \n│            │                    │                 │                                             \n│            │                    │                 │                                             \n│            │                    └─────────────────┘                                             \n│            │                                                                                    \n│            │                                                                                    \n└────────────┘                                                                                    \n```\n\n\n## Compiling \n\nGood luck.\n\nUse VS2022. 
Compile as DEBUG.\n\nTo compile the kernel driver: \n* Install WDK (+SDK): https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk\n\nIt should deploy everything into `C:\\RedEdr\\`.\n\n\n## Based on\n\nBased on MyDumbEdr\n* GPLv3\n* https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/\n* https://github.com/sensepost/mydumbedr\n* patched https://github.com/dobin/mydumbedr\n* which seems to use: https://github.com/CCob/SylantStrike/tree/master/SylantStrike\n\nWith KAPC injection from:\n* https://github.com/0xOvid/RootkitDiaries/\n* No license\n\nTo run as PPL: \n* https://github.com/pathtofile/PPLRunner/\n* No license\n\n\n## Libraries used\n\n* https://github.com/jarro2783/cxxopts, MIT\n* https://github.com/yhirose/cpp-httplib, MIT\n* https://github.com/nlohmann/json, MIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Frededr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdobin%2Frededr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Frededr/lists"}