Whitecat18
diff --git a/‎AMSI BYPASS/Amsi_simple_patch/Cargo.lock‎
Lines changed: 0 additions & 156 deletions b/‎AMSI BYPASS/Amsi_simple_patch/Cargo.lock‎
Lines changed: 0 additions & 156 deletions
diff --git a/‎Dynamic_Resolver/Cargo.lock‎
Lines changed: 0 additions & 156 deletions b/‎Dynamic_Resolver/Cargo.lock‎
Lines changed: 0 additions & 156 deletions
diff --git a/‎KiUserExceptionDispatcherStepOver/Cargo.lock‎
Lines changed: 0 additions & 7 deletions b/‎KiUserExceptionDispatcherStepOver/Cargo.lock‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎KiUserExceptionDispatcherStepOver/README.md‎
Lines changed: 12 additions & 6 deletions b/‎KiUserExceptionDispatcherStepOver/README.md‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎KiUserExceptionDispatcherStepOver/img/debug_print.png‎
101 KB b/‎KiUserExceptionDispatcherStepOver/img/debug_print.png‎
101 KB
@@ -1,4 +1,4 @@
-## Bypassing EDR Syscall Hooks with a **Custom Early Exception Handler**
+## Bypassing EDR Syscall Hooks with a Early Exception Handler
 
 The problem with the (VEH, SEH, etc..) are themselves **hooked and monitored heavily by modern EDRs**
 
@@ -9,17 +9,24 @@ Modern EDRs monitor **syscalls** by placing **inline hooks** (usually a `jmp` at
 
 so when you call hooked funcitons like `NtAllocateVirtualMemory`, `NtProtectVirtualMemory`, … the EDR gets the first chance to inspect the arguments and block the call.
 
-So we are developing our own exception handler without relying on VEH or SEH to manipulate exception handling before the VEH is called
+So to avoid detection, we can develop our own exception handler without relying on VEH or SEH to manipulate exception handling before the VEH is called.
+
+To know more about this, the Example poc has been described in detail in this blog: [Early Exception Handling](https://kr0tt.github.io/posts/early-exception-handling/)
+
+> Note: Please note that this poc uses hardcoded SSN just for demonstration of the PoC. in your practices you can extract and use SSN using syscall techniques using Hells/halos/tartarus gate: For Syscall technique you can visit this seciton: [Indirect Syscall]()
 
-The Amazing PoC has been described in-detail in this blog: []()
 ## PoC 
 
-We are going to test it on EDR Products. 
+We are going to test it on EDR Products. [Release Mode]
 
 ![image_1](./img/bypass_hooks1.png)
 
 ![image_2](./img/bypass_hooks2.png)
 
+Debug print that explains how this PoC works step by step [Debug Mode]
+
+![image_3](./img/debug_print.png)
+
 ## Usage
 
 To compile and run in debug mode. [To understand How this works]
@@ -40,12 +47,11 @@ To compile on release mode [Final]:
 cargo b -r 
 ```
 
-
 ## Credits / Resoucres
 
 - https://kr0tt.github.io/posts/early-exception-handling/
 - https://www.ibm.com/think/x-force/using-veh-for-defense-evasion-process-injection
 - https://mannyfreddy.gitbook.io/ya-boy-manny#fun-with-exception-handlers
 - https://revers.engineering/applied-re-exceptions/
+- https://github.com/joaoviictorti/dinvk/tree/main?tab=readme-ov-file#retrieving-module-addresses-and-exported-apis
 - https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
-