Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR in the Evolving Cyber Threat Landscape

Attackers and malware authors constantly adapt their tactics to bypass XDR and EDR solutions, aiming to achieve their malicious objectives.

This dynamic landscape of cyber threats extends beyond commodity malware and ransomware, with targeted attacks focusing on specific individuals, organizations, or industries.

This discussion centers on techniques that exploit ""Vectored Exception Handling"" mechanisms, which have become prevalent among malicious actors and Red teaming and Post Exploitation tools. These techniques allow forceful jumps to inject malicious code, discreetly bypass security products functions, like circumventing hooks and Windows' AMSI security feature.

By selectively evading EDR monitoring capabilities, this approach not only evades traditional security measures but also poses challenges for cybersecurity researchers and professionals conducting in-depth analysis.

When exceptions occur in a program, they are typically handled by catch blocks, managed by the Structured Exception Handler (SEH) on Windows.
Starting with Windows XP, Microsoft introduced Vectored Exception Handlers (VEH): an unframed exception handler mechanism enabling developers to override SEH at a higher level in their code.

Due to the priority in exception handling, researchers and actors have found ways to exploit VEH to alter command flow, bypass monitoring, and execute malicious code.
In this talk, we will explore Exception Handling internals, the VEH abuse and its effectiveness in bypassing EDR. We will Demo a bypass for AMSI mechanism, by crafting multiple VEH, in a technique we call VEH².

Additionally, we will discuss other potential uses of VEH code and provide insights into the detection of this bypass technique.