Summary
SR71 already has strong user-mode and kernel-assisted visibility, but it still has instability around direct syscall activity and post-hook control flow, because the kernel hooks are IRQL-dependent and heavy work cannot be done on their hot paths. A Process Instrumentation Callback (PIC) as another runtime visibility layer would be a valuable addition to Blackbird.
Modern malware can (and does) avoid normal API interception by jumping directly into syscalls, using clean syscall stubs, generating syscall instructions dynamically, or bypassing patched export paths entirely. A process instrumentation callback gives Blackbird a chance to observe user/kernel return transitions from inside the target process without relying solely on kernel hooks.
A lot of malware also registers its own PIC. Since SR71 injects early, the options around denying PIC creation or presenting a fake PIC are also very valuable. The existing kernel hooks could be leveraged to prevent PIC overwrites and to detect attempts to register another one.
Benefits
- Adds visibility into direct syscall behavior.
- Gives SR71 another angle when hooks are bypassed, removed, or avoided.
- Can help correlate suspicious syscall returns with user-mode call stacks, memory state, and loaded modules.
- A place to detect tampering attempts against instrumentation state.
- Improves confidence when running advanced samples that deliberately avoid common API surfaces.
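The per-transition classification step a PIC handler would perform to correlate a syscall return with the loaded-module map, as an added example in portable C (not Blackbird/SR71 code). It assumes the asm thunk hands over the original user-mode RIP (R10 on x64) and the syscall's return value (RAX), and the module ranges are constructed, not real addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed module map: what the handler would snapshot from the PEB loader
   list at process start. Base addresses and sizes below are made up. */
typedef struct { const char *name; uintptr_t base; size_t size; } ModuleRange;

static const ModuleRange g_modules[] = {
    { "ntdll.dll",    0x00007FF800000000ULL, 0x1F0000 },   /* constructed */
    { "kernel32.dll", 0x00007FF7FE000000ULL, 0x0C0000 },   /* constructed */
    { "sample.exe",   0x00007FF6A0000000ULL, 0x080000 },   /* constructed */
};
#define MODULE_COUNT (sizeof g_modules / sizeof g_modules[0])

typedef enum {
    RET_NTDLL = 0,      /* expected: return lands in an ntdll syscall stub */
    RET_OTHER_MODULE,   /* suspicious: syscall instruction lives in another image */
    RET_UNBACKED        /* highly suspicious: no loaded module owns the address */
} ReturnClass;

/* Classify the user-mode address the kernel is returning to. */
ReturnClass classify_return(uintptr_t rip, const ModuleRange *mods, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (rip >= mods[i].base && rip < mods[i].base + mods[i].size)
            return strcmp(mods[i].name, "ntdll.dll") == 0 ? RET_NTDLL
                                                           : RET_OTHER_MODULE;
    }
    return RET_UNBACKED;
}

/* Per-thread guard: the callback fires on every kernel-to-user transition, so a
   syscall issued while handling one would re-enter the handler on its return. */
static _Thread_local int g_in_callback;
static unsigned long g_counts[3];

/* Handler body the thunk would call with the saved R10/RAX. Returns the class
   recorded, or -1 when the call was suppressed by the re-entrancy guard. */
int pic_handle(uintptr_t rip, uintptr_t rax) {
    if (g_in_callback) return -1;
    g_in_callback = 1;
    ReturnClass c = classify_return(rip, g_modules, MODULE_COUNT);
    g_counts[c]++;
    (void)rax;   /* NTSTATUS of the completed syscall; log it with rip in practice */
    g_in_callback = 0;
    return (int)c;
}

unsigned long pic_count(ReturnClass c) { return g_counts[c]; }
```

Only the ntdll-backed case is expected in a clean process; an unbacked return is the signal for a dynamically generated syscall instruction, and a return into another image points at a private syscall stub.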