[portable] — Kshared Bypass
Abstract: Traditional userland memory scanners (e.g., EDRs using NtReadVirtualMemory) rely on accurate translation of virtual addresses to physical frames. The KShared Bypass technique exploits a specific feature of the Windows kernel (the KUSER_SHARED_DATA structure) to read physical memory without conventional API calls, thereby evading hooking and introspection. This paper examines the architectural mechanism, implementation methodology, and detection vectors associated with this bypass.

1. Introduction

Endpoint Detection and Response (EDR) systems commonly place hooks in userland APIs (e.g., ntdll!NtProtectVirtualMemory, kernel32!ReadProcessMemory) to monitor memory access. To bypass these hooks, adversaries have developed direct or indirect system calls. However, even direct syscalls can be monitored via kernel callbacks (PsSetCreateProcessNotifyRoutine, ObRegisterCallbacks).

// 3. Map the physical page containing remoteAddr (requires kernel RW)
// This is the actual bypass – no NtReadVirtualMemory used.

Because step 1 may require a syscall (e.g., NtQuerySystemInformation), many “pure” bypasses fail. However, advanced implementations use the PsActiveProcessHead exported via KdDebuggerDataBlock to walk the process list and retrieve the DirectoryTableBase (CR3) from the EPROCESS structure — all via physical reads.