Keypoints
- AVBurner uses a vulnerable driver (RTCore64.sys) to read/write kernel memory and locate the PspCreateProcessNotifyRoutine callback array.
- The malware parses the callback array and replaces targeted callback addresses with 0x0000000000000000 to disable EDR/AV process-creation monitoring.
- The sample targeted drivers matching metadata (e.g., containing “360”), demonstrating selective removal of specific security callbacks (Cisco AMP used in the demo).
- Volatility 3’s windows.callbacks and Volshell symbol queries (PspCreateProcessNotifyRoutineCount/ExCount) can reveal discrepancies (expected count vs. listed callbacks) indicating tampering.
- Volexity Volcano automates detection, highlighting disabled AV/EDR callbacks, affected kernel modules, and recently unloaded vulnerable drivers (e.g., RTCore64.sys dropped as a.sys).
- Recommended defenses: monitor for creation of known vulnerable drivers (RTCore64.sys and others from KDU), apply Microsoft mitigations where possible, and use available YARA rules to detect AVBurner.
MITRE Techniques
- [T1562.001] Disable or Modify Tools – Patching the PspCreateProcessNotifyRoutine entries to nullify security product callbacks so they appear present but do not execute. (‘replace the callback address with “0x00000000`00000000” which effectively disables the callback’)
- [T1068] Exploitation for Privilege Escalation – Abusing a vulnerable signed kernel driver (RTCore64.sys) to obtain kernel read/write and modify protected kernel structures. (‘abuse RTCore64.sys to identify the PspCreateProcessNotifyRoutine array’ / ‘abuse RTCore64.sys to replace the callback address’)
- [T1562] Impair Defenses – Targeted removal of callback entries for process/thread/image notifications to blind EDR/AV monitoring and allow further attacker actions. (‘the security software would appear to be running fine, but in reality, it was neutered and rendered useless’)
Indicators of Compromise
- [File hash] AVBurner sample – MD5: 494cc48a9856cf5b46fb13bcd68c256f, SHA256: 4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb
- [File name / dropped driver] Vulnerable driver used for BYOVD – RTCore64.sys (dropped as a.sys)
- [Malicious binary] AVBurner executable – execute.exe (Win64 EXE sample referenced)
- [Kernel modules affected] Targeted security drivers – CiscoAMPCEFWDriver.sys, CiscoAMP.sys (affected callbacks shown by Volcano)
AVBurner manipulates Windows kernel process-creation callbacks by locating the PspCreateProcessNotifyRoutine array (which holds up to 64 callback entries) and setting selected entries to NULL. Because userland cannot directly modify kernel memory, the malware bundles and abuses a vulnerable signed driver (RTCore64.sys, often used in BYOVD attacks) to read kernel memory, parse the callback array according to OS-dependent byte patterns, and overwrite callback addresses with 0x00000000`00000000. The sample demonstrated targeted removal of callbacks tied to specific drivers (the sample looked for metadata containing “360”; Volexity patched the sample to target Immunet/Cisco AMP for demonstration), and AVBurner can also manipulate thread-creation and image-load callbacks in addition to process-creation monitoring.
Detection via memory analysis relies on comparing the expected number of callbacks (PspCreateProcessNotifyRoutineCount + PspCreateProcessNotifyRoutineExCount) to the callbacks actually enumerated by tools. With Volatility 3 you can list callbacks using windows.callbacks and query the kernel variables via Volshell to detect a mismatch (in the example, the two counters sum to 13 while only 11 callbacks are listed). Automated tooling like Volexity Volcano highlights “Disabled AV/EDR Callbacks,” identifies affected kernel modules (including their full on-disk path), and surfaces recently unloaded vulnerable drivers (showing RTCore64.sys dropped as a.sys and unload timestamps) to support timelines and incident response.
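As an added illustration of the count-versus-enumeration check described above (example code, not Volexity's or the blog post's own), this Python model builds a constructed 64-slot array image and audits it the way a memory-analysis plugin would; the pointer values, slot indices and counter values are made up.

```python
import struct

SLOT_COUNT = 64                 # PspCreateProcessNotifyRoutine holds up to 64 entries
QWORD = struct.Struct("<Q")     # one 8-byte entry per slot on x64

def mask_fast_ref(value):
    """Real entries are EX_FAST_REF values: on x64 the low 4 bits hold a
    reference count, so strip them before treating the value as a pointer."""
    return value & ~0xF

def pack_array(pointers):
    """Build a 64-slot array image; unused slots are zero, which is also
    exactly what the nulling leaves behind (constructed sample data)."""
    slots = list(pointers) + [0] * (SLOT_COUNT - len(pointers))
    return b"".join(QWORD.pack(p) for p in slots)

def enumerate_callbacks(array_image):
    """Walk the array the way a callback-listing plugin does and return the
    (slot, pointer) pairs that are non-NULL."""
    assert len(array_image) == SLOT_COUNT * QWORD.size
    found = []
    for slot in range(SLOT_COUNT):
        raw = QWORD.unpack_from(array_image, slot * QWORD.size)[0]
        if raw != 0:
            found.append((slot, mask_fast_ref(raw)))
    return found

def audit_callbacks(array_image, count, ex_count):
    """Compare the registrations the kernel believes it has (Count + ExCount,
    read from the kernel symbols) with what the array actually lists. Writing
    zero into a slot bypasses the unregister path, so the counters keep their
    old value and the difference exposes the tampering."""
    expected = count + ex_count
    listed = enumerate_callbacks(array_image)
    return {"expected": expected, "listed": len(listed),
            "missing": expected - len(listed), "tampered": expected > len(listed)}

# Constructed sample: 13 registered callbacks (Count=9, ExCount=4); the
# pointer values are fake and 16-byte aligned, as real EX_FAST_REF targets are.
HEALTHY_PTRS = [0xFFFFF80012340000 + 0x100 * i for i in range(13)]
HEALTHY_IMAGE = pack_array(HEALTHY_PTRS)
# Constructed post-tampering image: slots 2 and 7 overwritten with zero.
TAMPERED_IMAGE = pack_array([0 if i in (2, 7) else p
                             for i, p in enumerate(HEALTHY_PTRS)])

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name, audit_callbacks(image, count=9, ex_count=4))  # tampered: missing 2
```

On a real memory image the array bytes and the two counters come from the kernel symbols (as queried through Volshell), and the same arithmetic applies to the thread-creation and image-load arrays the write-up says AVBurner can also touch.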
Mitigations and hunting suggestions: monitor for creation or loading of known vulnerable drivers (RTCore64.sys and other KDU-listed drivers), apply Microsoft-recommended mitigations where possible, use the published YARA rule to detect AVBurner, and incorporate memory-based checks (callback counts vs. listed callbacks) into forensic workflows to reveal EDR/AV tampering even when products report healthy status.
Read more: https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/