From 73b18abe6fa59b80a9d318f8cb91425d914cfa3c Mon Sep 17 00:00:00 2001
From: Dani Kamanovsky
Date: Sun, 3 Nov 2024 15:43:31 +0200
Subject: [PATCH 1/2] checking the SID structure for TokenIntegrityLevel
if the SID for TokenIntegrityLevel isn't the expected structure, GetSidSubAuthority might produce UB.
---
 utils.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/utils.c b/utils.c
index c0ed715..ac0cf1e 100644
--- a/utils.c
+++ b/utils.c
@@ -41,6 +41,13 @@ BOOL CheckProcessIntegrityLevel() {
 return FALSE;
 }
+ if (pTIL->Label.Sid == NULL || *GetSidSubAuthorityCount(pTIL->Label.Sid) < 1) {
+ printf("[-] SID structure is invalid.\n");
+ LocalFree(pTIL);
+ CloseHandle(hToken);
+ return FALSE;
+ }
+
 dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid, (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));
 if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID) {
@@ -218,13 +225,11 @@ BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderG
 return FALSE;
 }
- BOOL found = FALSE;
 for (UINT32 i = 0; i < numProviders; i++) {
 if (providers[i]->displayData.description != NULL) {
 if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
 *outProviderGUID = providers[i]->providerKey;
- found = TRUE;
- break;
+ return TRUE;
 }
 }
 }
@@ -235,5 +240,5 @@ BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderG
 FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
 FwpmEngineClose0(hEngine);
- return found;
+ return FALSE;
 }
From 5cb185b22f31504bbcc1e0248909e13dc8956edb Mon Sep 17 00:00:00 2001
From: Dani Kamanovsky
Date: Sun, 3 Nov 2024 15:52:39 +0200
Subject: [PATCH 2/2] merge https://github.com/netero1010/EDRSilencer/pull/22
---
 utils.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/utils.c b/utils.c
index ac0cf1e..ea2ae6a 100644
--- a/utils.c
+++ b/utils.c
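Review bot: The added guard reads `*GetSidSubAuthorityCount(pTIL->Label.Sid)` before anything has established that the SID is well-formed, so on a malformed SID it reaches the same undefined result the commit message wants to avoid; the documented structural check is `IsValidSid()`. Widen the condition to `if (pTIL->Label.Sid == NULL || !IsValidSid(pTIL->Label.Sid) || *GetSidSubAuthorityCount(pTIL->Label.Sid) < 1) {` so the sub-authority count is only read from a validated SID. A label SID handed back by GetTokenInformation(TokenIntegrityLevel) is kernel-built and should always pass, so this is defence in depth rather than a reachable fault — worth saying in a one-line comment above the check, e.g. `// Defensive: the integrity label SID is kernel-built, but validate it before reading its last sub-authority (the RID).` CheckProcessIntegrityLevel begins and ends outside this hunk.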
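Review bot: The `return TRUE` placed inside the loop exits GetProviderGUIDByDescription before the `FwpmProviderDestroyEnumHandle0(hEngine, enumHandle)` and `FwpmEngineClose0(hEngine)` calls that the following hunk shows after the loop, so every successful lookup leaks the enumeration handle and the WFP engine session (plus any FwpmFreeMemory0 of `providers` that may sit between them, not visible here). The `found = TRUE; break;` lines this hunk deletes were the correct shape; keep them and return `found` only after the cleanup. Patch 2/2 of this series puts exactly that back, so the two commits should be squashed rather than landing the leak in history. The function's prologue is outside this hunk.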
@@ -225,11 +225,13 @@ BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderG
 return FALSE;
 }
+ BOOL found = FALSE;
 for (UINT32 i = 0; i < numProviders; i++) {
 if (providers[i]->displayData.description != NULL) {
 if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
 *outProviderGUID = providers[i]->providerKey;
- return TRUE;
+ found = TRUE;
+ break;
 }
 }
 }
@@ -240,5 +242,5 @@ BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderG
 FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
 FwpmEngineClose0(hEngine);
- return FALSE;
+ return found;
 }
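Review bot: The `found = TRUE; break;` restored here is load-bearing but undocumented: an early return from inside the loop would skip the `FwpmProviderDestroyEnumHandle0`/`FwpmEngineClose0` cleanup the next hunk shows after the loop, which is precisely what patch 1/2 of this series did. Add a why-comment so the next reader does not "simplify" it again, e.g. `// Flag-and-break rather than return: the enum handle and engine session are released after the loop.` above the `BOOL found = FALSE;` line. Note also that the function returns FALSE both for "no provider matched" and for the earlier API failures, so callers cannot tell the cases apart — fine if intended, but worth a sentence in the function's header comment. The function's prologue lies outside this hunk.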