Mirrors/netero1010-edrsilencer
1
0
Fork 0
mirror of https://github.com/netero1010/EDRSilencer.git synced 2026-06-08 17:07:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Mirrors/netero1010-edrsilencer:1.3
Branches Tags
Mirrors/netero1010-edrsilencer:main
Mirrors/netero1010-edrsilencer:1.4 Mirrors/netero1010-edrsilencer:1.3 Mirrors/netero1010-edrsilencer:1.2 Mirrors/netero1010-edrsilencer:1.1 Mirrors/netero1010-edrsilencer:1.0
...
compare: Mirrors/netero1010-edrsilencer:main
Branches Tags
Mirrors/netero1010-edrsilencer:main
Mirrors/netero1010-edrsilencer:1.4 Mirrors/netero1010-edrsilencer:1.3 Mirrors/netero1010-edrsilencer:1.2 Mirrors/netero1010-edrsilencer:1.1 Mirrors/netero1010-edrsilencer:1.0

6 Commits
1.3 ... main

Author SHA1 Message Date
netero1010 0e73a7037e Verion 1.4: bug fixes 2024-11-03 23:52:18 +08:00
Chris Au dde9400fa9 Merge pull request #23 from danikdanik/patch-2 
checking the SID structure for TokenIntegrityLevel
 2024-11-03 23:43:54 +08:00
Dani Kamanovsky 5cb185b22f merge https://github.com/netero1010/EDRSilencer/pull/22 2024-11-03 15:52:39 +02:00
Dani Kamanovsky 73b18abe6f checking the SID structure for TokenIntegrityLevel 
if the SID for TokenIntegrityLevel isn't the expected structure, GetSidSubAuthority might produce UB.
 2024-11-03 15:43:31 +02:00
Chris Au 9863ce4193 Merge pull request #22 from danikdanik/patch-1 
memory leak in GetProviderGUIDByDescription
 2024-11-03 21:42:48 +08:00
Dani Kamanovsky c8eebc0d98 memory leak in GetProviderGUIDByDescription 
memory allocation is not freed if a match is found in the loop, leading to a memory leak
 2024-11-03 15:29:25 +02:00
2 changed files with 20 additions and 5 deletions
Expand all files Collapse all files
EDRSilencer.c
+7 -1
View File
@@ -172,6 +172,9 @@ void BlockEdrProcessTraffic() {
filter.flags = FWPM_FILTER_FLAG_PERSISTENT; filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
filter.action.type = FWP_ACTION_BLOCK; filter.action.type = FWP_ACTION_BLOCK;
UINT64 weightValue = 0xFFFFFFFFFFFFFFFF;
filter.weight.type = FWP_UINT64;
filter.weight.uint64 = &weightValue;
cond.fieldKey = FWPM_CONDITION_ALE_APP_ID; cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
cond.matchType = FWP_MATCH_EQUAL; cond.matchType = FWP_MATCH_EQUAL;
cond.conditionValue.type = FWP_BYTE_BLOB_TYPE; cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
@@ -277,6 +280,9 @@ void BlockProcessTraffic(char* fullPath) {
filter.flags = FWPM_FILTER_FLAG_PERSISTENT; filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
filter.action.type = FWP_ACTION_BLOCK; filter.action.type = FWP_ACTION_BLOCK;
UINT64 weightValue = 0xFFFFFFFFFFFFFFFF;
filter.weight.type = FWP_UINT64;
filter.weight.uint64 = &weightValue;
cond.fieldKey = FWPM_CONDITION_ALE_APP_ID; cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
cond.matchType = FWP_MATCH_EQUAL; cond.matchType = FWP_MATCH_EQUAL;
cond.conditionValue.type = FWP_BYTE_BLOB_TYPE; cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
@@ -428,7 +434,7 @@ void UnblockWfpFilter(UINT64 filterId) {
void PrintHelp() { void PrintHelp() {
printf("Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>\n"); printf("Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>\n");
printf("Version: 1.3\n"); printf("Version: 1.4\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n"); printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n");
printf(" EDRSilencer.exe blockedr\n\n"); printf(" EDRSilencer.exe blockedr\n\n");
printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n"); printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n");
utils.c
+12 -3
View File
@@ -41,6 +41,13 @@ BOOL CheckProcessIntegrityLevel() {
return FALSE; return FALSE;
} }
if (pTIL->Label.Sid == NULL || *GetSidSubAuthorityCount(pTIL->Label.Sid) < 1) {
printf("[-] SID structure is invalid.\n");
LocalFree(pTIL);
CloseHandle(hToken);
return FALSE;
}
dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid, (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1)); dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid, (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));
if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID) { if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID) {
@@ -134,7 +141,7 @@ ErrorCode ConvertToNtPath(PCWSTR filePath, wchar_t* ntPathBuffer, size_t bufferS
return CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME; return CUSTOM_FAILED_TO_GET_DOS_DEVICE_NAME;
} }
swprintf(ntPathBuffer, bufferSize, L"%S%S", ntDrivePath, filePath + wcslen(driveName)); swprintf(ntPathBuffer, bufferSize, L"%ls%ls", ntDrivePath, filePath + wcslen(driveName));
for (size_t i = 0; ntPathBuffer[i] != L'\0'; ++i) { for (size_t i = 0; ntPathBuffer[i] != L'\0'; ++i) {
ntPathBuffer[i] = towlower(ntPathBuffer[i]); ntPathBuffer[i] = towlower(ntPathBuffer[i]);
@@ -218,11 +225,13 @@ BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderG
return FALSE; return FALSE;
} }
BOOL found = FALSE;
for (UINT32 i = 0; i < numProviders; i++) { for (UINT32 i = 0; i < numProviders; i++) {
if (providers[i]->displayData.description != NULL) { if (providers[i]->displayData.description != NULL) {
if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) { if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
*outProviderGUID = providers[i]->providerKey; *outProviderGUID = providers[i]->providerKey;
return TRUE; found = TRUE;
break;
} }
} }
} }
@@ -233,5 +242,5 @@ BOOL GetProviderGUIDByDescription(PCWSTR providerDescription, GUID* outProviderG
FwpmProviderDestroyEnumHandle0(hEngine, enumHandle); FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
FwpmEngineClose0(hEngine); FwpmEngineClose0(hEngine);
return FALSE; return found;
} }