From 43cea1f08b8c8cd41b5c8a78fbdc1ac93d9f4504 Mon Sep 17 00:00:00 2001 
From: Maxime Meignan
Date: Fri, 6 Oct 2023 16:12:52 +0200
Subject: [PATCH] small cleanup in header files
---
 EDRSandblast/Drivers/DriverDBUtil.c | 3 +-
 EDRSandblast/EDRSandblast.vcxproj | 2 +-
 EDRSandblast/EDRSandblast.vcxproj.filters | 6 ++--
 .../Includes/KernelMemoryPrimitives.h | 7 ----
 .../PrintFunctions.h} | 12 -------
 EDRSandblast/Includes/RemotePEBBrowser.h | 1 -
 EDRSandblast/Includes/SyscallProcessUtils.h | 3 --
 EDRSandblast/Includes/WindowsServiceOps.h | 5 ---
 .../KernellandBypass/ETWThreatIntel.c | 2 +-
 .../KernellandBypass/KernelCallbacks.c | 2 +-
 EDRSandblast/KernellandBypass/KernelDSE.c | 1 -
 EDRSandblast/KernellandBypass/KernelUtils.c | 2 +-
 .../KernellandBypass/ObjectCallbacks.c | 2 +-
 .../LSASSProtectionBypass/CredGuard.c | 2 +-
 EDRSandblast/LSASSProtectionBypass/RunAsPPL.c | 2 +-
 EDRSandblast/UserlandBypass/Firewalling.c | 3 +-
 .../ProcessDumpDirectSyscalls.c | 1 +
 EDRSandblast/UserlandBypass/UserlandHooks.c | 2 +-
 EDRSandblast/Utils/CiOffsets.c | 2 +-
 EDRSandblast/Utils/DriverOps.c | 2 +-
 EDRSandblast/Utils/FileVersion.c | 2 +-
 EDRSandblast/Utils/FirewallOps.cpp | 2 +-
 EDRSandblast/Utils/HttpClient.c | 3 +-
 EDRSandblast/Utils/IsEDRChecks.c | 3 +-
 EDRSandblast/Utils/KernelMemoryPrimitives.c | 1 -
 EDRSandblast/Utils/KernelPatternSearch.c | 3 +-
 EDRSandblast/Utils/NtoskrnlOffsets.c | 2 +-
 EDRSandblast/Utils/PEBBrowse.c | 2 +-
 EDRSandblast/Utils/PEParser.c | 4 ++-
 EDRSandblast/Utils/PdbSymbols.c | 2 +-
 EDRSandblast/Utils/ProcessDump.c | 2 +-
 EDRSandblast/Utils/RemotePEBBrowser.c | 1 +
 EDRSandblast/Utils/SignatureOps.c | 2 +-
 EDRSandblast/Utils/SyscallProcessUtils.c | 6 ++++
 EDRSandblast/Utils/WdigestOffsets.c | 2 +-
 EDRSandblast/Utils/WindowsServiceOps.c | 9 ++++-
 EDRSandblast_CLI/EDRSandblast.c | 14 +++++++-
 EDRSandblast_CLI/EDRSandblast_CLI.vcxproj | 4 +--
 EDRSandblast_StaticLibrary/EDRSandblast_API.c | 33 ++++++++++---------
 EDRSandblast_StaticLibrary/EDRSandblast_API.h | 4 ++-
 .../EDRSandblast_StaticLibrary.vcxproj | 6 ++++
 41 files changed, 91
insertions(+), 78 deletions(-) rename EDRSandblast/{EDRSandBlast.h => Includes/PrintFunctions.h} (56%) diff --git a/EDRSandblast/Drivers/DriverDBUtil.c b/EDRSandblast/Drivers/DriverDBUtil.c index 333e066..37408e2 100644 --- a/EDRSandblast/Drivers/DriverDBUtil.c +++ b/EDRSandblast/Drivers/DriverDBUtil.c @@ -2,7 +2,8 @@ #include #include -#include "../EDRSandblast.h" +#include "PrintFunctions.h" + /* * "DBUtil_2_3.sys" (SHA256: 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5) diff --git a/EDRSandblast/EDRSandblast.vcxproj b/EDRSandblast/EDRSandblast.vcxproj index 2fab87c..a982537 100644 --- a/EDRSandblast/EDRSandblast.vcxproj +++ b/EDRSandblast/EDRSandblast.vcxproj @@ -201,13 +201,13 @@ - + diff --git a/EDRSandblast/EDRSandblast.vcxproj.filters b/EDRSandblast/EDRSandblast.vcxproj.filters index 0f2bf37..ce385a3 100644 --- a/EDRSandblast/EDRSandblast.vcxproj.filters +++ b/EDRSandblast/EDRSandblast.vcxproj.filters @@ -236,9 +236,6 @@ Header Files - - Header Files - Header Files @@ -248,6 +245,9 @@ Header Files + + Header Files + diff --git a/EDRSandblast/Includes/KernelMemoryPrimitives.h b/EDRSandblast/Includes/KernelMemoryPrimitives.h index a95553d..866520e 100644 --- a/EDRSandblast/Includes/KernelMemoryPrimitives.h +++ b/EDRSandblast/Includes/KernelMemoryPrimitives.h @@ -1,10 +1,3 @@ -/* - ---- Kernel memory Read / Write primitives through the vulnerable Micro-Star MSI Afterburner driver. ---- Source and credit: https://github.com/Barakat/CVE-2019-16098/blob/master/CVE-2019-16098.cpp - -*/ - #pragma once #include diff --git a/EDRSandblast/EDRSandBlast.h b/EDRSandblast/Includes/PrintFunctions.h similarity index 56% rename from EDRSandblast/EDRSandBlast.h rename to EDRSandblast/Includes/PrintFunctions.h index 7e79bbe..b8a7260 100644 --- a/EDRSandblast/EDRSandBlast.h +++ b/EDRSandblast/Includes/PrintFunctions.h 
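Review bot: The `@@ -1,10 +1,3 @@` hunk of EDRSandblast/Includes/KernelMemoryPrimitives.h deletes the only attribution for the kernel read/write primitives (`--- Source and credit: https://github.com/Barakat/CVE-2019-16098/blob/master/CVE-2019-16098.cpp`) and nothing else in this patch re-adds it. If the implementation in EDRSandblast/Utils/KernelMemoryPrimitives.c is still derived from that file, the credit is a provenance and licensing obligation rather than header clutter, and it should move with the code instead of disappearing, e.g. as the file comment of KernelMemoryPrimitives.c: `/* Kernel memory read/write primitives derived from https://github.com/Barakat/CVE-2019-16098 — keep this credit. */`. The old comment's reference to the MSI Afterburner driver may well be stale (the .c now includes DriverDBUtil.h and DriverGDRV.h), which is a reason to reword the credit, not to drop it.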
@@ -1,17 +1,5 @@ #pragma once -//TODO P1 : implement a "clean" mode that only removes the driver if installed -//TODO P2 : replace all instances of exit(1) by a clean_exit() function that uninstalls the driver before exiting -typedef enum _START_MODE { - dump, - cmd, - credguard, - audit, - firewall, - load, - none -} START_MODE; - #define NO_STRINGS 0 #if NO_STRINGS diff --git a/EDRSandblast/Includes/RemotePEBBrowser.h b/EDRSandblast/Includes/RemotePEBBrowser.h index 7d8f664..c1ccb1e 100644 --- a/EDRSandblast/Includes/RemotePEBBrowser.h +++ b/EDRSandblast/Includes/RemotePEBBrowser.h @@ -1,7 +1,6 @@ #include #include -#include "../EDRSandblast.h" #include "Undoc.h" typedef struct _MODULE_INFO { diff --git a/EDRSandblast/Includes/SyscallProcessUtils.h b/EDRSandblast/Includes/SyscallProcessUtils.h index 410e602..0d5e2d5 100644 --- a/EDRSandblast/Includes/SyscallProcessUtils.h +++ b/EDRSandblast/Includes/SyscallProcessUtils.h @@ -2,9 +2,6 @@ #include #include -#include "../EDRSandblast.h" -#include "SW2_Syscalls.h" - #define ProcessImageFileName 27 DWORD SandGetProcessPID(HANDLE hProcess); diff --git a/EDRSandblast/Includes/WindowsServiceOps.h b/EDRSandblast/Includes/WindowsServiceOps.h index 1da06e5..1cf1744 100644 --- a/EDRSandblast/Includes/WindowsServiceOps.h +++ b/EDRSandblast/Includes/WindowsServiceOps.h @@ -1,10 +1,5 @@ #pragma once -#include -#include -#include -#include -#include #if !defined(PRINT_ERROR_AUTO) #define PRINT_ERROR_AUTO(func) _tprintf_or_not(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError()) diff --git a/EDRSandblast/KernellandBypass/ETWThreatIntel.c b/EDRSandblast/KernellandBypass/ETWThreatIntel.c index fa7120a..d05cca9 100644 --- a/EDRSandblast/KernellandBypass/ETWThreatIntel.c +++ b/EDRSandblast/KernellandBypass/ETWThreatIntel.c 
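Review bot: In the `@@ -1,10 +1,5 @@` hunk of EDRSandblast/Includes/WindowsServiceOps.h the header loses all five of its includes (names stripped in this rendering) but keeps the `PRINT_ERROR_AUTO` macro, which expands to `_tprintf_or_not`, `TEXT`, `__FUNCTION__` and `GetLastError()`; the header is therefore no longer self-contained and only compiles in a translation unit that has already pulled in the Windows headers and PrintFunctions.h. The new Utils/WindowsServiceOps.c and DriverOps.c happen to include "PrintFunctions.h" first, so the build is unaffected, but any future includer will fail on the first expansion of the macro with an unhelpful error. Either restore the minimum the macro needs in this header (`#include <windows.h>`, `#include <tchar.h>` and `#include "PrintFunctions.h"`, assuming `_tprintf_or_not` is defined there, which the rename hunk does not show) or move `PRINT_ERROR_AUTO` into PrintFunctions.h, which would also make the `#if !defined(PRINT_ERROR_AUTO)` guard unnecessary.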
@@ -8,10 +8,10 @@ #include #include -#include "../EDRSandBlast.h" #include "ETWThreatIntel.h" #include "KernelMemoryPrimitives.h" #include "NtoskrnlOffsets.h" +#include "PrintFunctions.h" DWORD64 GetEtwThreatInt_ProviderEnableInfoAddress(BOOL verbose) { diff --git a/EDRSandblast/KernellandBypass/KernelCallbacks.c b/EDRSandblast/KernellandBypass/KernelCallbacks.c index 2eb57ec..c7ce876 100644 --- a/EDRSandblast/KernellandBypass/KernelCallbacks.c +++ b/EDRSandblast/KernellandBypass/KernelCallbacks.c @@ -7,7 +7,6 @@ #include -#include "../EDRSandblast.h" #include "FileUtils.h" #include "FileVersion.h" #include "IsEDRChecks.h" @@ -16,6 +15,7 @@ #include "NtoskrnlOffsets.h" #include "PEParser.h" #include "PdbSymbols.h" +#include "PrintFunctions.h" #include "KernelCallbacks.h" diff --git a/EDRSandblast/KernellandBypass/KernelDSE.c b/EDRSandblast/KernellandBypass/KernelDSE.c index 79430b6..95e243c 100644 --- a/EDRSandblast/KernellandBypass/KernelDSE.c +++ b/EDRSandblast/KernellandBypass/KernelDSE.c @@ -1,6 +1,5 @@ #include "windows.h" #include "KernelDSE.h" -#include "../EDRSandblast.h" #include "winternl.h" #include "stdio.h" // for printf //#include "ntstatus.h" diff --git a/EDRSandblast/KernellandBypass/KernelUtils.c b/EDRSandblast/KernellandBypass/KernelUtils.c index 3c3c56c..4b2b9cd 100644 --- a/EDRSandblast/KernellandBypass/KernelUtils.c +++ b/EDRSandblast/KernellandBypass/KernelUtils.c @@ -2,7 +2,7 @@ #include #include -#include "../EDRSandblast.h" +#include "PrintFunctions.h" DWORD64 g_NtoskrnlBaseAddress; DWORD64 FindNtoskrnlBaseAddress(void) { diff --git a/EDRSandblast/KernellandBypass/ObjectCallbacks.c b/EDRSandblast/KernellandBypass/ObjectCallbacks.c index 22a78d4..965fc79 100644 --- a/EDRSandblast/KernellandBypass/ObjectCallbacks.c +++ b/EDRSandblast/KernellandBypass/ObjectCallbacks.c @@ -1,7 +1,6 @@ #include #include -#include "../EDRSandblast.h" #include "IsEDRChecks.h" #include "PdbSymbols.h" #include "NtoskrnlOffsets.h" 
@@ -9,6 +8,7 @@ #include "KernelUtils.h" #include "FileVersion.h" #include "KernelCallbacks.h" +#include "PrintFunctions.h" #include "ObjectCallbacks.h" diff --git a/EDRSandblast/LSASSProtectionBypass/CredGuard.c b/EDRSandblast/LSASSProtectionBypass/CredGuard.c index e328394..8dab310 100644 --- a/EDRSandblast/LSASSProtectionBypass/CredGuard.c +++ b/EDRSandblast/LSASSProtectionBypass/CredGuard.c @@ -4,7 +4,7 @@ #include #include -#include "../EDRSandblast.h" +#include "PrintFunctions.h" #include "WdigestOffsets.h" DWORD WINAPI disableCredGuardByPatchingLSASS(void) { diff --git a/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c b/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c index 52c8e2b..79cee47 100644 --- a/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c +++ b/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c @@ -6,9 +6,9 @@ */ #include -#include "../EDRSandblast.h" #include "KernelMemoryPrimitives.h" #include "NtoskrnlOffsets.h" +#include "PrintFunctions.h" #include "Undoc.h" #include "RunAsPPL.h" diff --git a/EDRSandblast/UserlandBypass/Firewalling.c b/EDRSandblast/UserlandBypass/Firewalling.c index 881f1d2..e62a68e 100644 --- a/EDRSandblast/UserlandBypass/Firewalling.c +++ b/EDRSandblast/UserlandBypass/Firewalling.c @@ -3,7 +3,8 @@ --- Firewall rules to block EDR products from the network (inboud / outbound connections). */ -#include "../EDRSandblast.h" +#include "PrintFunctions.h" + #include "Firewalling.h" HRESULT FirewallBlockEDRBinaries(fwBlockingRulesList* sFWEntries) { diff --git a/EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c b/EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c index 1f9430f..c645c3b 100644 --- a/EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c +++ b/EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c @@ -2,6 +2,7 @@ #include #include "ListUtils.h" +#include "PrintFunctions.h" #include "RemotePEBBrowser.h" #include "StringUtils.h" #include "SyscallProcessUtils.h" 
diff --git a/EDRSandblast/UserlandBypass/UserlandHooks.c b/EDRSandblast/UserlandBypass/UserlandHooks.c index ac70545..436efa7 100644 --- a/EDRSandblast/UserlandBypass/UserlandHooks.c +++ b/EDRSandblast/UserlandBypass/UserlandHooks.c @@ -6,9 +6,9 @@ #include #include -#include "../EDRSandblast.h" #include "FileUtils.h" #include "UserlandHooks.h" +#include "PrintFunctions.h" #include "PEBBrowse.h" #include "Undoc.h" #include "Syscalls.h" diff --git a/EDRSandblast/Utils/CiOffsets.c b/EDRSandblast/Utils/CiOffsets.c index 9b99727..d66d48f 100644 --- a/EDRSandblast/Utils/CiOffsets.c +++ b/EDRSandblast/Utils/CiOffsets.c @@ -9,9 +9,9 @@ #include #include -#include "../EDRSandblast.h" #include "FileVersion.h" #include "PdbSymbols.h" +#include "PrintFunctions.h" #include "CiOffsets.h" diff --git a/EDRSandblast/Utils/DriverOps.c b/EDRSandblast/Utils/DriverOps.c index 815583e..f69049d 100644 --- a/EDRSandblast/Utils/DriverOps.c +++ b/EDRSandblast/Utils/DriverOps.c @@ -12,7 +12,7 @@ #include "DriverOps.h" -#include "../EDRSandblast.h" +#include "PrintFunctions.h" #include "StringUtils.h" #include "WindowsServiceOps.h" /* diff --git a/EDRSandblast/Utils/FileVersion.c b/EDRSandblast/Utils/FileVersion.c index 63949c7..7b3bf72 100644 --- a/EDRSandblast/Utils/FileVersion.c +++ b/EDRSandblast/Utils/FileVersion.c @@ -6,7 +6,7 @@ #include #include -#include "../EDRSandblast.h" +#include "PrintFunctions.h" #include "FileVersion.h" diff --git a/EDRSandblast/Utils/FirewallOps.cpp b/EDRSandblast/Utils/FirewallOps.cpp index 150d227..0b7b95e 100644 --- a/EDRSandblast/Utils/FirewallOps.cpp +++ b/EDRSandblast/Utils/FirewallOps.cpp @@ -1,5 +1,5 @@ extern "C" { -#include "../EDRSandblast.h" +#include "PrintFunctions.h" #include "FirewallOps.h" } diff --git a/EDRSandblast/Utils/HttpClient.c b/EDRSandblast/Utils/HttpClient.c index 19ab7fa..2f3b81e 100644 --- a/EDRSandblast/Utils/HttpClient.c +++ b/EDRSandblast/Utils/HttpClient.c 
@@ -4,7 +4,8 @@ #include #include -#include "../EDRSandblast.h" +#include "PrintFunctions.h" + #include "HttpClient.h" diff --git a/EDRSandblast/Utils/IsEDRChecks.c b/EDRSandblast/Utils/IsEDRChecks.c index 2081402..4e9b828 100644 --- a/EDRSandblast/Utils/IsEDRChecks.c +++ b/EDRSandblast/Utils/IsEDRChecks.c @@ -1,4 +1,5 @@ -#include "../EDRSandblast.h" +#include "PrintFunctions.h" + #include "IsEDRChecks.h" /* diff --git a/EDRSandblast/Utils/KernelMemoryPrimitives.c b/EDRSandblast/Utils/KernelMemoryPrimitives.c index f5018cd..8cbb0ab 100644 --- a/EDRSandblast/Utils/KernelMemoryPrimitives.c +++ b/EDRSandblast/Utils/KernelMemoryPrimitives.c @@ -7,7 +7,6 @@ #include "DriverDBUtil.h" #include "DriverGDRV.h" #include "KernelUtils.h" -#include "../EDRSandblast.h" #include "KernelMemoryPrimitives.h" diff --git a/EDRSandblast/Utils/KernelPatternSearch.c b/EDRSandblast/Utils/KernelPatternSearch.c index 81c68ef..b9226eb 100644 --- a/EDRSandblast/Utils/KernelPatternSearch.c +++ b/EDRSandblast/Utils/KernelPatternSearch.c @@ -6,9 +6,10 @@ */ #include #include + #include "KernelMemoryPrimitives.h" #include "KernelUtils.h" -#include "../EDRSandblast.h" +#include "PrintFunctions.h" DWORD64 PatternSearchStartingFromAddress(DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask) { for (DWORD i = 0; i < bytesToScan; i++) { diff --git a/EDRSandblast/Utils/NtoskrnlOffsets.c b/EDRSandblast/Utils/NtoskrnlOffsets.c index 5fbee28..7213dc7 100644 --- a/EDRSandblast/Utils/NtoskrnlOffsets.c +++ b/EDRSandblast/Utils/NtoskrnlOffsets.c @@ -8,8 +8,8 @@ #include #include "FileVersion.h" +#include "PrintFunctions.h" #include "PdbSymbols.h" -#include "../EDRSandblast.h" #include "NtoskrnlOffsets.h" diff --git a/EDRSandblast/Utils/PEBBrowse.c b/EDRSandblast/Utils/PEBBrowse.c index 9bf88e7..e8bf8fd 100644 --- a/EDRSandblast/Utils/PEBBrowse.c +++ b/EDRSandblast/Utils/PEBBrowse.c 
@@ -2,9 +2,9 @@ * Functions that browse the PEB structure instead of relying on GetModuleHandle */ -#include "../EDRSandblast.h" #include "Undoc.h" #include "PEBBrowse.h" +#include "PrintFunctions.h" #include /* diff --git a/EDRSandblast/Utils/PEParser.c b/EDRSandblast/Utils/PEParser.c index 61c0cf7..abafff9 100644 --- a/EDRSandblast/Utils/PEParser.c +++ b/EDRSandblast/Utils/PEParser.c @@ -3,11 +3,13 @@ * Among other things, reimplements GetProcAddress and the PE relocation process */ -#include "../EDRSandblast.h" #include "PEParser.h" #include #include +#include "PrintFunctions.h" + + IMAGE_SECTION_HEADER* PE_sectionHeader_fromRVA(PE* pe, DWORD rva) { IMAGE_SECTION_HEADER* sectionHeaders = pe->sectionHeaders; for (DWORD sectionIndex = 0; sectionIndex < pe->ntHeader->FileHeader.NumberOfSections; sectionIndex++) { diff --git a/EDRSandblast/Utils/PdbSymbols.c b/EDRSandblast/Utils/PdbSymbols.c index 22c4818..e2198c7 100644 --- a/EDRSandblast/Utils/PdbSymbols.c +++ b/EDRSandblast/Utils/PdbSymbols.c @@ -3,10 +3,10 @@ #include #include -#include "../EDRSandblast.h" #include "FileUtils.h" #include "HttpClient.h" #include "PEParser.h" +#include "PrintFunctions.h" #include "PdbSymbols.h" diff --git a/EDRSandblast/Utils/ProcessDump.c b/EDRSandblast/Utils/ProcessDump.c index 3344cd7..48a6f40 100644 --- a/EDRSandblast/Utils/ProcessDump.c +++ b/EDRSandblast/Utils/ProcessDump.c @@ -8,8 +8,8 @@ #include #include -#include "../EDRSandblast.h" #include "PEParser.h" +#include "PrintFunctions.h" #include "ProcessDump.h" BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) { diff --git a/EDRSandblast/Utils/RemotePEBBrowser.c b/EDRSandblast/Utils/RemotePEBBrowser.c index 971352c..c320e58 100644 --- a/EDRSandblast/Utils/RemotePEBBrowser.c +++ b/EDRSandblast/Utils/RemotePEBBrowser.c @@ -1,3 +1,4 @@ +#include "PrintFunctions.h" #include "RemotePEBBrowser.h" #include "SW2_Syscalls.h" 
diff --git a/EDRSandblast/Utils/SignatureOps.c b/EDRSandblast/Utils/SignatureOps.c index 2b40a38..3d71547 100644 --- a/EDRSandblast/Utils/SignatureOps.c +++ b/EDRSandblast/Utils/SignatureOps.c @@ -1,5 +1,5 @@ #include "SignatureOps.h" -#include "../EDRSandblast.h" +#include "PrintFunctions.h" // Concat in pSigners output the list of Signer(s) signing the specified file on disk. SignatureOpsError GetFileSigners(TCHAR* pFilePath, TCHAR* outSigners, size_t* szOutSigners) { diff --git a/EDRSandblast/Utils/SyscallProcessUtils.c b/EDRSandblast/Utils/SyscallProcessUtils.c index b15841a..851e71c 100644 --- a/EDRSandblast/Utils/SyscallProcessUtils.c +++ b/EDRSandblast/Utils/SyscallProcessUtils.c @@ -1,3 +1,9 @@ +#include +#include + +#include "SW2_Syscalls.h" +#include "PrintFunctions.h" + #include "SyscallProcessUtils.h" // Retrieve a given process PID. diff --git a/EDRSandblast/Utils/WdigestOffsets.c b/EDRSandblast/Utils/WdigestOffsets.c index 09317ea..d6b22d1 100644 --- a/EDRSandblast/Utils/WdigestOffsets.c +++ b/EDRSandblast/Utils/WdigestOffsets.c @@ -9,9 +9,9 @@ #include #include -#include "../EDRSandblast.h" #include "FileVersion.h" #include "PdbSymbols.h" +#include "PrintFunctions.h" #include "WdigestOffsets.h" diff --git a/EDRSandblast/Utils/WindowsServiceOps.c b/EDRSandblast/Utils/WindowsServiceOps.c index fe1c411..69f1fad 100644 --- a/EDRSandblast/Utils/WindowsServiceOps.c +++ b/EDRSandblast/Utils/WindowsServiceOps.c @@ -1,4 +1,11 @@ -#include "../EDRSandblast.h" +#include +#include +#include +#include +#include + +#include "PrintFunctions.h" + #include "WindowsServiceOps.h" BOOL ServiceAddEveryoneAccess(SC_HANDLE serviceHandle) { diff --git a/EDRSandblast_CLI/EDRSandblast.c b/EDRSandblast_CLI/EDRSandblast.c index 86400f1..0b994af 100644 --- a/EDRSandblast_CLI/EDRSandblast.c +++ b/EDRSandblast_CLI/EDRSandblast.c 
@@ -22,6 +22,7 @@ #include "NtoskrnlOffsets.h" #include "ObjectCallbacks.h" #include "PEBBrowse.h" +#include "PrintFunctions.h" #include "RunAsPPL.h" #include "Syscalls.h" #include "Undoc.h" @@ -30,7 +31,18 @@ #include "CiOffsets.h" #include "KernelDSE.h" -#include "../EDRSandblast/EDRSandblast.h" +//TODO P1 : implement a "clean" mode that only removes the driver if installed +//TODO P2 : replace all instances of exit(1) by a clean_exit() function that uninstalls the driver before exiting + +typedef enum _START_MODE { + dump, + cmd, + credguard, + audit, + firewall, + load, + none +} START_MODE; typedef NTSTATUS(NTAPI* NtQueryInformationProcess_f)( HANDLE ProcessHandle, diff --git a/EDRSandblast_CLI/EDRSandblast_CLI.vcxproj b/EDRSandblast_CLI/EDRSandblast_CLI.vcxproj index eb30c58..82acaa6 100644 --- a/EDRSandblast_CLI/EDRSandblast_CLI.vcxproj +++ b/EDRSandblast_CLI/EDRSandblast_CLI.vcxproj @@ -74,12 +74,12 @@ - $(SolutionDir)\EDRSandblast\Includes;$(IncludePath) + $(SolutionDir)EDRSandblast\Includes;$(IncludePath) $(LibraryPath) EDRSandblast - $(SolutionDir)\EDRSandblast\Includes;$(IncludePath) + $(SolutionDir)EDRSandblast\Includes;$(IncludePath) $(LibraryPath) EDRSandblast diff --git a/EDRSandblast_StaticLibrary/EDRSandblast_API.c b/EDRSandblast_StaticLibrary/EDRSandblast_API.c index 544acc0..f284205 100644 --- a/EDRSandblast_StaticLibrary/EDRSandblast_API.c +++ b/EDRSandblast_StaticLibrary/EDRSandblast_API.c 
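Review bot: The `@@ -30,7 +31,18 @@` hunk of EDRSandblast_CLI/EDRSandblast.c moves `START_MODE` out of the shared header into the CLI translation unit but keeps its unprefixed lowercase enumerators (`dump`, `cmd`, `credguard`, `audit`, `firewall`, `load`, `none`); in C these are ordinary file-scope identifiers, so any local, parameter or function in this file named `cmd`, `load` or `none` now collides with them. Since the enum is file-private after this change, the cost of renaming is contained: `typedef enum _START_MODE { MODE_DUMP, MODE_CMD, MODE_CREDGUARD, MODE_AUDIT, MODE_FIREWALL, MODE_LOAD, MODE_NONE } START_MODE;` plus the uses below the hunk. The move also means EDRSandblast_StaticLibrary can no longer name `START_MODE`; that looks intended (the API header in this patch does not reference it), but is worth confirming. The two TODO comments travel verbatim and would be better tracked as issues than carried in the .c.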
@@ -1,22 +1,23 @@ #include #include -#include "../EDRSandblast/EDRSandblast.h" -#include "../EDRSandblast/Includes/CredGuard.h" -#include "../EDRSandblast/Includes/DriverOps.h" -#include "../EDRSandblast/Includes/ETWThreatIntel.h" -#include "../EDRSandblast/Includes/FileUtils.h" -#include "../EDRSandblast/Includes/Firewalling.h" -#include "../EDRSandblast/Includes/KernelCallbacks.h" -#include "../EDRSandblast/Includes/KernelMemoryPrimitives.h" -#include "../EDRSandblast/Includes/ProcessDump.h" -#include "../EDRSandblast/Includes/ProcessDumpDirectSyscalls.h" -#include "../EDRSandblast/Includes/NtoskrnlOffsets.h" -#include "../EDRSandblast/Includes/ObjectCallbacks.h" -#include "../EDRSandblast/Includes/RunAsPPL.h" -#include "../EDRSandblast/Includes/Syscalls.h" -#include "../EDRSandblast/Includes/UserlandHooks.h" -#include "../EDRSandblast/Includes/WdigestOffsets.h" +#include "CredGuard.h" +#include "DriverOps.h" +#include "ETWThreatIntel.h" +#include "FileUtils.h" +#include "Firewalling.h" +#include "KernelCallbacks.h" +#include "KernelMemoryPrimitives.h" +#include "PrintFunctions.h" +#include "ProcessDump.h" +#include "ProcessDumpDirectSyscalls.h" +#include "NtoskrnlOffsets.h" +#include "ObjectCallbacks.h" +#include "RunAsPPL.h" +#include "Syscalls.h" +#include "UserlandHooks.h" +#include "WdigestOffsets.h" + #include "EDRSandblast_API.h" // A passer dans le core? diff --git a/EDRSandblast_StaticLibrary/EDRSandblast_API.h b/EDRSandblast_StaticLibrary/EDRSandblast_API.h index 9699ee9..7960347 100644 --- a/EDRSandblast_StaticLibrary/EDRSandblast_API.h +++ b/EDRSandblast_StaticLibrary/EDRSandblast_API.h @@ -1,6 +1,8 @@ #pragma once #include -#include "../EDRSandblast/Includes/UserlandHooks.h" + +#include "..\EDRSandblast\Includes\PrintFunctions.h" +#include "..\EDRSandblast\Includes\UserlandHooks.h" typedef struct EDRSB_SINGLETONS_t { HANDLE NtdllCopyHandle; 
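Review bot: The `@@ -1,6 +1,8 @@` hunk of EDRSandblast_StaticLibrary/EDRSandblast_API.h introduces backslash-separated include paths (`#include "..\EDRSandblast\Includes\PrintFunctions.h"`); a backslash between the delimiters of a `#include "..."` is undefined behaviour in ISO C (C11 §6.4.7p3) and only works on MSVC, and it is also inconsistent with the rest of this patch, where EDRSandblast_API.c and the other sources switch to bare names and EDRSandblast_StaticLibrary.vcxproj adds `$(SolutionDir)EDRSandblast\Includes` to the include path. Use the same form here: `#include "PrintFunctions.h"` and `#include "UserlandHooks.h"`. Including PrintFunctions.h from the public API header also exposes the print macros to every consumer of the static library; if nothing declared in EDRSandblast_API.h needs them (the visible struct uses only `HANDLE`), keep that include in EDRSandblast_API.c, which already has it.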
diff --git a/EDRSandblast_StaticLibrary/EDRSandblast_StaticLibrary.vcxproj b/EDRSandblast_StaticLibrary/EDRSandblast_StaticLibrary.vcxproj index f4950c2..3ed396f 100644 --- a/EDRSandblast_StaticLibrary/EDRSandblast_StaticLibrary.vcxproj +++ b/EDRSandblast_StaticLibrary/EDRSandblast_StaticLibrary.vcxproj @@ -70,6 +70,12 @@ + + $(SolutionDir)EDRSandblast\Includes;$(IncludePath) + + + $(SolutionDir)EDRSandblast\Includes;$(IncludePath) + Level3