small cleanup in header files

EDRSandblast/Drivers/DriverDBUtil.c

@@ -2,7 +2,8 @@
 #include <assert.h>
 #include <tchar.h>
 
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
+
 
 /*
 * "DBUtil_2_3.sys" (SHA256: 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5)

EDRSandblast/EDRSandblast.vcxproj

@@ -201,13 +201,13 @@
     <ClCompile Include="Utils\WindowsServiceOps.c" />
   </ItemGroup>
   <ItemGroup>
-    <ClInclude Include="EDRSandblast.h" />
     <ClInclude Include="Includes\CiOffsets.h" />
     <ClInclude Include="Includes\CredGuard.h" />
     <ClInclude Include="Includes\DriverDBUtil.h" />
     <ClInclude Include="Includes\DriverGDRV.h" />
     <ClInclude Include="Includes\DriverRTCore.h" />
     <ClInclude Include="Includes\KernelDSE.h" />
+    <ClInclude Include="Includes\PrintFunctions.h" />
     <ClInclude Include="Includes\ProcessDumpDirectSyscalls.h" />
     <ClInclude Include="Includes\FileUtils.h" />
     <ClInclude Include="Includes\HttpClient.h" />

EDRSandblast/EDRSandblast.vcxproj.filters

@@ -236,9 +236,6 @@
     <ClInclude Include="Includes\ProcessDumpDirectSyscalls.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="EDRSandblast.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="Includes\CiOffsets.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -248,6 +245,9 @@
     <ClInclude Include="Includes\DriverGDRV.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="Includes\PrintFunctions.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <MASM Include="Utils\SW2_Syscalls_stubs.x64.asm">

EDRSandblast/Includes/KernelMemoryPrimitives.h

@@ -1,10 +1,3 @@
-/*
-
---- Kernel memory Read / Write primitives through the vulnerable Micro-Star MSI Afterburner driver.
---- Source and credit: https://github.com/Barakat/CVE-2019-16098/blob/master/CVE-2019-16098.cpp
-
-*/
-
 #pragma once
 
 #include <Windows.h>

EDRSandblast/Includes/PrintFunctions.h

@@ -1,17 +1,5 @@
 #pragma once
 
-//TODO P1 : implement a "clean" mode that only removes the driver if installed
-//TODO P2 : replace all instances of exit(1) by a clean_exit() function that uninstalls the driver before exiting
-typedef enum _START_MODE {
-    dump,
-    cmd,
-    credguard,
-    audit,
-    firewall,
-    load,
-    none
-} START_MODE;
-
 #define NO_STRINGS 0
 
 #if NO_STRINGS

EDRSandblast/Includes/RemotePEBBrowser.h

@@ -1,7 +1,6 @@
 #include <Windows.h>
 #include <tchar.h>
 
-#include "../EDRSandblast.h"
 #include "Undoc.h"
 
 typedef struct _MODULE_INFO {

EDRSandblast/Includes/SyscallProcessUtils.h

@@ -2,9 +2,6 @@
 #include <Windows.h>
 #include <tchar.h>
 
-#include "../EDRSandblast.h"
-#include "SW2_Syscalls.h"
-
 #define ProcessImageFileName 27
 
 DWORD SandGetProcessPID(HANDLE hProcess);

EDRSandblast/Includes/WindowsServiceOps.h

@@ -1,10 +1,5 @@
 #pragma once
 
-#include <Windows.h>
-#include <aclapi.h>
-#include <Tchar.h>
-#include <stdio.h>
-#include <time.h>
 
 #if !defined(PRINT_ERROR_AUTO)
 #define PRINT_ERROR_AUTO(func) _tprintf_or_not(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError())

EDRSandblast/KernellandBypass/ETWThreatIntel.c

@@ -8,10 +8,10 @@
 #include <Windows.h>
 #include <Tchar.h>
 
-#include "../EDRSandBlast.h"
 #include "ETWThreatIntel.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
+#include "PrintFunctions.h"
 
 
 DWORD64 GetEtwThreatInt_ProviderEnableInfoAddress(BOOL verbose) {

EDRSandblast/KernellandBypass/KernelCallbacks.c

@@ -7,7 +7,6 @@
 
 #include <Windows.h>
 
-#include "../EDRSandblast.h"
 #include "FileUtils.h"
 #include "FileVersion.h"
 #include "IsEDRChecks.h"
@@ -16,6 +15,7 @@
 #include "NtoskrnlOffsets.h"
 #include "PEParser.h"
 #include "PdbSymbols.h"
+#include "PrintFunctions.h"
 
 #include "KernelCallbacks.h"
 

EDRSandblast/KernellandBypass/KernelDSE.c

@@ -1,6 +1,5 @@
 #include "windows.h"
 #include "KernelDSE.h"
-#include "../EDRSandblast.h"
 #include "winternl.h"
 #include "stdio.h" // for printf
 //#include "ntstatus.h"

EDRSandblast/KernellandBypass/KernelUtils.c

@@ -2,7 +2,7 @@
 #include <Psapi.h>
 #include <Tchar.h>
 
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 
 DWORD64 g_NtoskrnlBaseAddress;
 DWORD64 FindNtoskrnlBaseAddress(void) {

EDRSandblast/KernellandBypass/ObjectCallbacks.c

@@ -1,7 +1,6 @@
 #include <Tchar.h>
 #include <Windows.h>
 
-#include "../EDRSandblast.h"
 #include "IsEDRChecks.h"
 #include "PdbSymbols.h"
 #include "NtoskrnlOffsets.h"
@@ -9,6 +8,7 @@
 #include "KernelUtils.h"
 #include "FileVersion.h"
 #include "KernelCallbacks.h"
+#include "PrintFunctions.h"
 
 #include "ObjectCallbacks.h"
 

EDRSandblast/LSASSProtectionBypass/CredGuard.c

@@ -4,7 +4,7 @@
 #include <tlhelp32.h>
 #include <Tchar.h>
 
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 #include "WdigestOffsets.h"
 
 DWORD WINAPI disableCredGuardByPatchingLSASS(void) {

EDRSandblast/LSASSProtectionBypass/RunAsPPL.c

@@ -6,9 +6,9 @@
 */
 #include <tchar.h>
 
-#include "../EDRSandblast.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
+#include "PrintFunctions.h"
 #include "Undoc.h"
 #include "RunAsPPL.h"
 

EDRSandblast/UserlandBypass/Firewalling.c

@@ -3,7 +3,8 @@
 --- Firewall rules to block EDR products from the network (inboud / outbound connections).
 
 */
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
+
 #include "Firewalling.h"
 
 HRESULT FirewallBlockEDRBinaries(fwBlockingRulesList* sFWEntries) {

EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c

@@ -2,6 +2,7 @@
 #include <minidumpapiset.h>
 
 #include "ListUtils.h"
+#include "PrintFunctions.h"
 #include "RemotePEBBrowser.h"
 #include "StringUtils.h"
 #include "SyscallProcessUtils.h"

EDRSandblast/UserlandBypass/UserlandHooks.c

@@ -6,9 +6,9 @@
 #include <shlwapi.h>
 #include <stdio.h>
 
-#include "../EDRSandblast.h"
 #include "FileUtils.h"
 #include "UserlandHooks.h"
+#include "PrintFunctions.h"
 #include "PEBBrowse.h"
 #include "Undoc.h"
 #include "Syscalls.h"

EDRSandblast/Utils/CiOffsets.c

@@ -9,9 +9,9 @@
 #include <tchar.h>
 #include <stdio.h>
 
-#include "../EDRSandblast.h"
 #include "FileVersion.h"
 #include "PdbSymbols.h"
+#include "PrintFunctions.h"
 
 #include "CiOffsets.h"
 

EDRSandblast/Utils/DriverOps.c

@@ -12,7 +12,7 @@
 
 #include "DriverOps.h"
 
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 #include "StringUtils.h"
 #include "WindowsServiceOps.h"
 /*

EDRSandblast/Utils/FileVersion.c

@@ -6,7 +6,7 @@
 #include <Tchar.h>
 #include <stdio.h>
 
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 
 #include "FileVersion.h"
 

EDRSandblast/Utils/FirewallOps.cpp

@@ -1,5 +1,5 @@
 extern "C" {
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 #include "FirewallOps.h"
 }
 

EDRSandblast/Utils/HttpClient.c

@@ -4,7 +4,8 @@
 #include <windef.h>
 #include <winhttp.h>
 
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
+
 #include "HttpClient.h"
 
 

EDRSandblast/Utils/IsEDRChecks.c

@@ -1,4 +1,5 @@
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
+
 #include "IsEDRChecks.h"
 
 /*

EDRSandblast/Utils/KernelMemoryPrimitives.c

@@ -7,7 +7,6 @@
 #include "DriverDBUtil.h"
 #include "DriverGDRV.h"
 #include "KernelUtils.h"
-#include "../EDRSandblast.h"
 
 #include "KernelMemoryPrimitives.h"
 

EDRSandblast/Utils/KernelPatternSearch.c

@@ -6,9 +6,10 @@
 */
 #include <Windows.h>
 #include <Tchar.h>
+
 #include "KernelMemoryPrimitives.h"
 #include "KernelUtils.h"
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 
 DWORD64 PatternSearchStartingFromAddress(DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask) {
     for (DWORD i = 0; i < bytesToScan; i++) {

EDRSandblast/Utils/NtoskrnlOffsets.c

@@ -8,8 +8,8 @@
 #include <stdio.h>
 
 #include "FileVersion.h"
+#include "PrintFunctions.h"
 #include "PdbSymbols.h"
-#include "../EDRSandblast.h"
 
 #include "NtoskrnlOffsets.h"
 

EDRSandblast/Utils/PEBBrowse.c

@@ -2,9 +2,9 @@
 * Functions that browse the PEB structure instead of relying on GetModuleHandle
 */
 
-#include "../EDRSandblast.h"
 #include "Undoc.h"
 #include "PEBBrowse.h"
+#include "PrintFunctions.h"
 #include <stdio.h>
 
 /*

EDRSandblast/Utils/PEParser.c

@@ -3,11 +3,13 @@
 * Among other things, reimplements GetProcAddress and the PE relocation process
 */
 
-#include "../EDRSandblast.h"
 #include "PEParser.h"
 #include <stdio.h>
 #include <assert.h>
 
+#include "PrintFunctions.h"
+
+
 IMAGE_SECTION_HEADER* PE_sectionHeader_fromRVA(PE* pe, DWORD rva) {
 	IMAGE_SECTION_HEADER* sectionHeaders = pe->sectionHeaders;
 	for (DWORD sectionIndex = 0; sectionIndex < pe->ntHeader->FileHeader.NumberOfSections; sectionIndex++) {

EDRSandblast/Utils/PdbSymbols.c

@@ -3,10 +3,10 @@
 #include <dbghelp.h>
 #include <stdio.h>
 
-#include "../EDRSandblast.h"
 #include "FileUtils.h"
 #include "HttpClient.h"
 #include "PEParser.h"
+#include "PrintFunctions.h"
 
 #include "PdbSymbols.h"
 

EDRSandblast/Utils/ProcessDump.c

@@ -8,8 +8,8 @@
 #include <minidumpapiset.h>
 #include <tchar.h>
 
-#include "../EDRSandblast.h"
 #include "PEParser.h"
+#include "PrintFunctions.h"
 #include "ProcessDump.h"
 
 BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) {

EDRSandblast/Utils/RemotePEBBrowser.c

@@ -1,3 +1,4 @@
+#include "PrintFunctions.h"
 #include "RemotePEBBrowser.h"
 #include "SW2_Syscalls.h"
 

EDRSandblast/Utils/SignatureOps.c

@@ -1,5 +1,5 @@
 #include "SignatureOps.h"
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 
 // Concat in pSigners output the list of Signer(s) signing the specified file on disk.
 SignatureOpsError GetFileSigners(TCHAR* pFilePath, TCHAR* outSigners, size_t* szOutSigners) {

EDRSandblast/Utils/SyscallProcessUtils.c

@@ -1,3 +1,9 @@
+#include <Windows.h>
+#include <tchar.h>
+
+#include "SW2_Syscalls.h"
+#include "PrintFunctions.h"
+
 #include "SyscallProcessUtils.h"
 
 // Retrieve a given process PID.

EDRSandblast/Utils/WdigestOffsets.c

@@ -9,9 +9,9 @@
 #include <tchar.h>
 #include <stdio.h>
 
-#include "../EDRSandblast.h"
 #include "FileVersion.h"
 #include "PdbSymbols.h"
+#include "PrintFunctions.h"
 
 #include "WdigestOffsets.h"
 

EDRSandblast/Utils/WindowsServiceOps.c

@@ -1,4 +1,11 @@
-#include "../EDRSandblast.h"
+#include <Windows.h>
+#include <aclapi.h>
+#include <Tchar.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "PrintFunctions.h"
+
 #include "WindowsServiceOps.h"
 
 BOOL ServiceAddEveryoneAccess(SC_HANDLE serviceHandle) {

EDRSandblast_CLI/EDRSandblast.c

@@ -22,6 +22,7 @@
 #include "NtoskrnlOffsets.h"
 #include "ObjectCallbacks.h"
 #include "PEBBrowse.h"
+#include "PrintFunctions.h"
 #include "RunAsPPL.h"
 #include "Syscalls.h"
 #include "Undoc.h"
@@ -30,7 +31,18 @@
 #include "CiOffsets.h"
 #include "KernelDSE.h"
 
-#include "../EDRSandblast/EDRSandblast.h"
+//TODO P1 : implement a "clean" mode that only removes the driver if installed
+//TODO P2 : replace all instances of exit(1) by a clean_exit() function that uninstalls the driver before exiting
+
+typedef enum _START_MODE {
+    dump,
+    cmd,
+    credguard,
+    audit,
+    firewall,
+    load,
+    none
+} START_MODE;
 
 typedef NTSTATUS(NTAPI* NtQueryInformationProcess_f)(
     HANDLE          ProcessHandle,

EDRSandblast_CLI/EDRSandblast_CLI.vcxproj

@@ -74,12 +74,12 @@
   </ImportGroup>
   <PropertyGroup Label="UserMacros" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <IncludePath>$(SolutionDir)\EDRSandblast\Includes;$(IncludePath)</IncludePath>
+    <IncludePath>$(SolutionDir)EDRSandblast\Includes;$(IncludePath)</IncludePath>
     <LibraryPath>$(LibraryPath)</LibraryPath>
     <TargetName>EDRSandblast</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <IncludePath>$(SolutionDir)\EDRSandblast\Includes;$(IncludePath)</IncludePath>
+    <IncludePath>$(SolutionDir)EDRSandblast\Includes;$(IncludePath)</IncludePath>
     <LibraryPath>$(LibraryPath)</LibraryPath>
     <TargetName>EDRSandblast</TargetName>
   </PropertyGroup>

EDRSandblast_StaticLibrary/EDRSandblast_API.c

@@ -1,22 +1,23 @@
 #include <Windows.h>
 #include <shlwapi.h>
 
-#include "../EDRSandblast/EDRSandblast.h"
+#include "CredGuard.h"
-#include "../EDRSandblast/Includes/CredGuard.h"
+#include "DriverOps.h"
-#include "../EDRSandblast/Includes/DriverOps.h"
+#include "ETWThreatIntel.h"
-#include "../EDRSandblast/Includes/ETWThreatIntel.h"
+#include "FileUtils.h"
-#include "../EDRSandblast/Includes/FileUtils.h"
+#include "Firewalling.h"
-#include "../EDRSandblast/Includes/Firewalling.h"
+#include "KernelCallbacks.h"
-#include "../EDRSandblast/Includes/KernelCallbacks.h"
+#include "KernelMemoryPrimitives.h"
-#include "../EDRSandblast/Includes/KernelMemoryPrimitives.h"
+#include "PrintFunctions.h"
-#include "../EDRSandblast/Includes/ProcessDump.h"
+#include "ProcessDump.h"
-#include "../EDRSandblast/Includes/ProcessDumpDirectSyscalls.h"
+#include "ProcessDumpDirectSyscalls.h"
-#include "../EDRSandblast/Includes/NtoskrnlOffsets.h"
+#include "NtoskrnlOffsets.h"
-#include "../EDRSandblast/Includes/ObjectCallbacks.h"
+#include "ObjectCallbacks.h"
-#include "../EDRSandblast/Includes/RunAsPPL.h"
+#include "RunAsPPL.h"
-#include "../EDRSandblast/Includes/Syscalls.h"
+#include "Syscalls.h"
-#include "../EDRSandblast/Includes/UserlandHooks.h"
+#include "UserlandHooks.h"
-#include "../EDRSandblast/Includes/WdigestOffsets.h"
+#include "WdigestOffsets.h"
+
 #include "EDRSandblast_API.h"
 
 // A passer dans le core?

EDRSandblast_StaticLibrary/EDRSandblast_API.h

@@ -1,6 +1,8 @@
 #pragma once
 #include <Windows.h>
-#include "../EDRSandblast/Includes/UserlandHooks.h"
+
+#include "..\EDRSandblast\Includes\PrintFunctions.h"
+#include "..\EDRSandblast\Includes\UserlandHooks.h"
 
 typedef struct EDRSB_SINGLETONS_t {
     HANDLE NtdllCopyHandle;

EDRSandblast_StaticLibrary/EDRSandblast_StaticLibrary.vcxproj

@@ -70,6 +70,12 @@
     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
   </ImportGroup>
   <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <IncludePath>$(SolutionDir)EDRSandblast\Includes;$(IncludePath)</IncludePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <IncludePath>$(SolutionDir)EDRSandblast\Includes;$(IncludePath)</IncludePath>
+  </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <WarningLevel>Level3</WarningLevel>