small cleanup in header files

2026-06-08 16:37:12 +00:00 · 2023-10-06 16:12:52 +02:00
parent 7be844b518
commit 43cea1f08b
41 changed files with 91 additions and 78 deletions
@@ -2,7 +2,8 @@
 #include <assert.h>
 #include <tchar.h>

-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
+

 /*
 * "DBUtil_2_3.sys" (SHA256: 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5)
@@ -201,13 +201,13 @@
    <ClCompile Include="Utils\WindowsServiceOps.c" />
  </ItemGroup>
  <ItemGroup>
-    <ClInclude Include="EDRSandblast.h" />
    <ClInclude Include="Includes\CiOffsets.h" />
    <ClInclude Include="Includes\CredGuard.h" />
    <ClInclude Include="Includes\DriverDBUtil.h" />
    <ClInclude Include="Includes\DriverGDRV.h" />
    <ClInclude Include="Includes\DriverRTCore.h" />
    <ClInclude Include="Includes\KernelDSE.h" />
+    <ClInclude Include="Includes\PrintFunctions.h" />
    <ClInclude Include="Includes\ProcessDumpDirectSyscalls.h" />
    <ClInclude Include="Includes\FileUtils.h" />
    <ClInclude Include="Includes\HttpClient.h" />
@@ -236,9 +236,6 @@
    <ClInclude Include="Includes\ProcessDumpDirectSyscalls.h">
      <Filter>Header Files</Filter>
    </ClInclude>
-    <ClInclude Include="EDRSandblast.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
    <ClInclude Include="Includes\CiOffsets.h">
      <Filter>Header Files</Filter>
    </ClInclude>
@@ -248,6 +245,9 @@
    <ClInclude Include="Includes\DriverGDRV.h">
      <Filter>Header Files</Filter>
    </ClInclude>
+    <ClInclude Include="Includes\PrintFunctions.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <MASM Include="Utils\SW2_Syscalls_stubs.x64.asm">
@@ -1,10 +1,3 @@
-/*
-
--- Kernel memory Read / Write primitives through the vulnerable Micro-Star MSI Afterburner driver.
--- Source and credit: https://github.com/Barakat/CVE-2019-16098/blob/master/CVE-2019-16098.cpp
-
-*/
-
 #pragma once

 #include <Windows.h>
@@ -1,17 +1,5 @@
 #pragma once

-//TODO P1 : implement a "clean" mode that only removes the driver if installed
-//TODO P2 : replace all instances of exit(1) by a clean_exit() function that uninstalls the driver before exiting
-typedef enum _START_MODE {
-    dump,
-    cmd,
-    credguard,
-    audit,
-    firewall,
-    load,
-    none
-} START_MODE;
-
 #define NO_STRINGS 0

 #if NO_STRINGS
@@ -1,7 +1,6 @@
 #include <Windows.h>
 #include <tchar.h>

-#include "../EDRSandblast.h"
 #include "Undoc.h"

 typedef struct _MODULE_INFO {
@@ -2,9 +2,6 @@
 #include <Windows.h>
 #include <tchar.h>

-#include "../EDRSandblast.h"
-#include "SW2_Syscalls.h"
-
 #define ProcessImageFileName 27

 DWORD SandGetProcessPID(HANDLE hProcess);
@@ -1,10 +1,5 @@
 #pragma once

-#include <Windows.h>
-#include <aclapi.h>
-#include <Tchar.h>
-#include <stdio.h>
-#include <time.h>

 #if !defined(PRINT_ERROR_AUTO)
 #define PRINT_ERROR_AUTO(func) _tprintf_or_not(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError())
@@ -8,10 +8,10 @@
 #include <Windows.h>
 #include <Tchar.h>

-#include "../EDRSandBlast.h"
 #include "ETWThreatIntel.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
+#include "PrintFunctions.h"


 DWORD64 GetEtwThreatInt_ProviderEnableInfoAddress(BOOL verbose) {
@@ -7,7 +7,6 @@

 #include <Windows.h>

-#include "../EDRSandblast.h"
 #include "FileUtils.h"
 #include "FileVersion.h"
 #include "IsEDRChecks.h"
@@ -16,6 +15,7 @@
 #include "NtoskrnlOffsets.h"
 #include "PEParser.h"
 #include "PdbSymbols.h"
+#include "PrintFunctions.h"

 #include "KernelCallbacks.h"

@@ -1,6 +1,5 @@
 #include "windows.h"
 #include "KernelDSE.h"
-#include "../EDRSandblast.h"
 #include "winternl.h"
 #include "stdio.h" // for printf
 //#include "ntstatus.h"
@@ -2,7 +2,7 @@
 #include <Psapi.h>
 #include <Tchar.h>

-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"

 DWORD64 g_NtoskrnlBaseAddress;
 DWORD64 FindNtoskrnlBaseAddress(void) {
@@ -1,7 +1,6 @@
 #include <Tchar.h>
 #include <Windows.h>

-#include "../EDRSandblast.h"
 #include "IsEDRChecks.h"
 #include "PdbSymbols.h"
 #include "NtoskrnlOffsets.h"
@@ -9,6 +8,7 @@
 #include "KernelUtils.h"
 #include "FileVersion.h"
 #include "KernelCallbacks.h"
+#include "PrintFunctions.h"

 #include "ObjectCallbacks.h"

@@ -4,7 +4,7 @@
 #include <tlhelp32.h>
 #include <Tchar.h>

-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 #include "WdigestOffsets.h"

 DWORD WINAPI disableCredGuardByPatchingLSASS(void) {
@@ -6,9 +6,9 @@
 */
 #include <tchar.h>

-#include "../EDRSandblast.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
+#include "PrintFunctions.h"
 #include "Undoc.h"
 #include "RunAsPPL.h"

@@ -3,7 +3,8 @@
 --- Firewall rules to block EDR products from the network (inboud / outbound connections).

 */
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
+
 #include "Firewalling.h"

 HRESULT FirewallBlockEDRBinaries(fwBlockingRulesList* sFWEntries) {
@@ -2,6 +2,7 @@
 #include <minidumpapiset.h>

 #include "ListUtils.h"
+#include "PrintFunctions.h"
 #include "RemotePEBBrowser.h"
 #include "StringUtils.h"
 #include "SyscallProcessUtils.h"
@@ -6,9 +6,9 @@
 #include <shlwapi.h>
 #include <stdio.h>

-#include "../EDRSandblast.h"
 #include "FileUtils.h"
 #include "UserlandHooks.h"
+#include "PrintFunctions.h"
 #include "PEBBrowse.h"
 #include "Undoc.h"
 #include "Syscalls.h"
@@ -9,9 +9,9 @@
 #include <tchar.h>
 #include <stdio.h>

-#include "../EDRSandblast.h"
 #include "FileVersion.h"
 #include "PdbSymbols.h"
+#include "PrintFunctions.h"

 #include "CiOffsets.h"

@@ -12,7 +12,7 @@

 #include "DriverOps.h"

-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 #include "StringUtils.h"
 #include "WindowsServiceOps.h"
 /*
@@ -6,7 +6,7 @@
 #include <Tchar.h>
 #include <stdio.h>

-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"

 #include "FileVersion.h"

@@ -1,5 +1,5 @@
 extern "C" {
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
 #include "FirewallOps.h"
 }

@@ -4,7 +4,8 @@
 #include <windef.h>
 #include <winhttp.h>

-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
+
 #include "HttpClient.h"


@@ -1,4 +1,5 @@
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"
+
 #include "IsEDRChecks.h"

 /*
@@ -7,7 +7,6 @@
 #include "DriverDBUtil.h"
 #include "DriverGDRV.h"
 #include "KernelUtils.h"
-#include "../EDRSandblast.h"

 #include "KernelMemoryPrimitives.h"

@@ -6,9 +6,10 @@
 */
 #include <Windows.h>
 #include <Tchar.h>
+
 #include "KernelMemoryPrimitives.h"
 #include "KernelUtils.h"
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"

 DWORD64 PatternSearchStartingFromAddress(DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask) {
    for (DWORD i = 0; i < bytesToScan; i++) {
@@ -8,8 +8,8 @@
 #include <stdio.h>

 #include "FileVersion.h"
+#include "PrintFunctions.h"
 #include "PdbSymbols.h"
-#include "../EDRSandblast.h"

 #include "NtoskrnlOffsets.h"

@@ -2,9 +2,9 @@
 * Functions that browse the PEB structure instead of relying on GetModuleHandle
 */

-#include "../EDRSandblast.h"
 #include "Undoc.h"
 #include "PEBBrowse.h"
+#include "PrintFunctions.h"
 #include <stdio.h>

 /*
@@ -3,11 +3,13 @@
 * Among other things, reimplements GetProcAddress and the PE relocation process
 */

-#include "../EDRSandblast.h"
 #include "PEParser.h"
 #include <stdio.h>
 #include <assert.h>

+#include "PrintFunctions.h"
+
+
 IMAGE_SECTION_HEADER* PE_sectionHeader_fromRVA(PE* pe, DWORD rva) {
 	IMAGE_SECTION_HEADER* sectionHeaders = pe->sectionHeaders;
 	for (DWORD sectionIndex = 0; sectionIndex < pe->ntHeader->FileHeader.NumberOfSections; sectionIndex++) {
@@ -3,10 +3,10 @@
 #include <dbghelp.h>
 #include <stdio.h>

-#include "../EDRSandblast.h"
 #include "FileUtils.h"
 #include "HttpClient.h"
 #include "PEParser.h"
+#include "PrintFunctions.h"

 #include "PdbSymbols.h"

@@ -8,8 +8,8 @@
 #include <minidumpapiset.h>
 #include <tchar.h>

-#include "../EDRSandblast.h"
 #include "PEParser.h"
+#include "PrintFunctions.h"
 #include "ProcessDump.h"

 BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) {
@@ -1,3 +1,4 @@
+#include "PrintFunctions.h"
 #include "RemotePEBBrowser.h"
 #include "SW2_Syscalls.h"

@@ -1,5 +1,5 @@
 #include "SignatureOps.h"
-#include "../EDRSandblast.h"
+#include "PrintFunctions.h"

 // Concat in pSigners output the list of Signer(s) signing the specified file on disk.
 SignatureOpsError GetFileSigners(TCHAR* pFilePath, TCHAR* outSigners, size_t* szOutSigners) {
@@ -1,3 +1,9 @@
+#include <Windows.h>
+#include <tchar.h>
+
+#include "SW2_Syscalls.h"
+#include "PrintFunctions.h"
+
 #include "SyscallProcessUtils.h"

 // Retrieve a given process PID.
@@ -9,9 +9,9 @@
 #include <tchar.h>
 #include <stdio.h>

-#include "../EDRSandblast.h"
 #include "FileVersion.h"
 #include "PdbSymbols.h"
+#include "PrintFunctions.h"

 #include "WdigestOffsets.h"

@@ -1,4 +1,11 @@
-#include "../EDRSandblast.h"
+#include <Windows.h>
+#include <aclapi.h>
+#include <Tchar.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "PrintFunctions.h"
+
 #include "WindowsServiceOps.h"

 BOOL ServiceAddEveryoneAccess(SC_HANDLE serviceHandle) {
@@ -22,6 +22,7 @@
 #include "NtoskrnlOffsets.h"
 #include "ObjectCallbacks.h"
 #include "PEBBrowse.h"
+#include "PrintFunctions.h"
 #include "RunAsPPL.h"
 #include "Syscalls.h"
 #include "Undoc.h"
@@ -30,7 +31,18 @@
 #include "CiOffsets.h"
 #include "KernelDSE.h"

-#include "../EDRSandblast/EDRSandblast.h"
+//TODO P1 : implement a "clean" mode that only removes the driver if installed
+//TODO P2 : replace all instances of exit(1) by a clean_exit() function that uninstalls the driver before exiting
+
+typedef enum _START_MODE {
+    dump,
+    cmd,
+    credguard,
+    audit,
+    firewall,
+    load,
+    none
+} START_MODE;

 typedef NTSTATUS(NTAPI* NtQueryInformationProcess_f)(
    HANDLE          ProcessHandle,
@@ -74,12 +74,12 @@
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <IncludePath>$(SolutionDir)\EDRSandblast\Includes;$(IncludePath)</IncludePath>
+    <IncludePath>$(SolutionDir)EDRSandblast\Includes;$(IncludePath)</IncludePath>
    <LibraryPath>$(LibraryPath)</LibraryPath>
    <TargetName>EDRSandblast</TargetName>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <IncludePath>$(SolutionDir)\EDRSandblast\Includes;$(IncludePath)</IncludePath>
+    <IncludePath>$(SolutionDir)EDRSandblast\Includes;$(IncludePath)</IncludePath>
    <LibraryPath>$(LibraryPath)</LibraryPath>
    <TargetName>EDRSandblast</TargetName>
  </PropertyGroup>
@@ -1,22 +1,23 @@
 #include <Windows.h>
 #include <shlwapi.h>

-#include "../EDRSandblast/EDRSandblast.h"
-#include "../EDRSandblast/Includes/CredGuard.h"
-#include "../EDRSandblast/Includes/DriverOps.h"
-#include "../EDRSandblast/Includes/ETWThreatIntel.h"
-#include "../EDRSandblast/Includes/FileUtils.h"
-#include "../EDRSandblast/Includes/Firewalling.h"
-#include "../EDRSandblast/Includes/KernelCallbacks.h"
-#include "../EDRSandblast/Includes/KernelMemoryPrimitives.h"
-#include "../EDRSandblast/Includes/ProcessDump.h"
-#include "../EDRSandblast/Includes/ProcessDumpDirectSyscalls.h"
-#include "../EDRSandblast/Includes/NtoskrnlOffsets.h"
-#include "../EDRSandblast/Includes/ObjectCallbacks.h"
-#include "../EDRSandblast/Includes/RunAsPPL.h"
-#include "../EDRSandblast/Includes/Syscalls.h"
-#include "../EDRSandblast/Includes/UserlandHooks.h"
-#include "../EDRSandblast/Includes/WdigestOffsets.h"
+#include "CredGuard.h"
+#include "DriverOps.h"
+#include "ETWThreatIntel.h"
+#include "FileUtils.h"
+#include "Firewalling.h"
+#include "KernelCallbacks.h"
+#include "KernelMemoryPrimitives.h"
+#include "PrintFunctions.h"
+#include "ProcessDump.h"
+#include "ProcessDumpDirectSyscalls.h"
+#include "NtoskrnlOffsets.h"
+#include "ObjectCallbacks.h"
+#include "RunAsPPL.h"
+#include "Syscalls.h"
+#include "UserlandHooks.h"
+#include "WdigestOffsets.h"
+
 #include "EDRSandblast_API.h"

 // A passer dans le core?
@@ -1,6 +1,8 @@
 #pragma once
 #include <Windows.h>
-#include "../EDRSandblast/Includes/UserlandHooks.h"
+
+#include "..\EDRSandblast\Includes\PrintFunctions.h"
+#include "..\EDRSandblast\Includes\UserlandHooks.h"

 typedef struct EDRSB_SINGLETONS_t {
    HANDLE NtdllCopyHandle;
@@ -70,6 +70,12 @@
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <IncludePath>$(SolutionDir)EDRSandblast\Includes;$(IncludePath)</IncludePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <IncludePath>$(SolutionDir)EDRSandblast\Includes;$(IncludePath)</IncludePath>
+  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
      <WarningLevel>Level3</WarningLevel>