D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more

Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>

EDRSandblast/Includes/UserlandHooks.h

@@ -1,52 +1,61 @@
 #pragma once
 #include "PEParser.h"
 
-typedef struct diff_t {
-	PVOID disk_ptr;
-	PVOID mem_ptr;
-	size_t size;
-} diff;
+// Sets an arbitrary maximum size of a hook ; ideally, this should be the minimum value of all (potentially patched) functions' lengths
+#if _WIN64
+#define PATCH_MAX_SIZE 0x18
+#else
+#define PATCH_MAX_SIZE 0x10
+#endif
 
-typedef struct hook_t {
-	PVOID disk_function;
-	PVOID mem_function;
-	LPCSTR functionName;
-	diff* list_patches;
-} hook;
+typedef struct PATCH_DIFF_t {
+    PVOID disk_ptr;
+    PVOID mem_ptr;
+    size_t size;
+} PATCH_DIFF;
+
+typedef struct HOOK_t {
+    PVOID disk_function;
+    PVOID mem_function;
+    LPCSTR functionName;
+    PATCH_DIFF* list_patches;
+} HOOK;
 
 typedef NTSTATUS(NTAPI* pNtProtectVirtualMemory) (
-	IN HANDLE               ProcessHandle,
-	IN OUT PVOID* BaseAddress,
-	IN OUT PSIZE_T           NumberOfBytesToProtect,
-	IN ULONG                NewAccessProtection,
-	OUT PULONG              OldAccessProtection);
+    IN HANDLE               ProcessHandle,
+    IN OUT PVOID* BaseAddress,
+    IN OUT PSIZE_T           NumberOfBytesToProtect,
+    IN ULONG                NewAccessProtection,
+    OUT PULONG              OldAccessProtection);
 
 typedef NTSTATUS(NTAPI* pRtlGetVersion)(
-	OUT LPOSVERSIONINFOEXW lpVersionInformation);
+    OUT LPOSVERSIONINFOEXW lpVersionInformation);
 
-enum unhook_method_e {
-	UNHOOK_NONE,
+typedef enum UNHOOK_METHOD_e {
+    UNHOOK_NONE,
 
-	// Uses the (probably monitored) NtProtectVirtualMemory function in ntdll to remove all detected hooks
-	UNHOOK_WITH_NTPROTECTVIRTUALMEMORY,
+    // Uses the (probably monitored) NtProtectVirtualMemory function in ntdll to remove all detected hooks
+    UNHOOK_WITH_NTPROTECTVIRTUALMEMORY,
 
-	// Constructs an "unhooked" (i.e. unmonitored) version of NtProtectVirtualMemory, by allocating an executable trampoling jumping over the hook, and remove all detected hooks
-	UNHOOK_WITH_INHOUSE_NTPROTECTVIRTUALMEMORY_TRAMPOLINE,
+    // Constructs an "unhooked" (i.e. unmonitored) version of NtProtectVirtualMemory, by allocating an executable trampoling jumping over the hook, and remove all detected hooks
+    UNHOOK_WITH_INHOUSE_NTPROTECTVIRTUALMEMORY_TRAMPOLINE,
 
-	// Search for an existing trampoline allocated by the EDR itself, to get an "unhooked" (i.e. unmonitored) version of NtProtectVirtualMemory, and remove all detected hooks
-	UNHOOK_WITH_EDR_NTPROTECTVIRTUALMEMORY_TRAMPOLINE,
+    // Search for an existing trampoline allocated by the EDR itself, to get an "unhooked" (i.e. unmonitored) version of NtProtectVirtualMemory, and remove all detected hooks
+    UNHOOK_WITH_EDR_NTPROTECTVIRTUALMEMORY_TRAMPOLINE,
 
-	// Loads an additionnal version of ntdll library into memory, and use the (hopefully unmonitored) version of NtProtectVirtualMemory present in this library to remove all detected hooks
-	UNHOOK_WITH_DUPLICATE_NTPROTECTVIRTUALMEMORY,
+    // Loads an additionnal version of ntdll library into memory, and use the (hopefully unmonitored) version of NtProtectVirtualMemory present in this library to remove all detected hooks
+    UNHOOK_WITH_DUPLICATE_NTPROTECTVIRTUALMEMORY,
 
-	// Allocates a shellcode that uses a direct syscall to call NtProtectVirtualMemory, and uses it to remove all detected hooks
-	UNHOOK_WITH_DIRECT_SYSCALL
-};
+    // Allocates a shellcode that uses a direct syscall to call NtProtectVirtualMemory, and uses it to remove all detected hooks
+    UNHOOK_WITH_DIRECT_SYSCALL
+}UNHOOK_METHOD;
 
-hook* searchHooks(const char* csvFileName);
+_Ret_notnull_ HOOK* searchHooks(const char* csvFileName);
 PVOID hookResolver(PBYTE hookAddr);
 pNtProtectVirtualMemory getSafeVirtualProtectUsingTrampoline(DWORD unhook_method);
-VOID unhook(hook* hook, DWORD unhook_method);
+PVOID searchTrampolineInExecutableMemory(PVOID pattern, size_t patternSize, PVOID expectedTarget);
+PBYTE findDiff(PBYTE mem, PBYTE disk, size_t len, size_t* lenPatch);
+VOID unhook(HOOK* hook, UNHOOK_METHOD unhook_method);
 
 
 /*