D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more

Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
This commit is contained in:
Qazeer
2022-08-13 09:23:48 -07:00
parent 2e037a379b
commit 48a75a7029
91 changed files with 10503 additions and 4414 deletions
+12 -3
@@ -44,7 +44,7 @@ searches is justified by the fact that the undocumented APIs responsible for
Kernel callbacks addition / removal are subject to change and that any attempt
to write Kernel memory at the wrong address may (and often will) result in a
`Bug Check` (`Blue Screen of Death`). For more information on how the offsets
were gathered, refer to [Offsets section](Offsets).
were gathered (and how to update them), refer to [Offsets section](Offsets).
### EDR bypass through deactivation of the ETW Microsoft-Windows-Threat-Intelligence provider
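Review bot: the updated sentence still links with `[Offsets section](Offsets)`, which in Markdown resolves to a path named `Offsets` rather than to the heading; if the intent is an in-document jump to the "Offsets" section, the target should be the anchor form (`#offsets`). Since the sentence now also promises to explain "how to update them", it is worth confirming the Offsets section actually covers the new `--internet` / CSV-append behaviour rather than only the manual extraction workflow.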
@@ -399,12 +399,12 @@ Actions mode:
Other options:
--dont-unload-driver Keep the Micro-Star MSI Afterburner vulnerable driver installed on the host
--dont-unload-driver Keep the vulnerable driver installed on the host
Default to automatically unsinstall the driver.
--dont-restore-callbacks Do not restore the EDR drivers' Kernel Callbacks that were removed.
Default to restore the callbacks.
--driver <RTCore64.sys> Path to the Micro-Star MSI Afterburner vulnerable driver file.
--driver <RTCore64.sys> Path to the vulnerable driver file.
Default to 'RTCore64.sys' in the current directory.
--service <SERVICE_NAME> Name of the vulnerable service to intall / start.
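Review bot: while generalising the `--dont-unload-driver` and `--driver` descriptions from "Micro-Star MSI Afterburner" to "the vulnerable driver", the two typos on the neighbouring unchanged lines should be fixed in the same pass: "unsinstall" on the `--dont-unload-driver` default line and "intall" on the `--service` line. Also note that the placeholder `<RTCore64.sys>` and the default `'RTCore64.sys'` still tie the option to that one driver, so if the wording is being made generic to hint at other drivers being supported, the help text should say whether anything other than RTCore64 is actually supported.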
@@ -423,6 +423,11 @@ Other options:
-o | --output <DUMP_FILE> Output path to the dump file that will be generated by the 'dump' mode.
Default to 'lsass' in the current directory.
-i | --internet Enables automatic symbols download from Microsoft Symbol Server
If a corresponding *Offsets.csv file exists, appends the downloaded offsets to the file for later use
OpSec warning: downloads and drops on disk a PDB file for ntoskrnl.exe and/or wdigest.dll
```
### Build
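Review bot: the new `-i | --internet` help text does not say where the downloaded PDB is written, which matters both for an operator who wants to clean up and for anyone reading the OpSec warning; suggest stating the drop directory (or that it is the current directory) and whether the file is removed after the offsets are extracted. The CSV line ("appends the downloaded offsets to the file for later use") should also state what happens when no `*Offsets.csv` exists and whether an already-present version row is skipped, so repeated `--internet` runs do not accumulate duplicate entries. Minor: the other options in this block carry a "Default to ..." line; for consistency, add one stating that symbol download is disabled by default.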
@@ -456,6 +461,10 @@ optional arguments:
-d, --dowload Flag to download the PE from Microsoft servers using list of versions from winbindex.m417z.com.
```
### Automatic offsets retrieval and update
An additionnal option has been implemented in `EDRSandBlast` to allow the program to download the needed `.pdb` files itself from Microsoft Symbol Server, extract the required offsets, and even update the corresponding `.csv` files if present.
Using the `--internet` option make the tool execution much simpler, while introducing an additionnal OpSec risk, since a `.pdb` file is downloaded and dropped on disk during the process. This is required by the `dbghelp.dll` functions used to parse the symbols database ; however, full in-memory PDB parsing might be implemented in the future to lift this requierement and reduce the tool's footprint.
## Detection
From the defender (EDR vendor, Microsoft, SOC analysts looking at EDR's telemetry, ...) point of view, multiple indicators can be used to detect or prevent this kind of techniques.
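Review bot: the context line `-d, --dowload` shows the flag misspelled; if that is a verbatim capture of the script's help output, the typo lives in the argparse definition and fixing only the README would make the documentation diverge from the real flag, so check the script. In the new "Automatic offsets retrieval and update" paragraphs: "additionnal" (twice) should be "additional", "requierement" should be "requirement", "make the tool execution much simpler" should read "makes ...", and "database ;" has a stray space before the semicolon. Logic-wise, the text says the `.pdb` is "dropped on disk during the process" but not whether it is deleted once `dbghelp.dll` has parsed it; the Detection section that follows would benefit from that being stated explicitly, since a lingering `ntoskrnl.pdb` / `wdigest.pdb` next to the tool is an obvious indicator. Finally, "this kind of techniques" should be "this kind of technique" or "these techniques".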