From 4ae1872ae9ec023e610216c38be8ac1840cb5994 Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Fri, 31 Dec 2021 15:50:16 +0100
Subject: [PATCH] userland hooking audit: add an option to load arbitrary DLL before auditing
---
 EDRSandblast/EDRSandblast.c | 23 +++++++++++++++++++++--
 README.md | 10 +++++++++-
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/EDRSandblast/EDRSandblast.c b/EDRSandblast/EDRSandblast.c
index 7cdc1fe..7f6a970 100644
--- a/EDRSandblast/EDRSandblast.c
+++ b/EDRSandblast/EDRSandblast.c
@@ -8,7 +8,7 @@ int _tmain(int argc, TCHAR** argv) {
 // Parse command line arguments and initialize variables to default values if needed.
- const TCHAR usage[] = TEXT("Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] [--usermode [--unhook-method ]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver ] [--service ] [--nt-offsets ] [--wdigest-offsets ] [-o | --dump-output ]");
+ const TCHAR usage[] = TEXT("Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] [--usermode [--unhook-method ]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver ] [--service ] [--nt-offsets ] [--wdigest-offsets ] [--add-dll ]* [-o | --dump-output ]");
 const TCHAR extendedUsage[] = TEXT("\n\
 -h | --help Show this help message and exit.\n\
 -v | --verbose Enable a more verbose output.\n\
@@ -58,6 +58,13 @@ Other options:\n\
 (only for the 'credguard' mode).\n\
 Default to 'WdigestOffsets.csv' in the current directory.\n\
 \n\
+--add-dll Loads arbitrary libraries into the process' address space, before starting\n\
+ anything. This can be useful to audit userland hooking for DLL that are not\n\
+ loaded by default by this program. Use this option multiple times to load\n\
+ multiple DLLs all at once.\n\
+ Example of interesting DLLs to look at: user32.dll, ole32.dll, crypt32.dll,\n\
+ samcli.dll, winhttp.dll, urlmon.dll, secur32.dll, shell32.dll...\n\
+\n\
 -o | --output Output path to the dump file that will be generated by the 'dump' mode.\n\
 Default to 'lsass' in the current directory.\n");
 BOOL status;
@@ -171,9 +178,21 @@ Other options:\n\
 }
 unhook_method = _ttoi(argv[i]);
 }
+ else if (_tcsicmp(argv[i], TEXT("--add-dll")) == 0) {
+ i++;
+ if (i > argc) {
+ _tprintf(TEXT("%s"), usage);
+ return EXIT_FAILURE;
+ }
+ HANDLE hAdditionnalLib = LoadLibrary(argv[i]);
+ if (hAdditionnalLib == INVALID_HANDLE_VALUE) {
+ _tprintf(TEXT("Library %s could not have been loaded, exiting...\n"), argv[i]);
+ return EXIT_FAILURE;
+ }
+ }
 else {
 _tprintf(TEXT("%s"), usage);
- return 1;
+ return EXIT_FAILURE;
 }
 }
diff --git a/README.md b/README.md
index eec0044..43c85af 100644
--- a/README.md
+++ b/README.md
@@ -359,7 +359,7 @@ http://download-eu2.guru3d.com/afterburner/%5BGuru3D.com%5D-MSIAfterburnerSetup4
 ### Quick usage
 ```
-EDRSandblast.exe [-h | --help] [-v | --verbose] [--usermode [--unhook-method ]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver ] [--nt-offsets ] [--wdigest-offsets ] [-o | --dump-output ]
+Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] [--usermode [--unhook-method ]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver ] [--service ] [--nt-offsets ] [--wdigest-offsets ] [--add-dll ]* [-o | --dump-output ]
 ```
 ### Options
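Review bot: The failure check after `LoadLibrary(argv[i])` in the `--add-dll` branch can never fire, because LoadLibrary reports failure by returning NULL rather than INVALID_HANDLE_VALUE, so a DLL that fails to load is silently skipped and the audit runs without it; the comparison should read `if (hAdditionnalLib == NULL) {`, ideally with `GetLastError()` included in the message for diagnosis. The bounds check just above it is off by one: after `i++`, `i == argc` indexes the terminating NULL entry of argv, so it should be `if (i >= argc) {`. The neighbouring option branches use a similar pattern but their guards fall outside this hunk, so it is worth confirming they compare with `>=` as well. The enclosing `_tmain` begins in the first hunk and ends outside this one.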
@@ -406,6 +406,7 @@ Other options:
 --driver Path to the Micro-Star MSI Afterburner vulnerable driver file.
 Default to 'RTCore64.sys' in the current directory.
+--service Name of the vulnerable service to intall / start.
 --nt-offsets Path to the CSV file containing the required ntoskrnl.exe's offsets.
 Default to 'NtoskrnlOffsets.csv' in the current directory.
@@ -413,6 +414,13 @@ Other options:
 (only for the 'credguard' mode).
 Default to 'WdigestOffsets.csv' in the current directory.
+--add-dll Loads arbitrary libraries into the process' address space, before starting
+ anything. This can be useful to audit userland hooking for DLL that are not
+ loaded by default by this program. Use this option multiple times to load
+ multiple DLLs all at once.
+ Example of interesting DLLs to look at: user32.dll, ole32.dll, crypt32.dll,
+ samcli.dll, winhttp.dll, urlmon.dll, secur32.dll, shell32.dll...
+
 -o | --output Output path to the dump file that will be generated by the 'dump' mode.
 Default to 'lsass' in the current directory.
 ```