userland hooking audit: add an option to load arbitrary DLL before auditing

This commit is contained in:
Maxime Meignan
2021-12-31 15:50:16 +01:00
parent 3c81bd4f26
commit 4ae1872ae9
2 changed files with 30 additions and 3 deletions
+9 -1
@@ -359,7 +359,7 @@ http://download-eu2.guru3d.com/afterburner/%5BGuru3D.com%5D-MSIAfterburnerSetup4
### Quick usage
```
EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard> [--usermode [--unhook-method <N>]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver <RTCore64.sys>] [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [-o | --dump-output <DUMP_FILE>]
Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard> [--usermode [--unhook-method <N>]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver <RTCore64.sys>] [--service <SERVICE_NAME>] [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [--add-dll <dll name or path>]* [-o | --dump-output <DUMP_FILE>]
```
### Options
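Review bot: the rewritten usage line still ends with `[-o | --dump-output <DUMP_FILE>]` while the Options section below documents the same option as `-o | --output <DUMP_FILE>`; since this line is being touched anyway, make the two names agree. The `]*` suffix on `[--add-dll <dll name or path>]*` is the only place that notation appears in the usage string, so a short remark that the option may be repeated (or the more usual `...`) would make it clearer.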
@@ -406,6 +406,7 @@ Other options:
--driver <RTCore64.sys> Path to the Micro-Star MSI Afterburner vulnerable driver file.
Default to 'RTCore64.sys' in the current directory.
--service <SERVICE_NAME> Name of the vulnerable service to intall / start.
--nt-offsets <NtoskrnlOffsets.csv> Path to the CSV file containing the required ntoskrnl.exe's offsets.
Default to 'NtoskrnlOffsets.csv' in the current directory.
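Review bot: typo in the added `--service` line, "intall" should be "install". This option is also unrelated to what the commit message describes (the `--add-dll` option) and is not mentioned there; either mention it in the message or split it into its own commit so the history stays readable.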
@@ -413,6 +414,13 @@ Other options:
(only for the 'credguard' mode).
Default to 'WdigestOffsets.csv' in the current directory.
--add-dll <dll name or path> Loads arbitrary libraries into the process' address space, before starting
anything. This can be useful to audit userland hooking for DLL that are not
loaded by default by this program. Use this option multiple times to load
multiple DLLs all at once.
Example of interesting DLLs to look at: user32.dll, ole32.dll, crypt32.dll,
samcli.dll, winhttp.dll, urlmon.dll, secur32.dll, shell32.dll...
-o | --output <DUMP_FILE> Output path to the dump file that will be generated by the 'dump' mode.
Default to 'lsass' in the current directory.
```
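Review bot: grammar in the added `--add-dll` description, "for DLL that are not loaded" should be "for DLLs that are not loaded", and "multiple DLLs all at once" reads better as "several DLLs". The text accepts a "dll name or path" but does not say how a bare name is resolved; since the library is loaded before anything else runs, state whether a bare name goes through the default library search order or is taken from the system directory, so users know which module actually ends up being audited.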