userland hooking audit: add an option to load arbitrary DLL before auditing

Maxime Meignan
2021-12-31 15:50:16 +01:00
parent 3c81bd4f26
commit 4ae1872ae9
2 changed files with 30 additions and 3 deletions
+21 -2
@@ -8,7 +8,7 @@
int _tmain(int argc, TCHAR** argv) { int _tmain(int argc, TCHAR** argv) {
// Parse command line arguments and initialize variables to default values if needed. // Parse command line arguments and initialize variables to default values if needed.
const TCHAR usage[] = TEXT("Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard> [--usermode [--unhook-method <N>]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver <RTCore64.sys>] [--service <SERVICE_NAME>] [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [-o | --dump-output <DUMP_FILE>]"); const TCHAR usage[] = TEXT("Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard> [--usermode [--unhook-method <N>]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver <RTCore64.sys>] [--service <SERVICE_NAME>] [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [--add-dll <dll name or path>]* [-o | --dump-output <DUMP_FILE>]");
const TCHAR extendedUsage[] = TEXT("\n\ const TCHAR extendedUsage[] = TEXT("\n\
-h | --help Show this help message and exit.\n\ -h | --help Show this help message and exit.\n\
-v | --verbose Enable a more verbose output.\n\ -v | --verbose Enable a more verbose output.\n\
@@ -58,6 +58,13 @@ Other options:\n\
(only for the 'credguard' mode).\n\ (only for the 'credguard' mode).\n\
Default to 'WdigestOffsets.csv' in the current directory.\n\ Default to 'WdigestOffsets.csv' in the current directory.\n\
\n\ \n\
--add-dll <dll name or path> Loads arbitrary libraries into the process' address space, before starting\n\
anything. This can be useful to audit userland hooking for DLL that are not\n\
loaded by default by this program. Use this option multiple times to load\n\
multiple DLLs all at once.\n\
Example of interesting DLLs to look at: user32.dll, ole32.dll, crypt32.dll,\n\
samcli.dll, winhttp.dll, urlmon.dll, secur32.dll, shell32.dll...\n\
\n\
-o | --output <DUMP_FILE> Output path to the dump file that will be generated by the 'dump' mode.\n\ -o | --output <DUMP_FILE> Output path to the dump file that will be generated by the 'dump' mode.\n\
Default to 'lsass' in the current directory.\n"); Default to 'lsass' in the current directory.\n");
BOOL status; BOOL status;
@@ -171,9 +178,21 @@ Other options:\n\
} }
unhook_method = _ttoi(argv[i]); unhook_method = _ttoi(argv[i]);
} }
else if (_tcsicmp(argv[i], TEXT("--add-dll")) == 0) {
i++;
if (i > argc) {
_tprintf(TEXT("%s"), usage);
return EXIT_FAILURE;
}
HANDLE hAdditionnalLib = LoadLibrary(argv[i]);
if (hAdditionnalLib == INVALID_HANDLE_VALUE) {
_tprintf(TEXT("Library %s could not have been loaded, exiting...\n"), argv[i]);
return EXIT_FAILURE;
}
}
else { else {
_tprintf(TEXT("%s"), usage); _tprintf(TEXT("%s"), usage);
return 1; return EXIT_FAILURE;
} }
} }
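Review bot: The failure check after `LoadLibrary` never fires, because `LoadLibrary` returns NULL on failure rather than INVALID_HANDLE_VALUE, so a DLL that cannot be loaded is silently skipped and the audit runs without it while the operator believes it is present; the line should read `if (hAdditionnalLib == NULL)` and the error message would be more useful if it also printed `GetLastError()`. The bounds check just above is off by one: after `i++`, `i == argc` indexes `argv[argc]`, which is NULL, so `if (i > argc)` should be `if (i >= argc)` (the earlier `--unhook-method` branch presumably uses the same guard, but it lies outside the hunk). Since a bare name passed to `--add-dll` is resolved through the normal DLL search order, the help text could note that giving a full path avoids picking up a same-named DLL from the working directory. The enclosing `_tmain` begins and continues outside the hunk.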
+9 -1
@@ -359,7 +359,7 @@ http://download-eu2.guru3d.com/afterburner/%5BGuru3D.com%5D-MSIAfterburnerSetup4
### Quick usage ### Quick usage
``` ```
EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard> [--usermode [--unhook-method <N>]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver <RTCore64.sys>] [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [-o | --dump-output <DUMP_FILE>] Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard> [--usermode [--unhook-method <N>]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver <RTCore64.sys>] [--service <SERVICE_NAME>] [--nt-offsets <NtoskrnlOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [--add-dll <dll name or path>]* [-o | --dump-output <DUMP_FILE>]
``` ```
### Options ### Options
@@ -406,6 +406,7 @@ Other options:
--driver <RTCore64.sys> Path to the Micro-Star MSI Afterburner vulnerable driver file. --driver <RTCore64.sys> Path to the Micro-Star MSI Afterburner vulnerable driver file.
Default to 'RTCore64.sys' in the current directory. Default to 'RTCore64.sys' in the current directory.
--service <SERVICE_NAME> Name of the vulnerable service to intall / start.
--nt-offsets <NtoskrnlOffsets.csv> Path to the CSV file containing the required ntoskrnl.exe's offsets. --nt-offsets <NtoskrnlOffsets.csv> Path to the CSV file containing the required ntoskrnl.exe's offsets.
Default to 'NtoskrnlOffsets.csv' in the current directory. Default to 'NtoskrnlOffsets.csv' in the current directory.
@@ -413,6 +414,13 @@ Other options:
(only for the 'credguard' mode). (only for the 'credguard' mode).
Default to 'WdigestOffsets.csv' in the current directory. Default to 'WdigestOffsets.csv' in the current directory.
--add-dll <dll name or path> Loads arbitrary libraries into the process' address space, before starting
anything. This can be useful to audit userland hooking for DLL that are not
loaded by default by this program. Use this option multiple times to load
multiple DLLs all at once.
Example of interesting DLLs to look at: user32.dll, ole32.dll, crypt32.dll,
samcli.dll, winhttp.dll, urlmon.dll, secur32.dll, shell32.dll...
-o | --output <DUMP_FILE> Output path to the dump file that will be generated by the 'dump' mode. -o | --output <DUMP_FILE> Output path to the dump file that will be generated by the 'dump' mode.
Default to 'lsass' in the current directory. Default to 'lsass' in the current directory.
``` ```