From 2072b71d050b9a722477b84712ff27f5b71dee60 Mon Sep 17 00:00:00 2001
From: John Lambert
Date: Wed, 8 Dec 2021 07:15:06 -0800
Subject: [PATCH 1/2] Fix potential buffer overrun in credguard disable
The call to `GetModuleFileNameEx` passes in `sizeof(szModulename)` for the size parameter. The documentation for that API says the size parameter is a character count, not a byte count ("The size of the lpFilename buffer, in characters."). Since the code currently passes in a byte count, this opens up the possibility for a stack buffer overrun on UNICODE compilations of this tool where the byte count will be `2*MAX_PATH` which `GetModuleFileNameEx` will interpret as a character count and potentially write up to `2*2*MAX_PATH' bytes into the buffer. Fix by passing in a character count. You could also use a macro like `ARRAYSIZE(szModulename)`. ```diff TCHAR szModulename[MAX_PATH]; for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) { if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, sizeof(szModulename))) { ... } ``` [1] Docs for GetModuleFileNameEx are here (https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulefilenameexa)
---
 EDRSandblast/LSASSProtectionBypass/CredGuard.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/EDRSandblast/LSASSProtectionBypass/CredGuard.c b/EDRSandblast/LSASSProtectionBypass/CredGuard.c
index 46a046e..e20d91c 100644
--- a/EDRSandblast/LSASSProtectionBypass/CredGuard.c
+++ b/EDRSandblast/LSASSProtectionBypass/CredGuard.c
@@ -54,7 +54,7 @@ DWORD WINAPI disableCredGuardByPatchingLSASS(void) {
 BOOL returnStatus = FALSE;
 TCHAR szModulename[MAX_PATH];
 for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) {
- if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, sizeof(szModulename))) {
+ if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, MAX_PATH)) {
 _tprintf(TEXT("[!] Cred Guard bypass non fatal error: couldn't get module name for module at index 0x%lx (GetModuleFileNameEx, error code 0x%lx)\n"), i, GetLastError());
 continue;
 }
@@ -167,4 +167,4 @@ DWORD WINAPI disableCredGuardByPatchingLSASS(void) {
 CloseHandle(hLsass);
 return returnStatus;
-}
\ No newline at end of file
+}
From 7c6eb8173dd86efc9b30f9f9d53ea25f6f273519 Mon Sep 17 00:00:00 2001
From: John Lambert
Date: Wed, 8 Dec 2021 08:26:18 -0800
Subject: [PATCH 2/2] Update CredGuard.c
---
 EDRSandblast/LSASSProtectionBypass/CredGuard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/EDRSandblast/LSASSProtectionBypass/CredGuard.c b/EDRSandblast/LSASSProtectionBypass/CredGuard.c
index e20d91c..277c764 100644
--- a/EDRSandblast/LSASSProtectionBypass/CredGuard.c
+++ b/EDRSandblast/LSASSProtectionBypass/CredGuard.c
@@ -54,7 +54,7 @@ DWORD WINAPI disableCredGuardByPatchingLSASS(void) {
 BOOL returnStatus = FALSE;
 TCHAR szModulename[MAX_PATH];
 for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) {
- if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, MAX_PATH)) {
+ if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, _countof(szModulename))) {
 _tprintf(TEXT("[!] Cred Guard bypass non fatal error: couldn't get module name for module at index 0x%lx (GetModuleFileNameEx, error code 0x%lx)\n"), i, GetLastError());
 continue;
 }
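Review bot: The new call on the `+` line still treats only a zero return as failure, so a module path that does not fit in `szModulename` is accepted silently; as I read the GetModuleFileNameEx documentation, an over-long name is truncated rather than rejected, and the rest of the loop body (outside this hunk) would then work on a partial path. Capture the return value and treat a full buffer as an error as well, e.g. `DWORD cch = hModulesArray[i] ? GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, _countof(szModulename)) : 0;` followed by `if (hModulesArray[i] && (cch == 0 || cch >= _countof(szModulename))) {`, keeping the existing message and `continue`. The same point applies to the intermediate `MAX_PATH` form in the first patch's hunk at -54,7, which the second patch supersedes. Note also that a NULL `hModulesArray[i]` makes the whole condition false, so that iteration proceeds into the body below with whatever `szModulename` held before (uninitialized on the first pass); if that body reads the buffer, a `continue` for the NULL case would be safer. disableCredGuardByPatchingLSASS starts before this hunk and ends in the -167,4 hunk.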