Merge pull request #14 from v1k1ngfr/g_CiOptionExtract
Add g_CiOptions offset extract "feature"
@@ -0,0 +1,186 @@
|
||||
g_CiOptionsOffset
|
||||
ci_10240-17673.dll,16c10
|
||||
ci_10240-17797.dll,16c10
|
||||
ci_10240-17861.dll,16c10
|
||||
ci_10240-17831.dll,16c10
|
||||
ci_10240-17319.dll,16c10
|
||||
ci_10240-17889.dll,16c10
|
||||
ci_10240-17976.dll,16c10
|
||||
ci_10240-16384.dll,16c10
|
||||
ci_10240-19119.dll,16c10
|
||||
ci_10586-0.dll,16c30
|
||||
ci_10586-1232.dll,16c30
|
||||
ci_10586-1478.dll,16c30
|
||||
ci_14393-0.dll,19b50
|
||||
ci_10586-839.dll,16c30
|
||||
ci_10586-1540.dll,16c30
|
||||
ci_14393-2214.dll,19b50
|
||||
ci_14393-2273.dll,19b50
|
||||
ci_14393-2248.dll,19b50
|
||||
ci_14393-206.dll,19b50
|
||||
ci_14393-2312.dll,19b50
|
||||
ci_14393-2189.dll,19b50
|
||||
ci_14393-2339.dll,19b50
|
||||
ci_14393-2395.dll,19b50
|
||||
ci_14393-2485.dll,19b50
|
||||
ci_14393-3053.dll,19b50
|
||||
ci_14393-3115.dll,19b50
|
||||
ci_14393-3297.dll,19b50
|
||||
ci_14393-3323.dll,19b50
|
||||
ci_14393-2636.dll,19b50
|
||||
ci_14393-3383.dll,19b50
|
||||
ci_14393-3930.dll,19b70
|
||||
ci_14393-4350.dll,19b70
|
||||
ci_14393-4583.dll,19b70
|
||||
ci_14393-4704.dll,19b70
|
||||
ci_14393-4770.dll,19b70
|
||||
ci_14393-3986.dll,19b70
|
||||
ci_14393-5125.dll,19b70
|
||||
ci_14393-4530.dll,19b70
|
||||
ci_14393-5006.dll,19b70
|
||||
ci_14393-5501.dll,19b50
|
||||
ci_14393-726.dll,19b50
|
||||
ci_14393-953.dll,19b50
|
||||
ci_15063-0.dll,1bbb0
|
||||
ci_14393-5192.dll,19b50
|
||||
ci_15063-1058.dll,1bbb0
|
||||
ci_15063-1091.dll,1bbb0
|
||||
ci_15063-1155.dll,1bbb0
|
||||
ci_15063-1324.dll,1bbb0
|
||||
ci_15063-1235.dll,1bbb0
|
||||
ci_16299-95.dll,1cd10
|
||||
ci_15063-296.dll,1bbb0
|
||||
ci_15063-968.dll,1bbb0
|
||||
ci_16299-15.dll,1cd10
|
||||
ci_15063-877.dll,1bbb0
|
||||
ci_16299-1565.dll,1dd10
|
||||
ci_16299-246.dll,1cd10
|
||||
ci_16299-1268.dll,1dd10
|
||||
ci_16299-246.dll,1cd10
|
||||
ci_16299-246.dll,1cd10
|
||||
ci_16299-432.dll,1cd10
|
||||
ci_16299-10000.dll,1cd10
|
||||
ci_16299-64.dll,1cd10
|
||||
ci_16299-371.dll,1cd10
|
||||
ci_17134-1.dll,1dcb0
|
||||
ci_17134-1098.dll,1dc98
|
||||
ci_16299-1087.dll,1cd10
|
||||
ci_17134-1067.dll,1dc98
|
||||
ci_17134-112.dll,1dcb0
|
||||
ci_17134-228.dll,1dc98
|
||||
ci_17134-2090.dll,1dc98
|
||||
ci_17134-1130.dll,1dc98
|
||||
ci_17134-285.dll,1dc98
|
||||
ci_17134-829.dll,1dc98
|
||||
ci_17134-441.dll,1dc98
|
||||
ci_17134-80.dll,1dcb0
|
||||
ci_17134-885.dll,1dc98
|
||||
ci_17134-1006.dll,1dc98
|
||||
ci_17134-858.dll,1dc98
|
||||
ci_17763-253.dll,36d18
|
||||
ci_17134-950.dll,1dc98
|
||||
ci_17763-1131.dll,36d18
|
||||
ci_17763-1131.dll,36d18
|
||||
ci_17763-1007.dll,36d18
|
||||
ci_17763-1282.dll,36d18
|
||||
ci_17763-1554.dll,36d18
|
||||
ci_17763-1577.dll,36d18
|
||||
ci_17763-10458.dll,36d18
|
||||
ci_17763-1757.dll,36d18
|
||||
ci_17763-1971.dll,36d18
|
||||
ci_17763-2061.dll,36d18
|
||||
ci_17763-1790.dll,36d18
|
||||
ci_17763-2183.dll,36d18
|
||||
ci_17763-2090.dll,36d18
|
||||
ci_17763-2237.dll,36d18
|
||||
ci_17763-2510.dll,36d18
|
||||
ci_17763-2458.dll,36d18
|
||||
ci_17763-292.dll,36d18
|
||||
ci_17763-2330.dll,36d18
|
||||
ci_17763-2369.dll,36d18
|
||||
ci_17763-2989.dll,36d18
|
||||
ci_17763-2628.dll,36d18
|
||||
ci_17763-10877.dll,36d18
|
||||
ci_17763-3406.dll,36d18
|
||||
ci_17763-3165.dll,36d18
|
||||
ci_17763-3532.dll,36d58
|
||||
ci_17763-379.dll,36d18
|
||||
ci_17763-404.dll,36d18
|
||||
ci_17763-3650.dll,36d58
|
||||
ci_17763-592.dll,36d18
|
||||
ci_17763-557.dll,36d18
|
||||
ci_17763-615.dll,36d18
|
||||
ci_17763-55.dll,36d18
|
||||
ci_17763-719.dll,36d18
|
||||
ci_17763-802.dll,36d18
|
||||
ci_17763-678.dll,36d18
|
||||
ci_18362-53.dll,37278
|
||||
ci_18362-1171.dll,37278
|
||||
ci_18362-1556.dll,37278
|
||||
ci_18362-1593.dll,38278
|
||||
ci_18362-1020.dll,37278
|
||||
ci_18362-1171.dll,37278
|
||||
ci_18362-1734.dll,38278
|
||||
ci_18362-1049.dll,37278
|
||||
ci_18362-1801.dll,38278
|
||||
ci_18362-1854.dll,38278
|
||||
ci_18362-1679.dll,38278
|
||||
ci_18362-2337.dll,38278
|
||||
ci_18362-1027.dll,37278
|
||||
ci_18362-2039.dll,38278
|
||||
ci_18362-239.dll,37278
|
||||
ci_18362-10013.dll,37278
|
||||
ci_18362-295.dll,37278
|
||||
ci_18362-329.dll,37278
|
||||
ci_18362-387.dll,37278
|
||||
ci_18362-815.dll,37278
|
||||
ci_18362-592.dll,37278
|
||||
ci_18362-900.dll,37278
|
||||
ci_18362-1059.dll,37278
|
||||
ci_19041-208.dll,38378
|
||||
ci_19041-1157.dll,383d8
|
||||
ci_19041-1157.dll,383d8
|
||||
ci_19041-1023.dll,383d8
|
||||
ci_19041-1165.dll,383b8
|
||||
ci_19041-1165.dll,383d8
|
||||
ci_19041-1165.dll,383b8
|
||||
ci_19041-1288.dll,383b8
|
||||
ci_19041-1320.dll,383b8
|
||||
ci_19041-1371.dll,383b8
|
||||
ci_19041-1173.dll,383b8
|
||||
ci_19041-1526.dll,393b8
|
||||
ci_19041-1865.dll,393d8
|
||||
ci_19041-1826.dll,393b8
|
||||
ci_19041-1708.dll,393b8
|
||||
ci_19041-1645.dll,383b8
|
||||
ci_19041-1469.dll,383b8
|
||||
ci_19041-1682.dll,383b8
|
||||
ci_19041-2251.dll,3a438
|
||||
ci_19041-388.dll,38378
|
||||
ci_19041-488.dll,383b8
|
||||
ci_19041-2311.dll,39418
|
||||
ci_19041-870.dll,383b8
|
||||
ci_19041-423.dll,383b8
|
||||
ci_19041-606.dll,383b8
|
||||
ci_22000-132.dll,3d004
|
||||
ci_19041-985.dll,383d8
|
||||
ci_22000-1219.dll,3d004
|
||||
ci_22000-318.dll,3d004
|
||||
ci_22000-1219.dll,3d004
|
||||
ci_22000-347.dll,3d004
|
||||
ci_22000-434.dll,3d004
|
||||
ci_22000-376.dll,3d004
|
||||
ci_22000-613.dll,3d004
|
||||
ci_22000-652.dll,3d004
|
||||
ci_22000-493.dll,3d004
|
||||
ci_22000-675.dll,3d004
|
||||
ci_22000-795.dll,3d004
|
||||
ci_22000-832.dll,3d004
|
||||
ci_22000-740.dll,3d004
|
||||
ci_22000-975.dll,3d004
|
||||
ci_22621-590.dll,41004
|
||||
ci_22621-608.dll,41004
|
||||
ci_22621-815.dll,41004
|
||||
ci_22621-675.dll,41004
|
||||
ci_19041-2075.dll,3a438
|
||||
ci_19045-2364.dll,39418
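Review bot: The header row `g_CiOptionsOffset` has a single column while every data row below it carries two fields (image file name, offset), so the header does not describe the rows; the sibling ntoskrnl/wdigest CSVs put a version column first, so a header of the form `ciVersion,g_CiOptionsOffset` (name constructed to match the existing `ntoskrnlVersion`/`wdigestVersion` convention) would keep the three files consistent. Several images are listed more than once (ci_16299-246.dll three times, ci_17763-1131.dll, ci_18362-1171.dll, ci_19041-1157.dll and ci_22000-1219.dll twice), and ci_19041-1165.dll appears three times with two different offsets (383b8 and 383d8), so a consumer keyed on the file name cannot tell which value is correct. The duplicates should be collapsed and the conflicting entry re-extracted before this file is relied on; sorting the rows by build would also make such collisions visible in review.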
|
||||
|
@@ -14,8 +14,8 @@ import threading
|
||||
CSVLock = threading.Lock()
|
||||
|
||||
machineType = dict(x86=332, x64=34404)
|
||||
knownImageVersions = dict(ntoskrnl=list(), wdigest=list())
|
||||
extensions_by_mode = dict(ntoskrnl="exe", wdigest="dll")
|
||||
knownImageVersions = dict(ntoskrnl=list(), wdigest=list(), ci=list())
|
||||
extensions_by_mode = dict(ntoskrnl="exe", wdigest="dll", ci="dll")
|
||||
|
||||
def find(key, value):
|
||||
for k, v in value.items():
|
||||
@@ -144,12 +144,16 @@ def extractOffsets(input_file, output_file, mode):
|
||||
# check image type (ntoskrnl, wdigest, etc.)
|
||||
r = run(["r2", "-c", "iE", "-qq", input_file], capture_output=True)
|
||||
for line in r.stdout.decode().splitlines():
|
||||
line = line.lower()
|
||||
if "ntoskrnl.exe" in line:
|
||||
imageType = "ntoskrnl"
|
||||
break
|
||||
elif "wdigest.dll" in line:
|
||||
imageType = "wdigest"
|
||||
break
|
||||
elif "ci.dll" in line:
|
||||
imageType = "ci"
|
||||
break
|
||||
else:
|
||||
print(f"[*] File {input_file} unrecognized")
|
||||
return
|
||||
@@ -194,6 +198,10 @@ def extractOffsets(input_file, output_file, mode):
|
||||
("g_fParameter_UseLogonCredential",get_symbol_offset),
|
||||
("g_IsCredGuardEnabled",get_symbol_offset)
|
||||
]
|
||||
elif imageType == "ci":
|
||||
symbols = [
|
||||
("g_CiOptions",get_symbol_offset),
|
||||
]
|
||||
|
||||
|
||||
symbols_values = list()
|
||||
@@ -243,18 +251,18 @@ def loadOffsetsFromCSV(loadedVersions, CSVPath):
|
||||
if __name__ == '__main__':
|
||||
parser = argparse.ArgumentParser()
|
||||
|
||||
parser.add_argument('mode', help='ntoskrnl or wdigest. Mode to download and extract offsets for either ntoskrnl or wdigest')
|
||||
parser.add_argument('mode', help='"ntoskrnl", "wdigest" or "ci". Mode to download and extract offsets from either ntoskrnl.exe, wdigest.dll or ci.dll')
|
||||
parser.add_argument('-i', '--input', dest='input', required=True,
|
||||
help='Single file or directory containing ntoskrnl.exe / wdigest.dll to extract offsets from. If in download mode, the PE downloaded from MS symbols servers will be placed in this folder.')
|
||||
help='Single file or directory containing ntoskrnl.exe / wdigest.dll / ci.dll to extract offsets from. If in download mode, the PE downloaded from MS symbols servers will be placed in this folder.')
|
||||
parser.add_argument('-o', '--output', dest='output',
|
||||
help='CSV file to write offsets to. If the specified file already exists, only new ntoskrnl versions will be downloaded / analyzed. Defaults to NtoskrnlOffsets.csv / WdigestOffsets.csv in the current folder.')
|
||||
help='CSV file to write offsets to. If the specified file already exists, only new ntoskrnl versions will be downloaded / analyzed. Defaults to NtoskrnlOffsets.csv / WdigestOffsets.csv / CiOffsets.csv in the current folder.')
|
||||
parser.add_argument('-d', '--download', dest='download', action='store_true',
|
||||
help='Flag to download the PE from Microsoft servers using list of versions from winbindex.m417z.com.')
|
||||
|
||||
args = parser.parse_args()
|
||||
mode = args.mode.lower()
|
||||
if mode not in knownImageVersions:
|
||||
print(f'[!] ERROR : unsupported mode "{args.mode}", supported mode are: "ntoskrnl" and "wdigest"')
|
||||
print(f'[!] ERROR : unsupported mode "{args.mode}", supported mode are: "ntoskrnl", "wdigest" and "ci"')
|
||||
exit(1)
|
||||
|
||||
# check R2 version
|
||||
@@ -298,6 +306,8 @@ if __name__ == '__main__':
|
||||
output.write('ntoskrnlVersion,PspCreateProcessNotifyRoutineOffset,PspCreateThreadNotifyRoutineOffset,PspLoadImageNotifyRoutineOffset,_PS_PROTECTIONOffset,EtwThreatIntProvRegHandleOffset,EtwRegEntry_GuidEntryOffset,EtwGuidEntry_ProviderEnableInfoOffset,PsProcessType,PsThreadType,CallbackList\n')
|
||||
elif mode == "wdigest":
|
||||
output.write('wdigestVersion,g_fParameter_UseLogonCredentialOffset,g_IsCredGuardEnabledOffset\n')
|
||||
elif mode == "ci":
|
||||
output.write('g_CiOptionsOffset\n')
|
||||
else:
|
||||
assert False
|
||||
# In download mode, an updated list of image versions published will be retrieved from https://winbindex.m417z.com.
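Review bot: The ci header written by `output.write('g_CiOptionsOffset\n')` has one column, whereas the ntoskrnl and wdigest headers on the lines above start with a version column and the rows the script appends carry the image name first; the ci branch should follow the same layout, e.g. `output.write('ciVersion,g_CiOptionsOffset\n')` (column name constructed to match the sibling headers). Without it the header and the data rows disagree on column count, and any reader that maps columns by header name, such as loadOffsetsFromCSV named in an earlier hunk header, will be misaligned for ci mode only. The `if __name__ == '__main__':` block continues outside this hunk.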
|
||||
|
||||