[new feature] Implements EDR minifilter callbacks detection and removal

Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>

EDRSandblast/Includes/FltmgrOffsets.h

@@ -0,0 +1,50 @@
+#pragma once
+#include <Windows.h>
+
+
+enum FltmgrOffsetType {
+	FltGlobals = 0,
+	_GLOBALS_FrameList,
+	_FLT_RESOURCE_LIST_HEAD_rList,
+	_FLTP_FRAME_Links,
+	_FLTP_FRAME_RegisteredFilters,
+	_FLT_OBJECT_PrimaryLink,
+	_FLT_FILTER_DriverObject,
+	_FLT_FILTER_InstanceList,
+	_DRIVER_OBJECT_DriverInit,
+	_FLT_INSTANCE_CallbackNodes,
+	_FLT_INSTANCE_FilterLink,
+	_SUPPORTED_FLTMGR_OFFSETS_END
+};
+
+union FltmgrOffsets {
+	// structure version of fltmgr.sys's offsets
+	struct {
+		DWORD64 FltGlobals;
+		DWORD64 _GLOBALS_FrameList;
+		DWORD64 _FLT_RESOURCE_LIST_HEAD_rList;
+		DWORD64 _FLTP_FRAME_Links;
+		DWORD64 _FLTP_FRAME_RegisteredFilters;
+		DWORD64 _FLT_OBJECT_PrimaryLink;
+		DWORD64 _FLT_FILTER_DriverObject;
+		DWORD64 _FLT_FILTER_InstanceList;
+		DWORD64 _DRIVER_OBJECT_DriverInit;
+		DWORD64 _FLT_INSTANCE_CallbackNodes;
+		DWORD64 _FLT_INSTANCE_FilterLink;
+	} st;
+
+	// array version (usefull for code factoring)
+	DWORD64 ar[_SUPPORTED_FLTMGR_OFFSETS_END];
+};
+
+union FltmgrOffsets g_fltmgrOffsets;
+
+BOOL LoadFltmgrOffsets(_In_opt_ TCHAR* fltmgrOffsetFilename, BOOL canUseInternet);
+
+BOOL LoadFltmgrOffsetsFromFile(TCHAR* fltmgrOffsetFilename);
+void SaveFltmgrOffsetsToFile(TCHAR* fltmgrOffsetFilename);
+
+BOOL LoadFltmgrOffsetsFromInternet(BOOL delete_pdb);
+
+LPTSTR GetFltmgrPath();
+LPTSTR GetFltmgrVersion();

EDRSandblast/Includes/KernelCallbacks.h

@@ -21,6 +21,7 @@
 enum kernel_callback_type_e {
 	NOTIFY_ROUTINE_CB,
 	OBJECT_CALLBACK,
+	MINIFILTER_CALLBACK,
 };
 struct KRNL_CALLBACK {
 	enum kernel_callback_type_e type;
@@ -34,8 +35,11 @@ struct KRNL_CALLBACK {
 		struct object_callback_t {
 			DWORD64 enable_addr;
 		} object_callback;
+		struct minifilter_callback_t {
+			DWORD64 callback_node;
+		} minifilter_callback;
 	} addresses;
-	DWORD64 callback_func;
+	DWORD64 callback_func; //TODO: reorganize this struct since object callbacks and minifilter callbacks have preoperations and postoperations
 	BOOL removed;
 };
 

EDRSandblast/Includes/MinifilterCallbacks.h

@@ -0,0 +1,9 @@
+#pragma once
+#include <Windows.h>
+#include "KernelCallbacks.h"
+
+BOOL EnumEDRMinifilterCallbacks(struct FOUND_EDR_CALLBACKS* foundEDRCallbacks, BOOL verbose);
+#if WriteMemoryPrimitiveIsAtomic
+void RemoveEDRMinifilterCallbacks(struct FOUND_EDR_CALLBACKS* edrCallbacks);
+BOOL RestoreEDRMinifilterCallbacks(struct FOUND_EDR_CALLBACKS* edrCallbacks);
+#endif