Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-09 08:57:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

[new feature] Implements EDR minifilter callbacks detection and removal

Browse Source 
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
This commit is contained in:
Maxime Meignan
2023-11-29 14:32:35 +01:00
parent 1b1919ba8a
commit e567c488ff
12 changed files with 594 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
EDRSandblast/Includes/KernelCallbacks.h
+5 -1
View File
@@ -21,6 +21,7 @@
enum kernel_callback_type_e {
NOTIFY_ROUTINE_CB,
OBJECT_CALLBACK,
MINIFILTER_CALLBACK,
};
struct KRNL_CALLBACK {
enum kernel_callback_type_e type;
@@ -34,8 +35,11 @@ struct KRNL_CALLBACK {
struct object_callback_t {
DWORD64 enable_addr;
} object_callback;
struct minifilter_callback_t {
DWORD64 callback_node;
} minifilter_callback;
} addresses;
DWORD64 callback_func;
DWORD64 callback_func; //TODO: reorganize this struct since object callbacks and minifilter callbacks have preoperations and postoperations
BOOL removed;
};