Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-09 08:57:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

[new feature] Implements EDR minifilter callbacks detection and removal

Browse Source 
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
This commit is contained in:
Maxime Meignan
2023-11-29 14:32:35 +01:00
parent 1b1919ba8a
commit e567c488ff
12 changed files with 594 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Offsets/ExtractOffsets.py
+14 -1
View File
@@ -17,7 +17,7 @@ THREADS_LIMIT = None
CSVLock = threading.Lock()
machineType = dict(x86=332, x64=34404)
supported_images = ["ntoskrnl.exe", "wdigest.dll", "ci.dll"]
supported_images = ["ntoskrnl.exe", "wdigest.dll", "ci.dll", "fltmgr.sys"]
modes = [image_name.split(".")[0] for image_name in supported_images]
extensions_by_mode = dict(image_name.split(".") for image_name in supported_images)
known_image_versions = {mode: list() for mode in modes}
@@ -46,6 +46,19 @@ symbols = dict(
("g_CiOptions", "symbol"),
("CiValidateImageHeader", "symbol"),
],
fltmgr=[
("FltGlobals", "symbol"),
("_GLOBALS", "FrameList", "field"),
("_FLT_RESOURCE_LIST_HEAD", "rList", "field"),
("_FLTP_FRAME", "Links", "field"),
("_FLTP_FRAME", "RegisteredFilters", "field"),
("_FLT_OBJECT", "PrimaryLink", "field"),
("_FLT_FILTER", "DriverObject", "field"),
("_FLT_FILTER", "InstanceList", "field"),
("_DRIVER_OBJECT", "DriverInit", "field"),
("_FLT_INSTANCE", "CallbackNodes", "field"),
("_FLT_INSTANCE", "FilterLink", "field"),
],
)
symbols_names = {mode: [t[0] if t[-1] == "symbol" else f"{t[0]}_{t[1]}" for t in symbols[mode]] for mode in modes}
Offsets/FltmgrOffsets.csv
+90
View File
@@ -0,0 +1,90 @@
fltmgrVersion,FltGlobals,_GLOBALS_FrameList,_FLT_RESOURCE_LIST_HEAD_rList,_FLTP_FRAME_Links,_FLTP_FRAME_RegisteredFilters,_FLT_OBJECT_PrimaryLink,_FLT_FILTER_DriverObject,_FLT_FILTER_InstanceList,_DRIVER_OBJECT_DriverInit,_FLT_INSTANCE_CallbackNodes,_FLT_INSTANCE_FilterLink
fltmgr_10240-16384.sys,254c0,58,68,8,48,10,60,68,58,a0,70
fltmgr_10240-18967.sys,254c0,58,68,8,48,10,60,68,58,a0,70
fltmgr_10240-19983.sys,254c0,58,68,8,48,10,60,68,58,a0,70
fltmgr_10586-0.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-0.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-2879.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-3297.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-3659.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-4467.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-4583.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-4946.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-5127.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_14393-5192.sys,25500,58,68,8,48,10,60,68,58,a0,70
fltmgr_15063-0.sys,27500,58,68,8,48,10,60,68,58,a0,70
fltmgr_15063-413.sys,27500,58,68,8,48,10,60,68,58,a0,70
fltmgr_15063-850.sys,27500,58,68,8,48,10,60,68,58,a0,70
fltmgr_15063-2161.sys,27500,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-15.sys,28540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-98.sys,28540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-99.sys,28540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-192.sys,28540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-371.sys,28540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-402.sys,28540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-1480.sys,28540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-1868.sys,27540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-2401.sys,27540,58,68,8,48,10,60,68,58,a0,70
fltmgr_16299-10000.sys,28540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17134-1.sys,29540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17134-228.sys,29540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17134-1098.sys,29540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17134-1365.sys,29540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17134-1456.sys,29540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-1.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-379.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-592.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-831.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-1999.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-2028.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-2061.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-2090.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-2510.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-4492.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-4644.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-4720.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-5122.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_17763-10576.sys,2a540,58,68,8,48,10,60,68,58,a0,70
fltmgr_18362-1.sys,2a580,58,68,8,48,10,60,68,58,a0,70
fltmgr_18362-267.sys,2a580,58,68,8,48,10,60,68,58,a0,70
fltmgr_18362-1110.sys,2a580,58,68,8,48,10,60,68,58,a0,70
fltmgr_18362-1216.sys,2a580,58,68,8,48,10,60,68,58,a0,70
fltmgr_18362-1645.sys,2a580,58,68,8,48,10,60,68,58,a0,70
fltmgr_18362-1714.sys,2a580,58,68,8,48,10,60,68,58,a0,70
fltmgr_18362-2337.sys,2a580,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-264.sys,2b600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-1151.sys,2b600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-1165.sys,2b600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-1503.sys,2a600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-1526.sys,2a600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-1682.sys,2b600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-1767.sys,2b600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-1806.sys,29600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-2728.sys,29600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-2788.sys,29600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-3086.sys,29600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-3205.sys,29600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-3570.sys,29600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-3636.sys,29600,58,68,8,48,10,60,68,58,a0,70
fltmgr_19041-3684.sys,29600,58,68,8,48,10,60,68,58,a0,70
fltmgr_21390-1.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-1.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-469.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-527.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-778.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-1098.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-1165.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-1219.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-1281.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-1696.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-1761.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-2124.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-2592.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22000-2600.sys,2b6c0,58,68,8,48,10,60,68,58,a8,70
fltmgr_22621-4.sys,2c700,58,68,8,48,10,60,68,58,a8,70
fltmgr_22621-608.sys,2c700,58,68,8,48,10,60,68,58,a8,70
fltmgr_22621-1690.sys,2c700,58,68,8,48,10,60,68,58,a8,70
fltmgr_22621-2361.sys,2e700,58,68,8,48,10,60,68,58,a8,70
fltmgr_22621-2415.sys,2e700,58,68,8,48,10,60,68,58,a8,70
fltmgr_22621-2506.sys,2e700,58,68,8,48,10,60,68,58,a8,70
fltmgr_22621-2771.sys,2e700,58,68,8,48,10,60,68,58,a8,70
1 fltmgrVersion FltGlobals _GLOBALS_FrameList _FLT_RESOURCE_LIST_HEAD_rList _FLTP_FRAME_Links _FLTP_FRAME_RegisteredFilters _FLT_OBJECT_PrimaryLink _FLT_FILTER_DriverObject _FLT_FILTER_InstanceList _DRIVER_OBJECT_DriverInit _FLT_INSTANCE_CallbackNodes _FLT_INSTANCE_FilterLink
2 fltmgr_10240-16384.sys 254c0 58 68 8 48 10 60 68 58 a0 70
3 fltmgr_10240-18967.sys 254c0 58 68 8 48 10 60 68 58 a0 70
4 fltmgr_10240-19983.sys 254c0 58 68 8 48 10 60 68 58 a0 70
5 fltmgr_10586-0.sys 25500 58 68 8 48 10 60 68 58 a0 70
6 fltmgr_14393-0.sys 25500 58 68 8 48 10 60 68 58 a0 70
7 fltmgr_14393-2879.sys 25500 58 68 8 48 10 60 68 58 a0 70
8 fltmgr_14393-3297.sys 25500 58 68 8 48 10 60 68 58 a0 70
9 fltmgr_14393-3659.sys 25500 58 68 8 48 10 60 68 58 a0 70
10 fltmgr_14393-4467.sys 25500 58 68 8 48 10 60 68 58 a0 70
11 fltmgr_14393-4583.sys 25500 58 68 8 48 10 60 68 58 a0 70
12 fltmgr_14393-4946.sys 25500 58 68 8 48 10 60 68 58 a0 70
13 fltmgr_14393-5127.sys 25500 58 68 8 48 10 60 68 58 a0 70
14 fltmgr_14393-5192.sys 25500 58 68 8 48 10 60 68 58 a0 70
15 fltmgr_15063-0.sys 27500 58 68 8 48 10 60 68 58 a0 70
16 fltmgr_15063-413.sys 27500 58 68 8 48 10 60 68 58 a0 70
17 fltmgr_15063-850.sys 27500 58 68 8 48 10 60 68 58 a0 70
18 fltmgr_15063-2161.sys 27500 58 68 8 48 10 60 68 58 a0 70
19 fltmgr_16299-15.sys 28540 58 68 8 48 10 60 68 58 a0 70
20 fltmgr_16299-98.sys 28540 58 68 8 48 10 60 68 58 a0 70
21 fltmgr_16299-99.sys 28540 58 68 8 48 10 60 68 58 a0 70
22 fltmgr_16299-192.sys 28540 58 68 8 48 10 60 68 58 a0 70
23 fltmgr_16299-371.sys 28540 58 68 8 48 10 60 68 58 a0 70
24 fltmgr_16299-402.sys 28540 58 68 8 48 10 60 68 58 a0 70
25 fltmgr_16299-1480.sys 28540 58 68 8 48 10 60 68 58 a0 70
26 fltmgr_16299-1868.sys 27540 58 68 8 48 10 60 68 58 a0 70
27 fltmgr_16299-2401.sys 27540 58 68 8 48 10 60 68 58 a0 70
28 fltmgr_16299-10000.sys 28540 58 68 8 48 10 60 68 58 a0 70
29 fltmgr_17134-1.sys 29540 58 68 8 48 10 60 68 58 a0 70
30 fltmgr_17134-228.sys 29540 58 68 8 48 10 60 68 58 a0 70
31 fltmgr_17134-1098.sys 29540 58 68 8 48 10 60 68 58 a0 70
32 fltmgr_17134-1365.sys 29540 58 68 8 48 10 60 68 58 a0 70
33 fltmgr_17134-1456.sys 29540 58 68 8 48 10 60 68 58 a0 70
34 fltmgr_17763-1.sys 2a540 58 68 8 48 10 60 68 58 a0 70
35 fltmgr_17763-379.sys 2a540 58 68 8 48 10 60 68 58 a0 70
36 fltmgr_17763-592.sys 2a540 58 68 8 48 10 60 68 58 a0 70
37 fltmgr_17763-831.sys 2a540 58 68 8 48 10 60 68 58 a0 70
38 fltmgr_17763-1999.sys 2a540 58 68 8 48 10 60 68 58 a0 70
39 fltmgr_17763-2028.sys 2a540 58 68 8 48 10 60 68 58 a0 70
40 fltmgr_17763-2061.sys 2a540 58 68 8 48 10 60 68 58 a0 70
41 fltmgr_17763-2090.sys 2a540 58 68 8 48 10 60 68 58 a0 70
42 fltmgr_17763-2510.sys 2a540 58 68 8 48 10 60 68 58 a0 70
43 fltmgr_17763-4492.sys 2a540 58 68 8 48 10 60 68 58 a0 70
44 fltmgr_17763-4644.sys 2a540 58 68 8 48 10 60 68 58 a0 70
45 fltmgr_17763-4720.sys 2a540 58 68 8 48 10 60 68 58 a0 70
46 fltmgr_17763-5122.sys 2a540 58 68 8 48 10 60 68 58 a0 70
47 fltmgr_17763-10576.sys 2a540 58 68 8 48 10 60 68 58 a0 70
48 fltmgr_18362-1.sys 2a580 58 68 8 48 10 60 68 58 a0 70
49 fltmgr_18362-267.sys 2a580 58 68 8 48 10 60 68 58 a0 70
50 fltmgr_18362-1110.sys 2a580 58 68 8 48 10 60 68 58 a0 70
51 fltmgr_18362-1216.sys 2a580 58 68 8 48 10 60 68 58 a0 70
52 fltmgr_18362-1645.sys 2a580 58 68 8 48 10 60 68 58 a0 70
53 fltmgr_18362-1714.sys 2a580 58 68 8 48 10 60 68 58 a0 70
54 fltmgr_18362-2337.sys 2a580 58 68 8 48 10 60 68 58 a0 70
55 fltmgr_19041-264.sys 2b600 58 68 8 48 10 60 68 58 a0 70
56 fltmgr_19041-1151.sys 2b600 58 68 8 48 10 60 68 58 a0 70
57 fltmgr_19041-1165.sys 2b600 58 68 8 48 10 60 68 58 a0 70
58 fltmgr_19041-1503.sys 2a600 58 68 8 48 10 60 68 58 a0 70
59 fltmgr_19041-1526.sys 2a600 58 68 8 48 10 60 68 58 a0 70
60 fltmgr_19041-1682.sys 2b600 58 68 8 48 10 60 68 58 a0 70
61 fltmgr_19041-1767.sys 2b600 58 68 8 48 10 60 68 58 a0 70
62 fltmgr_19041-1806.sys 29600 58 68 8 48 10 60 68 58 a0 70
63 fltmgr_19041-2728.sys 29600 58 68 8 48 10 60 68 58 a0 70
64 fltmgr_19041-2788.sys 29600 58 68 8 48 10 60 68 58 a0 70
65 fltmgr_19041-3086.sys 29600 58 68 8 48 10 60 68 58 a0 70
66 fltmgr_19041-3205.sys 29600 58 68 8 48 10 60 68 58 a0 70
67 fltmgr_19041-3570.sys 29600 58 68 8 48 10 60 68 58 a0 70
68 fltmgr_19041-3636.sys 29600 58 68 8 48 10 60 68 58 a0 70
69 fltmgr_19041-3684.sys 29600 58 68 8 48 10 60 68 58 a0 70
70 fltmgr_21390-1.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
71 fltmgr_22000-1.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
72 fltmgr_22000-469.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
73 fltmgr_22000-527.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
74 fltmgr_22000-778.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
75 fltmgr_22000-1098.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
76 fltmgr_22000-1165.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
77 fltmgr_22000-1219.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
78 fltmgr_22000-1281.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
79 fltmgr_22000-1696.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
80 fltmgr_22000-1761.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
81 fltmgr_22000-2124.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
82 fltmgr_22000-2592.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
83 fltmgr_22000-2600.sys 2b6c0 58 68 8 48 10 60 68 58 a8 70
84 fltmgr_22621-4.sys 2c700 58 68 8 48 10 60 68 58 a8 70
85 fltmgr_22621-608.sys 2c700 58 68 8 48 10 60 68 58 a8 70
86 fltmgr_22621-1690.sys 2c700 58 68 8 48 10 60 68 58 a8 70
87 fltmgr_22621-2361.sys 2e700 58 68 8 48 10 60 68 58 a8 70
88 fltmgr_22621-2415.sys 2e700 58 68 8 48 10 60 68 58 a8 70
89 fltmgr_22621-2506.sys 2e700 58 68 8 48 10 60 68 58 a8 70
90 fltmgr_22621-2771.sys 2e700 58 68 8 48 10 60 68 58 a8 70