From eadbeaaad0d196b211e87ffc0b31b39c94047baf Mon Sep 17 00:00:00 2001
From: Maxime Meignan
Date: Fri, 3 Nov 2023 16:23:17 +0100
Subject: [PATCH] Added directions when the vulnerable driver does not unload correctly
---
 EDRSandblast_CLI/EDRSandblast.c | 2 +-
 EDRSandblast_StaticLibrary/EDRSandblast_API.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/EDRSandblast_CLI/EDRSandblast.c b/EDRSandblast_CLI/EDRSandblast.c
index a8f45f0..90d67ef 100644
--- a/EDRSandblast_CLI/EDRSandblast.c
+++ b/EDRSandblast_CLI/EDRSandblast.c
@@ -887,7 +887,7 @@ Dump options:\n\
 status = UninstallVulnerableDriver();
 if (status == FALSE) {
 _putts_or_not(TEXT("[!] An error occured while attempting to uninstall the vulnerable driver"));
- _tprintf_or_not(TEXT("[*] The service should be manually deleted: cmd /c sc delete %s\n"), GetDriverServiceName());
+ _tprintf_or_not(TEXT("[*] The service should be manually deleted and the computer restarted. Use: cmd /c sc delete %s\n"), GetDriverServiceName());
 lpExitCode = EXIT_FAILURE;
 }
 else {
diff --git a/EDRSandblast_StaticLibrary/EDRSandblast_API.c b/EDRSandblast_StaticLibrary/EDRSandblast_API.c
index f284205..dd0c86b 100644
--- a/EDRSandblast_StaticLibrary/EDRSandblast_API.c
+++ b/EDRSandblast_StaticLibrary/EDRSandblast_API.c
@@ -755,7 +755,11 @@ VOID EDRSB_CleanUp(_Inout_ EDRSB_CONTEXT* ctx) {
 BOOL status = UninstallVulnerableDriver();
 if (status == FALSE) {
 _putts_or_not(TEXT("[!] An error occured while attempting to uninstall the vulnerable driver"));
- _tprintf_or_not(TEXT("[*] The service should be manually deleted: cmd /c sc delete %s\n"), GetDriverServiceName());
+ _tprintf_or_not(TEXT("[*] Executing: cmd /c sc delete %s\n"), GetDriverServiceName());
+ TCHAR cmd[MAX_PATH] = { 0 };
+ wsprintf(cmd, TEXT("cmd /c sc delete %s"), GetDriverServiceName());
+ _wsystem(cmd);
+ _putts_or_not(TEXT("[!] Please restart the machine for the uninstallation to be complete"));
 }
 }
 }
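Review bot: In the EDRSandblast_API.c hunk the command line is assembled with `wsprintf`, which takes no destination size, so if `GetDriverServiceName()` can ever return a name long enough the write runs past the `MAX_PATH` array `cmd`; the bounded form `_sntprintf_s(cmd, MAX_PATH, _TRUNCATE, TEXT("cmd /c sc delete %s"), GetDriverServiceName());` keeps it inside the buffer. The result of `_wsystem` is discarded, so a failed `sc delete` is still followed by the "Please restart the machine" message; `if (_tsystem(cmd) != 0) { _putts_or_not(TEXT("[!] sc delete failed, the service must be deleted manually")); }` reports it, and `_tsystem` also matches the `TCHAR` buffer in both narrow and wide builds, whereas handing a `TCHAR` array to `_wsystem` only type-checks under UNICODE. The CLI hunk keeps the print-only behaviour while the library path now launches an external shell command during cleanup, so the two paths no longer agree and EDRSB_CleanUp's documentation should state that it may execute `sc delete` on the caller's behalf. EDRSB_CleanUp begins before the hunk.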