diff --git a/EDRSandblast/EDRBypass/ETWThreatIntel.c b/EDRSandblast/EDRBypass/ETWThreatIntel.c
index df836ff..48eec3c 100644
--- a/EDRSandblast/EDRBypass/ETWThreatIntel.c
+++ b/EDRSandblast/EDRBypass/ETWThreatIntel.c
@@ -5,7 +5,12 @@
 */
+#include
+#include
+
 #include "ETWThreatIntel.h"
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
 DWORD64 GetEtwThreatIntProvRegHandleAddress() {
 if (ntoskrnlOffsets.st.etwThreatIntProvRegHandle == 0x0) {
diff --git a/EDRSandblast/EDRBypass/KernelCallbacks.c b/EDRSandblast/EDRBypass/KernelCallbacks.c
index 8a1088c..e3796ce 100644
--- a/EDRSandblast/EDRBypass/KernelCallbacks.c
+++ b/EDRSandblast/EDRBypass/KernelCallbacks.c
@@ -5,7 +5,11 @@
 */
+#include
+#include
 #include "KernelCallbacks.h"
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
 // List of EDR drivers for which Kernel callbacks will be impacted.
 // Source: https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
diff --git a/EDRSandblast/EDRSandBlast.h b/EDRSandblast/EDRSandBlast.h
index 62329a8..1f28085 100644
--- a/EDRSandblast/EDRSandBlast.h
+++ b/EDRSandblast/EDRSandBlast.h
@@ -1,30 +1,5 @@
 #pragma once
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "CredGuard.h"
-#include "DriverOps.h"
-#include "ETWThreatIntel.h"
-#include "FileVersion.h"
-#include "KernelCallbacks.h"
-#include "KernelMemoryPrimitives.h"
-#include "KernelPatternSearch.h"
-#include "LSASSDump.h"
-#include "NtoskrnlOffsets.h"
-#include "RunAsPPL.h"
-#include "WdigestOffsets.h"
-#include "UserlandHooks.h"
-
 typedef enum _START_MODE {
 dump,
 cmd,
diff --git a/EDRSandblast/EDRSandblast.c b/EDRSandblast/EDRSandblast.c
index 7f6a970..4ad624b 100644
--- a/EDRSandblast/EDRSandblast.c
+++ b/EDRSandblast/EDRSandblast.c
@@ -1,3 +1,21 @@
+#include
+#include
+#include
+
+#ifdef _DEBUG
+#include
+#endif
+
+#include "CredGuard.h"
+#include "DriverOps.h"
+#include "ETWThreatIntel.h"
+#include "KernelCallbacks.h"
+#include "LSASSDump.h"
+#include "NtoskrnlOffsets.h"
+#include "RunAsPPL.h"
+#include "WdigestOffsets.h"
+#include "UserlandHooks.h"
+
 #include "EDRSandBlast.h"
 /*
diff --git a/EDRSandblast/EDRSandblast.vcxproj.filters b/EDRSandblast/EDRSandblast.vcxproj.filters
index 614e3eb..43a78e9 100644
--- a/EDRSandblast/EDRSandblast.vcxproj.filters
+++ b/EDRSandblast/EDRSandblast.vcxproj.filters
@@ -13,9 +13,6 @@
 {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms - - {54b0d87a-da5b-4c62-99f2-30e8848bbfda} -
diff --git a/EDRSandblast/Includes/CredGuard.h b/EDRSandblast/Includes/CredGuard.h
index 6ff7179..9a1e533 100644
--- a/EDRSandblast/Includes/CredGuard.h
+++ b/EDRSandblast/Includes/CredGuard.h
@@ -1,11 +1,5 @@
 #pragma once
 #include
-#include
-
-#include
-#include
-
-#include "WdigestOffsets.h"
 DWORD WINAPI disableCredGuardByPatchingLSASS(void);
diff --git a/EDRSandblast/Includes/DriverOps.h b/EDRSandblast/Includes/DriverOps.h
index 88ee272..51f2f76 100644
--- a/EDRSandblast/Includes/DriverOps.h
+++ b/EDRSandblast/Includes/DriverOps.h
@@ -6,13 +6,7 @@
 */
 #pragma once
-
 #include
-#include
-#include
-#include
-#include
-
 #if !defined(PRINT_ERROR_AUTO)
 #define PRINT_ERROR_AUTO(func) (_tprintf(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError()))
diff --git a/EDRSandblast/Includes/ETWThreatIntel.h b/EDRSandblast/Includes/ETWThreatIntel.h
index 77d1ad8..bab3202 100644
--- a/EDRSandblast/Includes/ETWThreatIntel.h
+++ b/EDRSandblast/Includes/ETWThreatIntel.h
@@ -8,11 +8,6 @@
 #pragma once
 #include
-#include
-#include
-
-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"
 #define DISABLE_PROVIDER 0x0
 #define ENABLE_PROVIDER 0x1
diff --git a/EDRSandblast/Includes/FileVersion.h b/EDRSandblast/Includes/FileVersion.h
index 53b448e..259b089 100644
--- a/EDRSandblast/Includes/FileVersion.h
+++ b/EDRSandblast/Includes/FileVersion.h
@@ -1,8 +1,6 @@
 #pragma once
 #include
-#include
-#include
 void GetFileVersion(TCHAR* buffer, SIZE_T bufferLen, TCHAR* filename);
diff --git a/EDRSandblast/Includes/KernelCallbacks.h b/EDRSandblast/Includes/KernelCallbacks.h
index 1e902bc..70349e9 100644
--- a/EDRSandblast/Includes/KernelCallbacks.h
+++ b/EDRSandblast/Includes/KernelCallbacks.h
@@ -8,12 +8,7 @@
 #pragma once
 #include
-#include
-#include
-#include "DriverOps.h"
-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"
 /* * PspCreateProcessNotifyRoutine / PspCreateThreadNotifyRoutine max: 64 callbacks
diff --git a/EDRSandblast/Includes/KernelMemoryPrimitives.h b/EDRSandblast/Includes/KernelMemoryPrimitives.h
index 1383aff..2c63593 100644
--- a/EDRSandblast/Includes/KernelMemoryPrimitives.h
+++ b/EDRSandblast/Includes/KernelMemoryPrimitives.h
@@ -8,9 +8,6 @@
 #pragma once
 #include
-#include
-#include
-#include
 struct RTCORE64_MSR_READ {
diff --git a/EDRSandblast/Includes/KernelPatternSearch.h b/EDRSandblast/Includes/KernelPatternSearch.h
index 6f5d2b6..df6e9fc 100644
--- a/EDRSandblast/Includes/KernelPatternSearch.h
+++ b/EDRSandblast/Includes/KernelPatternSearch.h
@@ -8,10 +8,6 @@
 #pragma once
 #include
-#include
-#include
-
-#include "KernelMemoryPrimitives.h"
 DWORD64 PatternSearchStartingFromAddress(HANDLE Device, DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask);
diff --git a/EDRSandblast/Includes/LSASSDump.h b/EDRSandblast/Includes/LSASSDump.h
index 2b8f174..a86019e 100644
--- a/EDRSandblast/Includes/LSASSDump.h
+++ b/EDRSandblast/Includes/LSASSDump.h
@@ -7,9 +7,6 @@
 #pragma once
 #include
-#include
-#include
-#include
-#include
+
 DWORD WINAPI dumpLSASSProcess(void* data);
\ No newline at end of file
diff --git a/EDRSandblast/Includes/NtoskrnlOffsets.h b/EDRSandblast/Includes/NtoskrnlOffsets.h
index 92b9770..d79e503 100644
--- a/EDRSandblast/Includes/NtoskrnlOffsets.h
+++ b/EDRSandblast/Includes/NtoskrnlOffsets.h
@@ -8,9 +8,7 @@
 #pragma once
 #include
-#include
-#include "FileVersion.h"
 enum NtoskrnlOffsetType {
 CREATE_PROCESS_ROUTINE = 0,
diff --git a/EDRSandblast/Includes/RunAsPPL.h b/EDRSandblast/Includes/RunAsPPL.h
index eb73ac2..a530a15 100644
--- a/EDRSandblast/Includes/RunAsPPL.h
+++ b/EDRSandblast/Includes/RunAsPPL.h
@@ -9,11 +9,7 @@
 #pragma once
 #include
-#include
-#include
-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"
 //extern union NtoskrnlOffsets ntoskrnlOffsets;
diff --git a/EDRSandblast/Includes/UserlandHooks.h b/EDRSandblast/Includes/UserlandHooks.h
index 1319421..22f73f8 100644
--- a/EDRSandblast/Includes/UserlandHooks.h
+++ b/EDRSandblast/Includes/UserlandHooks.h
@@ -1,12 +1,5 @@
 #pragma once
-#include
-#include "Undoc.h"
 #include "PEParser.h"
-#include "PEBBrowse.h"
-#include
-#include
-#include
-#include
 typedef struct diff_t {
 PVOID disk_ptr;
diff --git a/EDRSandblast/Includes/WdigestOffsets.h b/EDRSandblast/Includes/WdigestOffsets.h
index 00dc050..8d5d734 100644
--- a/EDRSandblast/Includes/WdigestOffsets.h
+++ b/EDRSandblast/Includes/WdigestOffsets.h
@@ -9,9 +9,7 @@
 #pragma once
 #include
-#include
-#include "FileVersion.h"
 enum WdigestOffsetType {
 g_fParameter_UseLogonCredential = 0,
diff --git a/EDRSandblast/LSASSProtectionBypass/CredGuard.c b/EDRSandblast/LSASSProtectionBypass/CredGuard.c
index 277c764..617697d 100644
--- a/EDRSandblast/LSASSProtectionBypass/CredGuard.c
+++ b/EDRSandblast/LSASSProtectionBypass/CredGuard.c
@@ -1,4 +1,10 @@
-#include "CredGuard.h"
+#include
+#include
+#include
+#include
+#include
+
+#include "WdigestOffsets.h"
 DWORD WINAPI disableCredGuardByPatchingLSASS(void) {
 HANDLE hProcessSnap;
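Review bot: CredGuard.c stops including its own header: the hunk removes `#include "CredGuard.h"` and nothing in it re-adds that line, so the definition of `disableCredGuardByPatchingLSASS` in this translation unit is no longer compiled against the prototype declared in `Includes/CredGuard.h`, and any future drift between the two would surface only at link time or as undefined behaviour in the caller rather than as a compile error. Keeping `#include "CredGuard.h"` in the file (conventionally as the first include) restores that check and also proves the header is still self-contained after this commit stripped its other includes. `Utils/KernelPatternSearch.c` has the same issue: its hunk drops `#include "KernelPatternSearch.h"` in favour of `KernelMemoryPrimitives.h` while still defining `PatternSearchStartingFromAddress`, which the header declares.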
diff --git a/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c b/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c
index 7dcd469..6a15cd1 100644
--- a/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c
+++ b/EDRSandblast/LSASSProtectionBypass/RunAsPPL.c
@@ -4,7 +4,10 @@
 --- The code to locate the EPROCESS structure is adapted from: http://blog.rewolf.pl/blog/?p=1683
 */
+#include
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
 #include "RunAsPPL.h"
 DWORD64 GetSelfEPROCESSAddress(BOOL verbose) {
diff --git a/EDRSandblast/Userland/PEBBrowse.c b/EDRSandblast/Userland/PEBBrowse.c
index de24f0b..f5b226b 100644
--- a/EDRSandblast/Userland/PEBBrowse.c
+++ b/EDRSandblast/Userland/PEBBrowse.c
@@ -1,3 +1,7 @@
+/*
+* Functions that browse the PEB structure instead of relying on GetModuleHandle
+*/
+
 #include "Undoc.h"
 #include "PEBBrowse.h"
 #include
diff --git a/EDRSandblast/Userland/PEParser.c b/EDRSandblast/Userland/PEParser.c
index ec5fd41..a2e5581 100644
--- a/EDRSandblast/Userland/PEParser.c
+++ b/EDRSandblast/Userland/PEParser.c
@@ -1,3 +1,8 @@
+/*
+* Full library whose job is to parse PE structures, on disk, on memory and even in another process memory
+* Among other things, reimplements GetProcAddress and the PE relocation process
+*/
+
 #include "PEParser.h"
 #include
 #include
diff --git a/EDRSandblast/Userland/UserlandHooks.c b/EDRSandblast/Userland/UserlandHooks.c
index f65dbb2..89fea7b 100644
--- a/EDRSandblast/Userland/UserlandHooks.c
+++ b/EDRSandblast/Userland/UserlandHooks.c
@@ -1,7 +1,14 @@
-// FreeHookers.cpp : This file contains the 'main' function. Program execution begins and ends there.
-//
+/*
+* All the logic that detects, resolves, patch userland hooks and other related structures
+*/
+
+#include
+#include
+#include
 #include "UserlandHooks.h"
+#include "PEBBrowse.h"
+#include "Undoc.h"
 #define NT_SUCCESS(StatCode) ((NTSTATUS)(StatCode)>=0)
diff --git a/EDRSandblast/Utils/DriverOps.c b/EDRSandblast/Utils/DriverOps.c
index 2f5762c..8e0d0d6 100644
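Review bot: The new file-header comment in UserlandHooks.c has a verb-agreement slip in its only descriptive line; `* All the logic that detects, resolves, patch userland hooks and other related structures` should read `* All the logic that detects, resolves and patches userland hooks and other related structures`. The PEParser.c header added in the same commit has a similar wording issue in its first line, `* Full library whose job is to parse PE structures, on disk, on memory and even in another process memory`, which reads more clearly as `* Library that parses PE structures on disk, in memory and in another process's memory`. Both are comment-only changes with no effect on the code.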
--- a/EDRSandblast/Utils/DriverOps.c
+++ b/EDRSandblast/Utils/DriverOps.c
@@ -4,6 +4,10 @@
 --- Source and credit: https://github.com/gentilkiwi/mimikatz
 */
+#include
+#include
+#include
+#include
 #include "DriverOps.h"
diff --git a/EDRSandblast/Utils/FileVersion.c b/EDRSandblast/Utils/FileVersion.c
index e3a71f6..7a5d03d 100644
--- a/EDRSandblast/Utils/FileVersion.c
+++ b/EDRSandblast/Utils/FileVersion.c
@@ -3,6 +3,8 @@
 --- ntoskrnl.exe / wdigest.dll version compute functions.
 */
+#include
+#include
 #include "FileVersion.h"
diff --git a/EDRSandblast/Utils/KernelMemoryPrimitives.c b/EDRSandblast/Utils/KernelMemoryPrimitives.c
index bfb2616..1b29394 100644
--- a/EDRSandblast/Utils/KernelMemoryPrimitives.c
+++ b/EDRSandblast/Utils/KernelMemoryPrimitives.c
@@ -4,6 +4,9 @@
 --- Source and credit: https://github.com/Barakat/CVE-2019-16098/blob/master/CVE-2019-16098.cpp
 */
+#include
+#include
+#include
 #include "KernelMemoryPrimitives.h"
diff --git a/EDRSandblast/Utils/KernelPatternSearch.c b/EDRSandblast/Utils/KernelPatternSearch.c
index 7342b68..1a0048a 100644
--- a/EDRSandblast/Utils/KernelPatternSearch.c
+++ b/EDRSandblast/Utils/KernelPatternSearch.c
@@ -4,8 +4,9 @@
 --- Ultimately not used because too unreliable and too prone to BSoD.
 */
-
-#include "KernelPatternSearch.h"
+#include
+#include
+#include "KernelMemoryPrimitives.h"
 DWORD64 PatternSearchStartingFromAddress(HANDLE Device, DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask) {
 for (DWORD i = 0; i < bytesToScan; i++) {
diff --git a/EDRSandblast/Utils/LSASSDump.c b/EDRSandblast/Utils/LSASSDump.c
index 3538ba7..144a1c5 100644
--- a/EDRSandblast/Utils/LSASSDump.c
+++ b/EDRSandblast/Utils/LSASSDump.c
@@ -3,7 +3,10 @@
 --- LSASS dump functions.
 */
-
+#include
+#include
+#include
+#include
 #include "LSASSDump.h"
 BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
diff --git a/EDRSandblast/Utils/NtoskrnlOffsets.c b/EDRSandblast/Utils/NtoskrnlOffsets.c
index 1f09e8a..b9ea351 100644
--- a/EDRSandblast/Utils/NtoskrnlOffsets.c
+++ b/EDRSandblast/Utils/NtoskrnlOffsets.c
@@ -4,8 +4,11 @@
 --- Hardcoded patterns, with offsets for 350+ ntoskrnl versions provided in the CSV file.
 */
+#include
+#include
 #include "NtoskrnlOffsets.h"
+#include "FileVersion.h"
 union NtoskrnlOffsets ntoskrnlOffsets = { 0 };
diff --git a/EDRSandblast/Utils/WdigestOffsets.c b/EDRSandblast/Utils/WdigestOffsets.c
index 9243217..e45dc6a 100644
--- a/EDRSandblast/Utils/WdigestOffsets.c
+++ b/EDRSandblast/Utils/WdigestOffsets.c
@@ -6,6 +6,10 @@
 */
+#include
+#include
+
+#include "FileVersion.h"
 #include "WdigestOffsets.h"
 union WdigestOffsets wdigestOffsets = { 0 };