Header inclusion feng-shui (each file only includes what it needs)

EDRSandblast/EDRBypass/ETWThreatIntel.c

@@ -5,7 +5,12 @@
 
 */
 
+#include <Windows.h>
+#include <Tchar.h>
+
 #include "ETWThreatIntel.h"
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
 
 DWORD64 GetEtwThreatIntProvRegHandleAddress() {
     if (ntoskrnlOffsets.st.etwThreatIntProvRegHandle == 0x0) {

EDRSandblast/EDRBypass/KernelCallbacks.c

@@ -5,7 +5,11 @@
 
 */
 
+#include <Windows.h>
+#include <Tchar.h>
 #include "KernelCallbacks.h"
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
 
 // List of EDR drivers for which Kernel callbacks will be impacted.
 // Source: https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes

EDRSandblast/EDRSandBlast.h

@@ -1,30 +1,5 @@
 #pragma once
 
-#include <Windows.h>
-#include <aclapi.h>
-#include <stdio.h>
-#include <Dbghelp.h>
-#include <stdlib.h>
-#include <Psapi.h>
-#include <Tchar.h>
-#include <time.h>
-#include <tlhelp32.h>
-#include <malloc.h>
-#include <assert.h>
-
-#include "CredGuard.h"
-#include "DriverOps.h"
-#include "ETWThreatIntel.h"
-#include "FileVersion.h"
-#include "KernelCallbacks.h"
-#include "KernelMemoryPrimitives.h"
-#include "KernelPatternSearch.h"
-#include "LSASSDump.h"
-#include "NtoskrnlOffsets.h"
-#include "RunAsPPL.h"
-#include "WdigestOffsets.h"
-#include "UserlandHooks.h"
-
 typedef enum _START_MODE {
     dump,
     cmd,

EDRSandblast/EDRSandblast.c

@@ -1,3 +1,21 @@
+#include <Windows.h>
+#include <stdio.h>
+#include <Tchar.h>
+
+#ifdef _DEBUG
+#include <assert.h>
+#endif
+
+#include "CredGuard.h"
+#include "DriverOps.h"
+#include "ETWThreatIntel.h"
+#include "KernelCallbacks.h"
+#include "LSASSDump.h"
+#include "NtoskrnlOffsets.h"
+#include "RunAsPPL.h"
+#include "WdigestOffsets.h"
+#include "UserlandHooks.h"
+
 #include "EDRSandBlast.h"
 
 /*

EDRSandblast/EDRSandblast.vcxproj.filters

@@ -13,9 +13,6 @@
       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
     </Filter>
-    <Filter Include="Source Files\LSASSProtectionBypass">
-      <UniqueIdentifier>{54b0d87a-da5b-4c62-99f2-30e8848bbfda}</UniqueIdentifier>
-    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="EDRSandblast.c">

EDRSandblast/Includes/CredGuard.h

@@ -1,11 +1,5 @@
 #pragma once
 
 #include <Windows.h>
-#include <stdio.h>
-
-#include <Psapi.h>
-#include <tlhelp32.h>
-
-#include "WdigestOffsets.h"
 
 DWORD WINAPI disableCredGuardByPatchingLSASS(void);

EDRSandblast/Includes/DriverOps.h

@@ -6,13 +6,7 @@
 */
 
 #pragma once
-
 #include <Windows.h>
-#include <aclapi.h>
-#include <Tchar.h>
-#include <stdio.h>
-#include <time.h>
-
 
 #if !defined(PRINT_ERROR_AUTO)
 #define PRINT_ERROR_AUTO(func) (_tprintf(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError()))

EDRSandblast/Includes/ETWThreatIntel.h

@@ -8,11 +8,6 @@
 #pragma once
 
 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>
-
-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"
 
 #define DISABLE_PROVIDER 0x0
 #define ENABLE_PROVIDER 0x1

EDRSandblast/Includes/FileVersion.h

@@ -1,8 +1,6 @@
 #pragma once
 
 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>
 
 void GetFileVersion(TCHAR* buffer, SIZE_T bufferLen, TCHAR* filename);
 

EDRSandblast/Includes/KernelCallbacks.h

@@ -8,12 +8,7 @@
 #pragma once
 
 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>
 
-#include "DriverOps.h"
-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"
 
 /*
 * PspCreateProcessNotifyRoutine / PspCreateThreadNotifyRoutine max: 64 callbacks

EDRSandblast/Includes/KernelMemoryPrimitives.h

@@ -8,9 +8,6 @@
 #pragma once
 
 #include <Windows.h>
-#include <Psapi.h>
-#include <Tchar.h>
-#include <stdio.h>
 
 
 struct RTCORE64_MSR_READ {

EDRSandblast/Includes/KernelPatternSearch.h

@@ -8,10 +8,6 @@
 #pragma once
 
 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>
-
-#include "KernelMemoryPrimitives.h"
 
 DWORD64 PatternSearchStartingFromAddress(HANDLE Device, DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask);
 

EDRSandblast/Includes/LSASSDump.h

@@ -7,9 +7,6 @@
 #pragma once
 
 #include <Windows.h>
-#include <Dbghelp.h>
+
-#include <Tchar.h>
-#include <stdio.h>
-#include <tlhelp32.h>
 
 DWORD WINAPI dumpLSASSProcess(void* data);

EDRSandblast/Includes/NtoskrnlOffsets.h

@@ -8,9 +8,7 @@
 #pragma once
 
 #include <Windows.h>
-#include <Tchar.h>
 
-#include "FileVersion.h"
 
 enum NtoskrnlOffsetType {
     CREATE_PROCESS_ROUTINE = 0,

EDRSandblast/Includes/RunAsPPL.h

@@ -9,11 +9,7 @@
 #pragma once
 
 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>
 
-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"
 
 //extern union NtoskrnlOffsets ntoskrnlOffsets;
 

EDRSandblast/Includes/UserlandHooks.h

@@ -1,12 +1,5 @@
 #pragma once
-#include <Windows.h>
-#include "Undoc.h"
 #include "PEParser.h"
-#include "PEBBrowse.h"
-#include <stdio.h>
-#include <TlHelp32.h>
-#include <DbgHelp.h>
-#include <pathcch.h>
 
 typedef struct diff_t {
 	PVOID disk_ptr;

EDRSandblast/Includes/WdigestOffsets.h

@@ -9,9 +9,7 @@
 #pragma once
 
 #include <Windows.h>
-#include <Tchar.h>
 
-#include "FileVersion.h"
 
 enum WdigestOffsetType {
     g_fParameter_UseLogonCredential = 0,

EDRSandblast/LSASSProtectionBypass/CredGuard.c

@@ -1,4 +1,10 @@
-#include "CredGuard.h"
+#include <Windows.h>
+#include <stdio.h>
+#include <Psapi.h>
+#include <tlhelp32.h>
+#include <Tchar.h>
+
+#include "WdigestOffsets.h"
 
 DWORD WINAPI disableCredGuardByPatchingLSASS(void) {
     HANDLE hProcessSnap;

EDRSandblast/LSASSProtectionBypass/RunAsPPL.c

@@ -4,7 +4,10 @@
 --- The code to locate the EPROCESS structure is adapted from:
     http://blog.rewolf.pl/blog/?p=1683
 */
+#include <tchar.h>
 
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
 #include "RunAsPPL.h"
 
 DWORD64 GetSelfEPROCESSAddress(BOOL verbose) {

EDRSandblast/Userland/PEBBrowse.c

@@ -1,3 +1,7 @@
+/*
+* Functions that browse the PEB structure instead of relying on GetModuleHandle
+*/
+
 #include "Undoc.h"
 #include "PEBBrowse.h"
 #include <stdio.h>

EDRSandblast/Userland/PEParser.c

@@ -1,3 +1,8 @@
+/*
+* Full library whose job is to parse PE structures, on disk, on memory and even in another process memory
+* Among other things, reimplements GetProcAddress and the PE relocation process
+*/
+
 #include "PEParser.h"
 #include <stdio.h>
 #include <assert.h>

EDRSandblast/Userland/UserlandHooks.c

@@ -1,7 +1,14 @@
-// FreeHookers.cpp : This file contains the 'main' function. Program execution begins and ends there.
+/*
-//
+* All the logic that detects, resolves, patch userland hooks and other related structures
+*/
+
+#include <Windows.h>
+#include <PathCch.h>
+#include <stdio.h>
 
 #include "UserlandHooks.h"
+#include "PEBBrowse.h"
+#include "Undoc.h"
 
 #define NT_SUCCESS(StatCode) ((NTSTATUS)(StatCode)>=0)
 

EDRSandblast/Utils/DriverOps.c

@@ -4,6 +4,10 @@
 --- Source and credit: https://github.com/gentilkiwi/mimikatz
 
 */
+#include <Windows.h>
+#include <aclapi.h>
+#include <Tchar.h>
+#include <time.h>
 
 #include "DriverOps.h"
 

EDRSandblast/Utils/FileVersion.c

@@ -3,6 +3,8 @@
 --- ntoskrnl.exe / wdigest.dll version compute functions.
 
 */
+#include <Tchar.h>
+#include <stdio.h>
 
 #include "FileVersion.h"
 

EDRSandblast/Utils/KernelMemoryPrimitives.c

@@ -4,6 +4,9 @@
 --- Source and credit: https://github.com/Barakat/CVE-2019-16098/blob/master/CVE-2019-16098.cpp
 
 */
+#include <Windows.h>
+#include <Tchar.h>
+#include <Psapi.h>
 
 #include "KernelMemoryPrimitives.h"
 

EDRSandblast/Utils/KernelPatternSearch.c

@@ -4,8 +4,9 @@
 --- Ultimately not used because too unreliable and too prone to BSoD.
 
 */
-
+#include <Windows.h>
-#include "KernelPatternSearch.h"
+#include <Tchar.h>
+#include "KernelMemoryPrimitives.h"
 
 DWORD64 PatternSearchStartingFromAddress(HANDLE Device, DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask) {
     for (DWORD i = 0; i < bytesToScan; i++) {

EDRSandblast/Utils/LSASSDump.c

@@ -3,7 +3,10 @@
 --- LSASS dump functions.
 
 */
-
+#include <Windows.h>
+#include <TlHelp32.h>
+#include <minidumpapiset.h>
+#include <tchar.h>
 #include "LSASSDump.h"
 
 BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)

EDRSandblast/Utils/NtoskrnlOffsets.c

@@ -4,8 +4,11 @@
 --- Hardcoded patterns, with offsets for 350+ ntoskrnl versions provided in the CSV file.
 
 */
+#include <tchar.h>
+#include <stdio.h>
 
 #include "NtoskrnlOffsets.h"
+#include "FileVersion.h"
 
 union NtoskrnlOffsets ntoskrnlOffsets = { 0 };
 

EDRSandblast/Utils/WdigestOffsets.c

@@ -6,6 +6,10 @@
 
 */
 
+#include <tchar.h>
+#include <stdio.h>
+
+#include "FileVersion.h"
 #include "WdigestOffsets.h"
 
 union WdigestOffsets wdigestOffsets = { 0 };