Header inclusion feng-shui (each file only includes what it needs)

2026-06-11 09:51:18 +00:00 · 2021-12-31 17:29:14 +01:00
parent 4ae1872ae9
commit fa75dd9ec1
29 changed files with 79 additions and 84 deletions
@@ -5,7 +5,12 @@

 */

+#include <Windows.h>
+#include <Tchar.h>
+
 #include "ETWThreatIntel.h"
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"

 DWORD64 GetEtwThreatIntProvRegHandleAddress() {
    if (ntoskrnlOffsets.st.etwThreatIntProvRegHandle == 0x0) {
@@ -5,7 +5,11 @@

 */

+#include <Windows.h>
+#include <Tchar.h>
 #include "KernelCallbacks.h"
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"

 // List of EDR drivers for which Kernel callbacks will be impacted.
 // Source: https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
@@ -1,30 +1,5 @@
 #pragma once

-#include <Windows.h>
-#include <aclapi.h>
-#include <stdio.h>
-#include <Dbghelp.h>
-#include <stdlib.h>
-#include <Psapi.h>
-#include <Tchar.h>
-#include <time.h>
-#include <tlhelp32.h>
-#include <malloc.h>
-#include <assert.h>
-
-#include "CredGuard.h"
-#include "DriverOps.h"
-#include "ETWThreatIntel.h"
-#include "FileVersion.h"
-#include "KernelCallbacks.h"
-#include "KernelMemoryPrimitives.h"
-#include "KernelPatternSearch.h"
-#include "LSASSDump.h"
-#include "NtoskrnlOffsets.h"
-#include "RunAsPPL.h"
-#include "WdigestOffsets.h"
-#include "UserlandHooks.h"
-
 typedef enum _START_MODE {
    dump,
    cmd,
@@ -1,3 +1,21 @@
+#include <Windows.h>
+#include <stdio.h>
+#include <Tchar.h>
+
+#ifdef _DEBUG
+#include <assert.h>
+#endif
+
+#include "CredGuard.h"
+#include "DriverOps.h"
+#include "ETWThreatIntel.h"
+#include "KernelCallbacks.h"
+#include "LSASSDump.h"
+#include "NtoskrnlOffsets.h"
+#include "RunAsPPL.h"
+#include "WdigestOffsets.h"
+#include "UserlandHooks.h"
+
 #include "EDRSandBlast.h"

 /*
@@ -13,9 +13,6 @@
      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
    </Filter>
-    <Filter Include="Source Files\LSASSProtectionBypass">
-      <UniqueIdentifier>{54b0d87a-da5b-4c62-99f2-30e8848bbfda}</UniqueIdentifier>
-    </Filter>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="EDRSandblast.c">
@@ -1,11 +1,5 @@
 #pragma once

 #include <Windows.h>
-#include <stdio.h>
-
-#include <Psapi.h>
-#include <tlhelp32.h>
-
-#include "WdigestOffsets.h"

 DWORD WINAPI disableCredGuardByPatchingLSASS(void);
@@ -6,13 +6,7 @@
 */

 #pragma once
-
 #include <Windows.h>
-#include <aclapi.h>
-#include <Tchar.h>
-#include <stdio.h>
-#include <time.h>
-

 #if !defined(PRINT_ERROR_AUTO)
 #define PRINT_ERROR_AUTO(func) (_tprintf(TEXT("[!] ERROR ") TEXT(__FUNCTION__) TEXT(" ; ") func TEXT(" (0x%08x)\n"), GetLastError()))
@@ -8,11 +8,6 @@
 #pragma once

 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>
-
-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"

 #define DISABLE_PROVIDER 0x0
 #define ENABLE_PROVIDER 0x1
@@ -1,8 +1,6 @@
 #pragma once

 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>

 void GetFileVersion(TCHAR* buffer, SIZE_T bufferLen, TCHAR* filename);

@@ -8,12 +8,7 @@
 #pragma once

 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>

-#include "DriverOps.h"
-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"

 /*
 * PspCreateProcessNotifyRoutine / PspCreateThreadNotifyRoutine max: 64 callbacks
@@ -8,9 +8,6 @@
 #pragma once

 #include <Windows.h>
-#include <Psapi.h>
-#include <Tchar.h>
-#include <stdio.h>


 struct RTCORE64_MSR_READ {
@@ -8,10 +8,6 @@
 #pragma once

 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>
-
-#include "KernelMemoryPrimitives.h"

 DWORD64 PatternSearchStartingFromAddress(HANDLE Device, DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask);

@@ -7,9 +7,6 @@
 #pragma once

 #include <Windows.h>
-#include <Dbghelp.h>
-#include <Tchar.h>
-#include <stdio.h>
-#include <tlhelp32.h>
+

 DWORD WINAPI dumpLSASSProcess(void* data);
@@ -8,9 +8,7 @@
 #pragma once

 #include <Windows.h>
-#include <Tchar.h>

-#include "FileVersion.h"

 enum NtoskrnlOffsetType {
    CREATE_PROCESS_ROUTINE = 0,
@@ -9,11 +9,7 @@
 #pragma once

 #include <Windows.h>
-#include <Tchar.h>
-#include <stdio.h>

-#include "KernelMemoryPrimitives.h"
-#include "NtoskrnlOffsets.h"

 //extern union NtoskrnlOffsets ntoskrnlOffsets;

@@ -1,12 +1,5 @@
 #pragma once
-#include <Windows.h>
-#include "Undoc.h"
 #include "PEParser.h"
-#include "PEBBrowse.h"
-#include <stdio.h>
-#include <TlHelp32.h>
-#include <DbgHelp.h>
-#include <pathcch.h>

 typedef struct diff_t {
 	PVOID disk_ptr;
@@ -9,9 +9,7 @@
 #pragma once

 #include <Windows.h>
-#include <Tchar.h>

-#include "FileVersion.h"

 enum WdigestOffsetType {
    g_fParameter_UseLogonCredential = 0,
@@ -1,4 +1,10 @@
-#include "CredGuard.h"
+#include <Windows.h>
+#include <stdio.h>
+#include <Psapi.h>
+#include <tlhelp32.h>
+#include <Tchar.h>
+
+#include "WdigestOffsets.h"

 DWORD WINAPI disableCredGuardByPatchingLSASS(void) {
    HANDLE hProcessSnap;
@@ -4,7 +4,10 @@
 --- The code to locate the EPROCESS structure is adapted from:
    http://blog.rewolf.pl/blog/?p=1683
 */
+#include <tchar.h>

+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
 #include "RunAsPPL.h"

 DWORD64 GetSelfEPROCESSAddress(BOOL verbose) {
@@ -1,3 +1,7 @@
+/*
+* Functions that browse the PEB structure instead of relying on GetModuleHandle
+*/
+
 #include "Undoc.h"
 #include "PEBBrowse.h"
 #include <stdio.h>
@@ -1,3 +1,8 @@
+/*
+* Full library whose job is to parse PE structures, on disk, on memory and even in another process memory
+* Among other things, reimplements GetProcAddress and the PE relocation process
+*/
+
 #include "PEParser.h"
 #include <stdio.h>
 #include <assert.h>
@@ -1,7 +1,14 @@
-// FreeHookers.cpp : This file contains the 'main' function. Program execution begins and ends there.
-//
+/*
+* All the logic that detects, resolves, patch userland hooks and other related structures
+*/
+
+#include <Windows.h>
+#include <PathCch.h>
+#include <stdio.h>

 #include "UserlandHooks.h"
+#include "PEBBrowse.h"
+#include "Undoc.h"

 #define NT_SUCCESS(StatCode) ((NTSTATUS)(StatCode)>=0)

@@ -4,6 +4,10 @@
 --- Source and credit: https://github.com/gentilkiwi/mimikatz

 */
+#include <Windows.h>
+#include <aclapi.h>
+#include <Tchar.h>
+#include <time.h>

 #include "DriverOps.h"

@@ -3,6 +3,8 @@
 --- ntoskrnl.exe / wdigest.dll version compute functions.

 */
+#include <Tchar.h>
+#include <stdio.h>

 #include "FileVersion.h"

@@ -4,6 +4,9 @@
 --- Source and credit: https://github.com/Barakat/CVE-2019-16098/blob/master/CVE-2019-16098.cpp

 */
+#include <Windows.h>
+#include <Tchar.h>
+#include <Psapi.h>

 #include "KernelMemoryPrimitives.h"

@@ -4,8 +4,9 @@
 --- Ultimately not used because too unreliable and too prone to BSoD.

 */
-
-#include "KernelPatternSearch.h"
+#include <Windows.h>
+#include <Tchar.h>
+#include "KernelMemoryPrimitives.h"

 DWORD64 PatternSearchStartingFromAddress(HANDLE Device, DWORD64 startAddress, DWORD bytesToScan, DWORD64 pattern, DWORD64 mask) {
    for (DWORD i = 0; i < bytesToScan; i++) {
@@ -3,7 +3,10 @@
 --- LSASS dump functions.

 */
-
+#include <Windows.h>
+#include <TlHelp32.h>
+#include <minidumpapiset.h>
+#include <tchar.h>
 #include "LSASSDump.h"

 BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
@@ -4,8 +4,11 @@
 --- Hardcoded patterns, with offsets for 350+ ntoskrnl versions provided in the CSV file.

 */
+#include <tchar.h>
+#include <stdio.h>

 #include "NtoskrnlOffsets.h"
+#include "FileVersion.h"

 union NtoskrnlOffsets ntoskrnlOffsets = { 0 };

@@ -6,6 +6,10 @@

 */

+#include <tchar.h>
+#include <stdio.h>
+
+#include "FileVersion.h"
 #include "WdigestOffsets.h"

 union WdigestOffsets wdigestOffsets = { 0 };