Maxime Meignan
0e2b725590
Various fixes (TCHAR/WCHAR confusions & handle leaks)
2023-11-29 17:41:10 +01:00
NK
77953c60bd
fix syscall dump method, enable sedebugprivilege
2023-11-29 14:44:35 +01:00
Maxime Meignan
e567c488ff
[new feature] Implements EDR minifilter callbacks detection and removal
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-29 14:32:35 +01:00
Maxime Meignan
1b1919ba8a
Introduced the info about atomic/non-atomic write primitives
2023-11-29 14:30:07 +01:00
Maxime Meignan
4c2449cfd4
Changed the way found callbacks are stored (removed the size limit)
2023-11-29 14:25:39 +01:00
Maxime Meignan
5bfd633022
Various cosmetic changes
2023-11-29 00:03:46 +01:00
Maxime Meignan
bf749f54c7
PE parser: added a feature to parse a PE directly from kernel memory
Could be used in the future to resolve exports instead of a
suspicious LoadLibrary("ntoskrnl.exe")
2023-11-03 16:13:13 +01:00
Maxime Meignan
f15471d12c
DSE bypass: implemented "callback swapping" method
The new default method for unsigned driver loading uses a KDP-compatible
technique, since it does not overwrite the protected variable g_CiOptions.
Based on the work of: https://github.com/0mWindyBug/KDP-compatible-driver-loader
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-03 15:13:36 +01:00
Maxime Meignan
15c3b706f1
various cosmetic changes to please the code analyzer
2023-10-31 17:07:17 +01:00
Maxime Meignan
4d2789b21b
added a PE_find_static_relative_reference function (not used yet)
Function that can be used to find cross-references of a global variable
or a function
2023-10-19 11:20:30 +02:00
Maxime Meignan
4d414edb77
Implements a check on PDB files to avoid using an invalid one and crashing the machine
When loading a PDB that was already on disk (not downloaded) for a specific PE,
verifies that the PDB file is indeed for the current version of the target PE.
(Did I just start to write a PDB file parser?)
2023-10-10 15:44:20 +02:00
Maxime Meignan
7590a11389
CiOptions: Simplifies the way CI.dll base address is recovered
Instead of using the kernel R/W primitive, uses userland API to enumerate
kernel modules
2023-10-09 16:30:36 +02:00
Maxime Meignan
0b0086ea92
cosmetic changes & compiler warnings fixes
2023-10-09 14:57:49 +02:00
Maxime Meignan
43cea1f08b
small cleanup in header files
2023-10-06 16:12:52 +02:00
v1k1ngfr
7be844b518
Add feature: loading unsigned driver
2023-10-06 12:48:29 +02:00
v1k1ngfr
0bbe76aab1
New BYOVD-driver support: GDRV.sys (GigaByte)
2023-10-06 12:45:28 +02:00
Maxime Meignan
49fbc5d924
Updated README with ObRegisterCallbacks and offsets retrieval info
2022-08-19 22:20:46 +02:00
Qazeer
48a75a7029
D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
2022-08-13 09:23:48 -07:00
Maxime Meignan
fa75dd9ec1
Header inclusion feng-shui (each file only includes what it needs)
2021-12-31 17:29:14 +01:00
Maxime Meignan
907d6b0a87
Cleaning up some code
2021-11-10 16:19:41 +01:00
Qazeer
9957b7a38e
Adds randomization of service name
2021-11-10 01:12:48 +01:00
Maxime Meignan
4bff81986b
Initial commit for public version
Co-authored-by: Thomas Diot <thomas.diot@wavestone.com>
2021-11-08 09:54:05 +01:00