Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-08 16:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
35 Commits 2 Branches 0 Tags
3ed563836615b557cfc34e29c9146c9e8346a4ed
Commit Graph

35 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
nuts7 3ed5638366 New EDR drivers 
This commit add some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys mfprom.sys hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys dsfa.sys cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
 2023-09-22 16:14:11 +02:00
Maxime Meignan bafddfbced Fixed a radare2 version parsing error in extractoffsets.py 2023-04-17 16:07:09 +02:00
Maxime Meignan 7572f09ae3 [Bugfix] _fputts did not add a LF 2023-03-16 16:41:29 +01:00
Maxime Meignan f760cd20bf Remove possibility of crash when giving a malformed CSV 2022-11-15 16:38:40 +01:00
Maxime Meignan fe4ab633da Ensure retrocompatibility with Windows XP->Windows 7 
Replaced PathCch* function with Path* functions
 2022-11-15 16:05:05 +01:00
Maxime Meignan 5ac077e81f Change compilation options to fix Debug build profile 2022-11-15 16:03:46 +01:00
Maxime Meignan f1a4d1c38c Fixes a relative/absolute driver path problem with service registering 2022-11-07 16:29:38 +01:00
Maxime Meignan 1dab1efdd6 Changed enum names in API 2022-08-22 10:45:23 +02:00
Maxime Meignan 49fbc5d924 Updated README with ObRegisterCallbacks and offsets retrieval info 2022-08-19 22:20:46 +02:00
Qazeer 48a75a7029 D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more 
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
 2022-08-13 09:23:48 -07:00
Maxime Meignan 2e037a379b Merge pull request #8 from xalicex/master 
Add new Tehtris driver name
 2022-06-17 18:26:24 +02:00
Alice 0109de4937 add new Tehtris driver 
new name for the Tehtris driver
 2022-06-15 11:36:31 +02:00
Maxime Meignan 487047f9db clarifies some parts of the README 2022-01-27 14:20:06 +01:00
Maxime Meignan e8671c36b7 Fixes a few typos in README & "usage" message 2022-01-27 11:37:20 +01:00
Maxime Meignan 31df6f1db8 Fixes an error in CLI handling 2022-01-27 11:03:37 +01:00
Qazeer 744754ae04 Fixes typos in ExtractOffsets script 2022-01-17 23:51:05 +01:00
Maxime Meignan d29986ab80 Improved error verbosity 2022-01-17 17:19:21 +01:00
Qazeer c058ff312a [Offsets] adds new ntoskrnl offsets 2022-01-07 12:29:08 +01:00
Maxime Meignan cd0d983525 Update README.md 2022-01-07 10:02:29 +01:00
Maxime Meignan fa75dd9ec1 Header inclusion feng-shui (each file only includes what it needs) 2021-12-31 17:29:14 +01:00
Maxime Meignan 4ae1872ae9 userland hooking audit: add an option to load arbitrary DLL before auditing 2021-12-31 16:02:50 +01:00
Maxime Meignan 3c81bd4f26 execute userland hook removal before kerneland tampering activity 2021-12-31 15:52:28 +01:00
Maxime Meignan d676ff82f5 Added some safety check in hook resolving code 2021-12-08 18:24:27 +01:00
Maxime Meignan 7587511330 Merge pull request #2 from JohnLaTwC/patch-1 
Fix potential buffer overrun in credguard disable
 2021-12-08 18:18:19 +01:00
John Lambert 7c6eb8173d Update CredGuard.c 2021-12-08 08:26:18 -08:00
John Lambert 2072b71d05 Fix potential buffer overrun in credguard disable 
The call to `GetModuleFileNameEx` passes in `sizeof(szModulename)` for the size parameter. The documentation for that API says the size parameter is a character count, not a byte count ("The size of the lpFilename buffer, in characters.").  Since the code currently passes in a byte count, this opens up the possibility for a stack buffer overrun on UNICODE compilations of this tool where the byte count will be `2*MAX_PATH` which `GetModuleFileNameEx` will interpret as a character count and potentially write up to `2*2*MAX_PATH' bytes into the buffer.  Fix by passing in a character count.  You could also use a macro like `ARRAYSIZE(szModulename)`.


```diff
    TCHAR szModulename[MAX_PATH];
    for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) {
        if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, sizeof(szModulename))) {
...        }
```

[1] Docs for GetModuleFileNameEx are here (https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulefilenameexa)
 2021-12-08 07:15:06 -08:00
Qazeer f3147ecb8a Merge pull request #1 from zeronounours/master 
Make extraction of offsets compatible with Linux
 2021-12-08 14:52:44 +01:00
zeroNounours 10c04a9174 Rather use r2 to get file version than pefile 2021-12-08 13:55:16 +01:00
zeroNounours 82704114b3 Make ExtractOffsets.py compatible with Linux 2021-12-08 13:43:29 +01:00
Maxime Meignan ab6188aece Removed a typo in README.md 2021-12-08 10:54:51 +01:00
Qazeer 894f58377b [Offsets] adds new ntoskrnl & wdigest offsets 2021-12-07 15:49:28 +01:00
Maxime Meignan 3c17e09d50 Update README.md with detections insights 2021-12-02 13:47:05 +01:00
Maxime Meignan 907d6b0a87 Cleaning up some code 2021-11-10 16:19:41 +01:00
Qazeer 9957b7a38e Adds randomization of service name 2021-11-10 01:12:48 +01:00
Maxime Meignan 4bff81986b Initial commit for public version 
Co-authored-by: Thomas Diot <thomas.diot@wavestone.com>
 2021-11-08 09:54:05 +01:00