5bfd633022
Various cosmetic changes
2023-11-29 00:03:46 +01:00
5e1d1daf6d
Updating the "thanks" section
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com >
2023-11-03 16:32:30 +01:00
eadbeaaad0
Added directions when the vulnerable driver does not unload correctly
2023-11-03 16:23:17 +01:00
3c3cc307ce
Userland hooks: ignore api-ms-* DLLs
2023-11-03 16:17:59 +01:00
bf749f54c7
PE parser: added a feature to parse a PE directly from kernel memory
...
Could be used in the future to resolve export instead of a
suspicious LoadLibrary("ntoskrnl.exe")
2023-11-03 16:13:13 +01:00
b7b17f8b51
visual studio configuration changes
2023-11-03 16:11:39 +01:00
4fde66c86d
cosmetic changes
2023-11-03 16:10:40 +01:00
b1321850c1
ExtractOffsets.py: detect invalid PDB
2023-11-03 15:57:35 +01:00
43b159e2b1
ExtractOffsets.py: handle new offsets & duplicate PEs on MS servers
2023-11-03 15:57:10 +01:00
f15471d12c
DSE bypass : implemented "callback swapping" method
...
The new default method for unsigned driver loading uses a KDP compatible
technique, since it does not overwrite the protected variable g_CiOptions.
Based on the work of: https://github.com/0mWindyBug/KDP-compatible-driver-loader
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com >
2023-11-03 15:13:36 +01:00
15c3b706f1
various cosmetic changes to please the code analyzer
2023-10-31 17:07:17 +01:00
09dc67bc65
v1.0 of the pypdb parser: completely removed the radare2 dependency
2023-10-31 17:06:20 +01:00
d38b84d179
starting removing the PE parsing in ExtractOffsets.py to get rid of r2
2023-10-27 16:18:42 +02:00
aa408ced60
tweaking configuration files
2023-10-19 11:20:41 +02:00
4d2789b21b
added a PE_find_static_relative_reference function (not used yet)
...
Function that can be used to find cross-references of a global variable
or a function
2023-10-19 11:20:30 +02:00
1e8713cfb5
removed useless macros
2023-10-11 11:16:57 +02:00
f1fc3a8d04
Update README.md (thanking v1k1ngfr)
2023-10-10 17:39:50 +02:00
02490ec4ca
Merge pull request #17 from nuts7/new-edr-drivers
...
New EDR drivers
2023-10-10 16:18:42 +02:00
4d414edb77
Implements a check on PDB files to avoid using an invalid one and crash the machine
...
When loading a PDB that was already on disk (not downloaded) for a specific PE,
verifies that the PDB file is indeed for the current version of the target PE.
(Did I just started to write a PDB file parser ?)
2023-10-10 15:44:20 +02:00
482ab84a11
CLI: adding a small todo regarding DSE bypass
2023-10-10 15:44:20 +02:00
c9ee91eaa8
CLI: added the correct flags for DSE bypass
2023-10-10 15:44:08 +02:00
7590a11389
CiOptions: Simplifies the way CI.dll base address is recovered
...
Instead of using the kernel R/W primitive, uses userland API to enumerate
kernel modules
2023-10-09 16:30:36 +02:00
0a817fea93
g_CiOptions patching: fixed a crash
2023-10-09 14:59:10 +02:00
0b0086ea92
cosmetic changes & compiler warnings fixes
2023-10-09 14:57:49 +02:00
43cea1f08b
small cleanup in header files
2023-10-06 16:12:52 +02:00
7be844b518
Add feature : loading unsigned driver
2023-10-06 12:48:29 +02:00
0bbe76aab1
New BYOVD-driver support: GDRV.sys (GigaByte)
2023-10-06 12:45:28 +02:00
9939301140
ExtractOffsets.py: added safety check in version number recovery
2023-10-06 11:46:25 +02:00
a49f69b122
ExtractOffsets.py: adds an optionnal control on number of threads
2023-10-06 11:46:25 +02:00
e479bef8f5
Merge pull request #14 from v1k1ngfr/g_CiOptionExtract
...
Add g_CiOptions offset extract "feature"
2023-10-06 10:33:17 +02:00
5f82ba2efe
ExtractOffsets.py: minor syntactic, cosmetic and safety changes
2023-10-06 10:31:26 +02:00
75b0168045
Merge branch 'master' into g_CiOptionExtract
2023-10-06 10:24:05 +02:00
a561976b5d
Fix version parsing issue in offsets extractor
...
Now finding version information in the nested json file to prevent some
crashes and potentially retrieving more ntoskrnl.exe files
2023-10-05 15:11:16 +02:00
45d3ff5486
Fix concurrency issues in offsets extractor
...
Fixes the following:
* The progress not showing correctly when downloading and processing files.
I had to remove some verbose information to avoid the progress being rewritten
* Introducing locks when downloading files to prevent any race when printing
2023-10-05 14:34:58 +02:00
3ed5638366
New EDR drivers
...
This commit add some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys mfprom.sys hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys dsfa.sys cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
2023-09-22 16:14:11 +02:00
bafddfbced
Fixed a radare2 version parsing error in extractoffsets.py
2023-04-17 16:07:09 +02:00
7572f09ae3
[Bugfix] _fputts did not add a LF
2023-03-16 16:41:29 +01:00
a3966d34b3
Update CiOffsets.csv
2022-12-28 17:08:06 +01:00
919ec7dea1
Add CiOffsets.csv
...
It contains g_CiOptions offset for several ci.dll version
2022-12-11 11:02:21 +01:00
5f2734a888
Add g_CiOptions offset extract "feature"
...
Here is an example :
ExtractOffsets.py ci -i C:\Windows\System32\ci.dll
2022-12-06 18:13:53 +01:00
f760cd20bf
Remove possibility of crash when giving a malformed CSV
2022-11-15 16:38:40 +01:00
fe4ab633da
Ensure retrocompatibility with Windows XP->Windows 7
...
Replaced PathCch* function with Path* functions
2022-11-15 16:05:05 +01:00
5ac077e81f
Change compilation options to fix Debug build profile
2022-11-15 16:03:46 +01:00
f1a4d1c38c
Fixes a relative/absolute driver path problem with service registering
2022-11-07 16:29:38 +01:00
1dab1efdd6
Changed enum names in API
2022-08-22 10:45:23 +02:00
49fbc5d924
Updated README with ObRegisterCallbacks and offsets retrieval info
2022-08-19 22:20:46 +02:00
48a75a7029
D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more
...
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com >
2022-08-13 09:23:48 -07:00
2e037a379b
Merge pull request #8 from xalicex/master
...
Add new Tehtris driver name
2022-06-17 18:26:24 +02:00
0109de4937
add new Tehtris driver
...
new name for the Tehtris driver
2022-06-15 11:36:31 +02:00
487047f9db
clarifies some parts of the README
2022-01-27 14:20:06 +01:00
Maxime Meignan