77953c60bd
fix syscall dump method, enable sedebugprivilege
2023-11-29 14:44:35 +01:00
fa8f55ad83
Fix lsass pid retrieval
...
use MAXIMUM_ALLOWED instead of PROCESS_QUERY_INFORMATION
2023-11-29 14:44:35 +01:00
2cf0c0a54f
Merge pull request #22 from wavestone-cdt/minifilters
...
Finished implementing minifilter handling
2023-11-29 14:37:53 +01:00
6a78be1532
Thanking 0mWindyBug on the README
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com >
2023-11-29 14:35:23 +01:00
3ee6780751
add documentation for minifilter-related functions
2023-11-29 14:35:23 +01:00
396e6edbf4
Provide a high-level description of the minifilter bypass in the README
2023-11-29 14:35:23 +01:00
e567c488ff
[new feature] Implements EDR minifilter callbacks detection and removal
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com >
2023-11-29 14:32:35 +01:00
1b1919ba8a
Introduced the info about atomic/non-atomic write primitives
2023-11-29 14:30:07 +01:00
eeefd835fe
Refactored the extraction script for easier integration of new images/symbols
2023-11-29 14:28:17 +01:00
4c2449cfd4
Changed the way found callbacks are stored (removed the size limit)
2023-11-29 14:25:39 +01:00
5bfd633022
Various cosmetic changes
2023-11-29 00:03:46 +01:00
5e1d1daf6d
Updating the "thanks" section
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com >
2023-11-03 16:32:30 +01:00
eadbeaaad0
Added directions when the vulnerable driver does not unload correctly
2023-11-03 16:23:17 +01:00
3c3cc307ce
Userland hooks: ignore api-ms-* DLLs
2023-11-03 16:17:59 +01:00
bf749f54c7
PE parser: added a feature to parse a PE directly from kernel memory
...
Could be used in the future to resolve export instead of a
suspicious LoadLibrary("ntoskrnl.exe")
2023-11-03 16:13:13 +01:00
b7b17f8b51
visual studio configuration changes
2023-11-03 16:11:39 +01:00
4fde66c86d
cosmetic changes
2023-11-03 16:10:40 +01:00
b1321850c1
ExtractOffsets.py: detect invalid PDB
2023-11-03 15:57:35 +01:00
43b159e2b1
ExtractOffsets.py: handle new offsets & duplicate PEs on MS servers
2023-11-03 15:57:10 +01:00
f15471d12c
DSE bypass : implemented "callback swapping" method
...
The new default method for unsigned driver loading uses a KDP compatible
technique, since it does not overwrite the protected variable g_CiOptions.
Based on the work of: https://github.com/0mWindyBug/KDP-compatible-driver-loader
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com >
2023-11-03 15:13:36 +01:00
15c3b706f1
various cosmetic changes to please the code analyzer
2023-10-31 17:07:17 +01:00
09dc67bc65
v1.0 of the pypdb parser: completely removed the radare2 dependency
2023-10-31 17:06:20 +01:00
d38b84d179
starting removing the PE parsing in ExtractOffsets.py to get rid of r2
2023-10-27 16:18:42 +02:00
aa408ced60
tweaking configuration files
2023-10-19 11:20:41 +02:00
4d2789b21b
added a PE_find_static_relative_reference function (not used yet)
...
Function that can be used to find cross-references of a global variable
or a function
2023-10-19 11:20:30 +02:00
1e8713cfb5
removed useless macros
2023-10-11 11:16:57 +02:00
f1fc3a8d04
Update README.md (thanking v1k1ngfr)
2023-10-10 17:39:50 +02:00
02490ec4ca
Merge pull request #17 from nuts7/new-edr-drivers
...
New EDR drivers
2023-10-10 16:18:42 +02:00
4d414edb77
Implements a check on PDB files to avoid using an invalid one and crash the machine
...
When loading a PDB that was already on disk (not downloaded) for a specific PE,
verifies that the PDB file is indeed for the current version of the target PE.
(Did I just started to write a PDB file parser ?)
2023-10-10 15:44:20 +02:00
482ab84a11
CLI: adding a small todo regarding DSE bypass
2023-10-10 15:44:20 +02:00
c9ee91eaa8
CLI: added the correct flags for DSE bypass
2023-10-10 15:44:08 +02:00
7590a11389
CiOptions: Simplifies the way CI.dll base address is recovered
...
Instead of using the kernel R/W primitive, uses userland API to enumerate
kernel modules
2023-10-09 16:30:36 +02:00
0a817fea93
g_CiOptions patching: fixed a crash
2023-10-09 14:59:10 +02:00
0b0086ea92
cosmetic changes & compiler warnings fixes
2023-10-09 14:57:49 +02:00
43cea1f08b
small cleanup in header files
2023-10-06 16:12:52 +02:00
7be844b518
Add feature : loading unsigned driver
2023-10-06 12:48:29 +02:00
0bbe76aab1
New BYOVD-driver support: GDRV.sys (GigaByte)
2023-10-06 12:45:28 +02:00
9939301140
ExtractOffsets.py: added safety check in version number recovery
2023-10-06 11:46:25 +02:00
a49f69b122
ExtractOffsets.py: adds an optionnal control on number of threads
2023-10-06 11:46:25 +02:00
e479bef8f5
Merge pull request #14 from v1k1ngfr/g_CiOptionExtract
...
Add g_CiOptions offset extract "feature"
2023-10-06 10:33:17 +02:00
5f82ba2efe
ExtractOffsets.py: minor syntactic, cosmetic and safety changes
2023-10-06 10:31:26 +02:00
75b0168045
Merge branch 'master' into g_CiOptionExtract
2023-10-06 10:24:05 +02:00
a561976b5d
Fix version parsing issue in offsets extractor
...
Now finding version information in the nested json file to prevent some
crashes and potentially retrieving more ntoskrnl.exe files
2023-10-05 15:11:16 +02:00
45d3ff5486
Fix concurrency issues in offsets extractor
...
Fixes the following:
* The progress not showing correctly when downloading and processing files.
I had to remove some verbose information to avoid the progress being rewritten
* Introducing locks when downloading files to prevent any race when printing
2023-10-05 14:34:58 +02:00
3ed5638366
New EDR drivers
...
This commit add some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys mfprom.sys hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys dsfa.sys cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
2023-09-22 16:14:11 +02:00
bafddfbced
Fixed a radare2 version parsing error in extractoffsets.py
2023-04-17 16:07:09 +02:00
7572f09ae3
[Bugfix] _fputts did not add a LF
2023-03-16 16:41:29 +01:00
a3966d34b3
Update CiOffsets.csv
2022-12-28 17:08:06 +01:00
919ec7dea1
Add CiOffsets.csv
...
It contains g_CiOptions offset for several ci.dll version
2022-12-11 11:02:21 +01:00
5f2734a888
Add g_CiOptions offset extract "feature"
...
Here is an example :
ExtractOffsets.py ci -i C:\Windows\System32\ci.dll
2022-12-06 18:13:53 +01:00
NK