Maxime Meignan
794dd9c254
CLI: bugfix: the output path was too small to be overwritten
2023-11-29 17:39:49 +01:00
NK
77953c60bd
fix syscall dump method, enable sedebugprivilege
2023-11-29 14:44:35 +01:00
nikaiw
fa8f55ad83
Fix lsass pid retrieval
...
use MAXIMUM_ALLOWED instead of PROCESS_QUERY_INFORMATION
2023-11-29 14:44:35 +01:00
Maxime Meignan
2cf0c0a54f
Merge pull request #22 from wavestone-cdt/minifilters
...
Finished implementing minifilter handling
2023-11-29 14:37:53 +01:00
Maxime Meignan
6a78be1532
Thanking 0mWindyBug on the README
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-29 14:35:23 +01:00
Maxime Meignan
3ee6780751
add documentation for minifilter-related functions
2023-11-29 14:35:23 +01:00
Maxime Meignan
396e6edbf4
Provide a high-level description of the minifilter bypass in the README
2023-11-29 14:35:23 +01:00
Maxime Meignan
e567c488ff
[new feature] Implements EDR minifilter callbacks detection and removal
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-29 14:32:35 +01:00
Maxime Meignan
1b1919ba8a
Introduced the info about atomic/non-atomic write primitives
2023-11-29 14:30:07 +01:00
Maxime Meignan
eeefd835fe
Refactored the extraction script for easier integration of new images/symbols
2023-11-29 14:28:17 +01:00
Maxime Meignan
4c2449cfd4
Changed the way found callbacks are stored (removed the size limit)
2023-11-29 14:25:39 +01:00
Maxime Meignan
5bfd633022
Various cosmetic changes
2023-11-29 00:03:46 +01:00
Maxime Meignan
5e1d1daf6d
Updating the "thanks" section
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-03 16:32:30 +01:00
Maxime Meignan
eadbeaaad0
Added directions when the vulnerable driver does not unload correctly
2023-11-03 16:23:17 +01:00
Maxime Meignan
3c3cc307ce
Userland hooks: ignore api-ms-* DLLs
2023-11-03 16:17:59 +01:00
Maxime Meignan
bf749f54c7
PE parser: added a feature to parse a PE directly from kernel memory
...
Could be used in the future to resolve export instead of a
suspicious LoadLibrary("ntoskrnl.exe")
2023-11-03 16:13:13 +01:00
Maxime Meignan
b7b17f8b51
visual studio configuration changes
2023-11-03 16:11:39 +01:00
Maxime Meignan
4fde66c86d
cosmetic changes
2023-11-03 16:10:40 +01:00
Maxime Meignan
b1321850c1
ExtractOffsets.py: detect invalid PDB
2023-11-03 15:57:35 +01:00
Maxime Meignan
43b159e2b1
ExtractOffsets.py: handle new offsets & duplicate PEs on MS servers
2023-11-03 15:57:10 +01:00
Maxime Meignan
f15471d12c
DSE bypass: implemented "callback swapping" method
...
The new default method for unsigned driver loading uses a KDP compatible
technique, since it does not overwrite the protected variable g_CiOptions.
Based on the work of: https://github.com/0mWindyBug/KDP-compatible-driver-loader
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-03 15:13:36 +01:00
Maxime Meignan
15c3b706f1
various cosmetic changes to please the code analyzer
2023-10-31 17:07:17 +01:00
Maxime Meignan
09dc67bc65
v1.0 of the pypdb parser: completely removed the radare2 dependency
2023-10-31 17:06:20 +01:00
Maxime Meignan
d38b84d179
started removing the PE parsing in ExtractOffsets.py to get rid of r2
2023-10-27 16:18:42 +02:00
Maxime Meignan
aa408ced60
tweaking configuration files
2023-10-19 11:20:41 +02:00
Maxime Meignan
4d2789b21b
added a PE_find_static_relative_reference function (not used yet)
...
Function that can be used to find cross-references of a global variable
or a function
2023-10-19 11:20:30 +02:00
Maxime Meignan
1e8713cfb5
removed useless macros
2023-10-11 11:16:57 +02:00
Maxime Meignan
f1fc3a8d04
Update README.md (thanking v1k1ngfr)
2023-10-10 17:39:50 +02:00
Maxime Meignan
02490ec4ca
Merge pull request #17 from nuts7/new-edr-drivers
...
New EDR drivers
2023-10-10 16:18:42 +02:00
Maxime Meignan
4d414edb77
Implements a check on PDB files to avoid using an invalid one and crashing the machine
...
When loading a PDB that was already on disk (not downloaded) for a specific PE,
verifies that the PDB file is indeed for the current version of the target PE.
(Did I just start to write a PDB file parser?)
2023-10-10 15:44:20 +02:00
Maxime Meignan
482ab84a11
CLI: adding a small todo regarding DSE bypass
2023-10-10 15:44:20 +02:00
Maxime Meignan
c9ee91eaa8
CLI: added the correct flags for DSE bypass
2023-10-10 15:44:08 +02:00
Maxime Meignan
7590a11389
CiOptions: Simplifies the way CI.dll base address is recovered
...
Instead of using the kernel R/W primitive, uses userland API to enumerate
kernel modules
2023-10-09 16:30:36 +02:00
Maxime Meignan
0a817fea93
g_CiOptions patching: fixed a crash
2023-10-09 14:59:10 +02:00
Maxime Meignan
0b0086ea92
cosmetic changes & compiler warnings fixes
2023-10-09 14:57:49 +02:00
Maxime Meignan
43cea1f08b
small cleanup in header files
2023-10-06 16:12:52 +02:00
v1k1ngfr
7be844b518
Add feature: loading unsigned driver
2023-10-06 12:48:29 +02:00
v1k1ngfr
0bbe76aab1
New BYOVD-driver support: GDRV.sys (GigaByte)
2023-10-06 12:45:28 +02:00
Maxime Meignan
9939301140
ExtractOffsets.py: added safety check in version number recovery
2023-10-06 11:46:25 +02:00
Maxime Meignan
a49f69b122
ExtractOffsets.py: adds an optional control on number of threads
2023-10-06 11:46:25 +02:00
Maxime Meignan
e479bef8f5
Merge pull request #14 from v1k1ngfr/g_CiOptionExtract
...
Add g_CiOptions offset extract "feature"
2023-10-06 10:33:17 +02:00
Maxime Meignan
5f82ba2efe
ExtractOffsets.py: minor syntactic, cosmetic and safety changes
2023-10-06 10:31:26 +02:00
Maxime Meignan
75b0168045
Merge branch 'master' into g_CiOptionExtract
2023-10-06 10:24:05 +02:00
laxa
a561976b5d
Fix version parsing issue in offsets extractor
...
Now finding version information in the nested json file to prevent some
crashes and potentially retrieving more ntoskrnl.exe files
2023-10-05 15:11:16 +02:00
laxa
45d3ff5486
Fix concurrency issues in offsets extractor
...
Fixes the following:
* The progress not showing correctly when downloading and processing files.
I had to remove some verbose information to avoid the progress being rewritten
* Introducing locks when downloading files to prevent any race when printing
2023-10-05 14:34:58 +02:00
nuts7
3ed5638366
New EDR drivers
...
This commit adds some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys, mfprom.sys, hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys, dsfa.sys, cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys, cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
2023-09-22 16:14:11 +02:00
Maxime Meignan
bafddfbced
Fixed a radare2 version parsing error in extractoffsets.py
2023-04-17 16:07:09 +02:00
Maxime Meignan
7572f09ae3
[Bugfix] _fputts did not add a LF
2023-03-16 16:41:29 +01:00
Viking
a3966d34b3
Update CiOffsets.csv
2022-12-28 17:08:06 +01:00
Viking
919ec7dea1
Add CiOffsets.csv
...
It contains the g_CiOptions offset for several ci.dll versions
2022-12-11 11:02:21 +01:00