v1k1ngfr
7be844b518
Add feature : loading unsigned driver
2023-10-06 12:48:29 +02:00
v1k1ngfr
0bbe76aab1
New BYOVD-driver support: GDRV.sys (GigaByte)
2023-10-06 12:45:28 +02:00
Maxime Meignan
9939301140
ExtractOffsets.py: added safety check in version number recovery
2023-10-06 11:46:25 +02:00
Maxime Meignan
a49f69b122
ExtractOffsets.py: adds an optional control on number of threads
2023-10-06 11:46:25 +02:00
Maxime Meignan
e479bef8f5
Merge pull request #14 from v1k1ngfr/g_CiOptionExtract
Add g_CiOptions offset extract "feature"
2023-10-06 10:33:17 +02:00
Maxime Meignan
5f82ba2efe
ExtractOffsets.py: minor syntactic, cosmetic and safety changes
2023-10-06 10:31:26 +02:00
Maxime Meignan
75b0168045
Merge branch 'master' into g_CiOptionExtract
2023-10-06 10:24:05 +02:00
laxa
a561976b5d
Fix version parsing issue in offsets extractor
Now finding version information in the nested json file to prevent some
crashes and potentially retrieving more ntoskrnl.exe files
2023-10-05 15:11:16 +02:00
laxa
45d3ff5486
Fix concurrency issues in offsets extractor
Fixes the following:
* The progress not showing correctly when downloading and processing files.
I had to remove some verbose information to avoid the progress being rewritten
* Introducing locks when downloading files to prevent any race when printing
2023-10-05 14:34:58 +02:00
Maxime Meignan
bafddfbced
Fixed a radare2 version parsing error in extractoffsets.py
2023-04-17 16:07:09 +02:00
Maxime Meignan
7572f09ae3
[Bugfix] _fputts did not add a LF
2023-03-16 16:41:29 +01:00
Viking
a3966d34b3
Update CiOffsets.csv
2022-12-28 17:08:06 +01:00
Viking
919ec7dea1
Add CiOffsets.csv
It contains g_CiOptions offset for several ci.dll version
2022-12-11 11:02:21 +01:00
Viking
5f2734a888
Add g_CiOptions offset extract "feature"
Here is an example :
ExtractOffsets.py ci -i C:\Windows\System32\ci.dll
2022-12-06 18:13:53 +01:00
Maxime Meignan
f760cd20bf
Remove possibility of crash when giving a malformed CSV
2022-11-15 16:38:40 +01:00
Maxime Meignan
fe4ab633da
Ensure retrocompatibility with Windows XP->Windows 7
Replaced PathCch* function with Path* functions
2022-11-15 16:05:05 +01:00
Maxime Meignan
5ac077e81f
Change compilation options to fix Debug build profile
2022-11-15 16:03:46 +01:00
Maxime Meignan
f1a4d1c38c
Fixes a relative/absolute driver path problem with service registering
2022-11-07 16:29:38 +01:00
Maxime Meignan
1dab1efdd6
Changed enum names in API
2022-08-22 10:45:23 +02:00
Maxime Meignan
49fbc5d924
Updated README with ObRegisterCallbacks and offsets retrieval info
2022-08-19 22:20:46 +02:00
Qazeer
48a75a7029
D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
2022-08-13 09:23:48 -07:00
Maxime Meignan
2e037a379b
Merge pull request #8 from xalicex/master
Add new Tehtris driver name
2022-06-17 18:26:24 +02:00
Alice
0109de4937
add new Tehtris driver
new name for the Tehtris driver
2022-06-15 11:36:31 +02:00
Maxime Meignan
487047f9db
clarifies some parts of the README
2022-01-27 14:20:06 +01:00
Maxime Meignan
e8671c36b7
Fixes a few typos in README & "usage" message
2022-01-27 11:37:20 +01:00
Maxime Meignan
31df6f1db8
Fixes an error in CLI handling
2022-01-27 11:03:37 +01:00
Qazeer
744754ae04
Fixes typos in ExtractOffsets script
2022-01-17 23:51:05 +01:00
Maxime Meignan
d29986ab80
Improved error verbosity
2022-01-17 17:19:21 +01:00
Qazeer
c058ff312a
[Offsets] adds new ntoskrnl offsets
2022-01-07 12:29:08 +01:00
Maxime Meignan
cd0d983525
Update README.md
2022-01-07 10:02:29 +01:00
Maxime Meignan
fa75dd9ec1
Header inclusion feng-shui (each file only includes what it needs)
2021-12-31 17:29:14 +01:00
Maxime Meignan
4ae1872ae9
userland hooking audit: add an option to load arbitrary DLL before auditing
2021-12-31 16:02:50 +01:00
Maxime Meignan
3c81bd4f26
execute userland hook removal before kernel-land tampering activity
2021-12-31 15:52:28 +01:00
Maxime Meignan
d676ff82f5
Added some safety check in hook resolving code
2021-12-08 18:24:27 +01:00
Maxime Meignan
7587511330
Merge pull request #2 from JohnLaTwC/patch-1
Fix potential buffer overrun in credguard disable
2021-12-08 18:18:19 +01:00
John Lambert
7c6eb8173d
Update CredGuard.c
2021-12-08 08:26:18 -08:00
John Lambert
2072b71d05
Fix potential buffer overrun in credguard disable
The call to `GetModuleFileNameEx` passes in `sizeof(szModulename)` for the size parameter. The documentation for that API says the size parameter is a character count, not a byte count ("The size of the lpFilename buffer, in characters."). Since the code currently passes in a byte count, this opens up the possibility for a stack buffer overrun on UNICODE compilations of this tool where the byte count will be `2*MAX_PATH`, which `GetModuleFileNameEx` will interpret as a character count and potentially write up to `2*2*MAX_PATH` bytes into the buffer. Fix by passing in a character count. You could also use a macro like `ARRAYSIZE(szModulename)`.
```c
TCHAR szModulename[MAX_PATH];
for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) {
    if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, sizeof(szModulename))) {
        ...
    }
}
```
[1] Docs for GetModuleFileNameEx are here (https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulefilenameexa)
2021-12-08 07:15:06 -08:00
Qazeer
f3147ecb8a
Merge pull request #1 from zeronounours/master
Make extraction of offsets compatible with Linux
2021-12-08 14:52:44 +01:00
zeroNounours
10c04a9174
Rather use r2 to get file version than pefile
2021-12-08 13:55:16 +01:00
zeroNounours
82704114b3
Make ExtractOffsets.py compatible with Linux
2021-12-08 13:43:29 +01:00
Maxime Meignan
ab6188aece
Removed a typo in README.md
2021-12-08 10:54:51 +01:00
Qazeer
894f58377b
[Offsets] adds new ntoskrnl & wdigest offsets
2021-12-07 15:49:28 +01:00
Maxime Meignan
3c17e09d50
Update README.md with detections insights
2021-12-02 13:47:05 +01:00
Maxime Meignan
907d6b0a87
Cleaning up some code
2021-11-10 16:19:41 +01:00
Qazeer
9957b7a38e
Adds randomization of service name
2021-11-10 01:12:48 +01:00
Maxime Meignan
4bff81986b
Initial commit for public version
Co-authored-by: Thomas Diot <thomas.diot@wavestone.com>
2021-11-08 09:54:05 +01:00