laxa
45d3ff5486
Fix concurrency issues in offsets extractor
...
Fixes the following:
* The progress not showing correctly when downloading and processing files.
I had to remove some verbose information to avoid the progress being rewritten
* Introducing locks when downloading files to prevent any race when printing
2023-10-05 14:34:58 +02:00
nuts7
3ed5638366
New EDR drivers
...
This commit adds some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys mfprom.sys hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys dsfa.sys cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
2023-09-22 16:14:11 +02:00
Maxime Meignan
bafddfbced
Fixed a radare2 version parsing error in extractoffsets.py
2023-04-17 16:07:09 +02:00
Maxime Meignan
7572f09ae3
[Bugfix] _fputts did not add a LF
2023-03-16 16:41:29 +01:00
Viking
a3966d34b3
Update CiOffsets.csv
2022-12-28 17:08:06 +01:00
Viking
919ec7dea1
Add CiOffsets.csv
...
It contains the g_CiOptions offset for several ci.dll versions
2022-12-11 11:02:21 +01:00
Viking
5f2734a888
Add g_CiOptions offset extract "feature"
...
Here is an example:
ExtractOffsets.py ci -i C:\Windows\System32\ci.dll
2022-12-06 18:13:53 +01:00
Maxime Meignan
f760cd20bf
Remove possibility of crash when giving a malformed CSV
2022-11-15 16:38:40 +01:00
Maxime Meignan
fe4ab633da
Ensure retrocompatibility with Windows XP->Windows 7
...
Replaced PathCch* function with Path* functions
2022-11-15 16:05:05 +01:00
Maxime Meignan
5ac077e81f
Change compilation options to fix Debug build profile
2022-11-15 16:03:46 +01:00
Maxime Meignan
f1a4d1c38c
Fixes a relative/absolute driver path problem with service registering
2022-11-07 16:29:38 +01:00
Maxime Meignan
1dab1efdd6
Changed enum names in API
2022-08-22 10:45:23 +02:00
Maxime Meignan
49fbc5d924
Updated README with ObRegisterCallbacks and offsets retrieval info
2022-08-19 22:20:46 +02:00
Qazeer
48a75a7029
D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more
...
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
2022-08-13 09:23:48 -07:00
Maxime Meignan
2e037a379b
Merge pull request #8 from xalicex/master
...
Add new Tehtris driver name
2022-06-17 18:26:24 +02:00
Alice
0109de4937
add new Tehtris driver
...
new name for the Tehtris driver
2022-06-15 11:36:31 +02:00
Maxime Meignan
487047f9db
clarifies some parts of the README
2022-01-27 14:20:06 +01:00
Maxime Meignan
e8671c36b7
Fixes a few typos in README & "usage" message
2022-01-27 11:37:20 +01:00
Maxime Meignan
31df6f1db8
Fixes an error in CLI handling
2022-01-27 11:03:37 +01:00
Qazeer
744754ae04
Fixes typos in ExtractOffsets script
2022-01-17 23:51:05 +01:00
Maxime Meignan
d29986ab80
Improved error verbosity
2022-01-17 17:19:21 +01:00
Qazeer
c058ff312a
[Offsets] adds new ntoskrnl offsets
2022-01-07 12:29:08 +01:00
Maxime Meignan
cd0d983525
Update README.md
2022-01-07 10:02:29 +01:00
Maxime Meignan
fa75dd9ec1
Header inclusion feng-shui (each file only includes what it needs)
2021-12-31 17:29:14 +01:00
Maxime Meignan
4ae1872ae9
userland hooking audit: add an option to load arbitrary DLL before auditing
2021-12-31 16:02:50 +01:00
Maxime Meignan
3c81bd4f26
execute userland hook removal before kerneland tampering activity
2021-12-31 15:52:28 +01:00
Maxime Meignan
d676ff82f5
Added some safety check in hook resolving code
2021-12-08 18:24:27 +01:00
Maxime Meignan
7587511330
Merge pull request #2 from JohnLaTwC/patch-1
...
Fix potential buffer overrun in credguard disable
2021-12-08 18:18:19 +01:00
John Lambert
7c6eb8173d
Update CredGuard.c
2021-12-08 08:26:18 -08:00
John Lambert
2072b71d05
Fix potential buffer overrun in credguard disable
...
The call to `GetModuleFileNameEx` passes in `sizeof(szModulename)` for the size parameter. The documentation for that API says the size parameter is a character count, not a byte count ("The size of the lpFilename buffer, in characters."). Since the code currently passes in a byte count, this opens up the possibility for a stack buffer overrun on UNICODE compilations of this tool where the byte count will be `2*MAX_PATH` which `GetModuleFileNameEx` will interpret as a character count and potentially write up to `2*2*MAX_PATH` bytes into the buffer. Fix by passing in a character count. You could also use a macro like `ARRAYSIZE(szModulename)`.
```diff
TCHAR szModulename[MAX_PATH];
for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) {
if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, sizeof(szModulename))) {
... }
```
[1] Docs for GetModuleFileNameEx are here (https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulefilenameexa)
2021-12-08 07:15:06 -08:00
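The byte-count versus character-count confusion described in the commit above, as an added example that is not EDRSandblast's own code: a stand-in for GetModuleFileNameExW (a local model that follows the documented contract, not the real Windows API) is called once with `sizeof(buffer)` and once with `ARRAYSIZE(buffer)`, and the memory after the buffer is checked for overwrites. `MAX_PATH`, `ARRAYSIZE`, the 600-character module path, the canary value and the flat "frame" array standing in for adjacent stack memory are all constructed for this demonstration.

```c
#include <stddef.h>
#include <wchar.h>

/* Added example, not EDRSandblast code. MAX_PATH and ARRAYSIZE are defined
   locally so this compiles outside the Windows SDK; the values match the
   ones in <windows.h>. wchar_t is 2 bytes on Windows and 4 on most Unix
   targets, so sizeof(buf) is 2*MAX_PATH or 4*MAX_PATH: in both cases larger
   than the element count, which is the whole bug. */
#define MAX_PATH 260
#define ARRAYSIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Stand-in for GetModuleFileNameExW (assumption: a model, not the real API).
   It honours the documented contract: nSize is a count of characters, the
   string is truncated and NUL-terminated when it does not fit, and the
   number of characters copied is returned. */
size_t mock_GetModuleFileNameExW(const wchar_t *module_path,
                                 wchar_t *lpFilename, size_t nSize)
{
    size_t len = wcslen(module_path);
    if (nSize == 0)
        return 0;
    if (len >= nSize) {                   /* does not fit: truncate */
        wmemcpy(lpFilename, module_path, nSize - 1);
        lpFilename[nSize - 1] = L'\0';
        return nSize - 1;
    }
    wmemcpy(lpFilename, module_path, len + 1);
    return len;
}

/* The caller's view of the stack: a MAX_PATH-element buffer followed by
   whatever lives after it. Modelled as one flat array so a write past the
   buffer stays inside an object we own and can inspect afterwards. */
#define FRAME_ELEMS (MAX_PATH * 4)
#define CANARY ((wchar_t)0x7A5A)

/* Simulates the call with a given nSize and returns how many elements past
   the MAX_PATH buffer were overwritten (0 means no overrun). The module path
   is constructed: 600 'A's, longer than MAX_PATH but shorter than FRAME_ELEMS,
   as a deeply nested real path could be. */
size_t overrun_elems(size_t nSize)
{
    static wchar_t module_path[601];
    wchar_t frame[FRAME_ELEMS];
    size_t i, clobbered = 0;

    wmemset(module_path, L'A', 600);
    module_path[600] = L'\0';
    wmemset(frame, CANARY, FRAME_ELEMS);

    /* szModulename is frame[0..MAX_PATH); everything after it is the
       neighbouring stack content that must survive the call untouched */
    mock_GetModuleFileNameExW(module_path, frame, nSize);

    for (i = MAX_PATH; i < FRAME_ELEMS; i++)
        if (frame[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* The two size arguments from the commit: byte count vs. character count */
size_t buggy_size(void)
{
    wchar_t szModulename[MAX_PATH];
    return sizeof(szModulename);          /* bytes: 2*MAX_PATH or 4*MAX_PATH */
}

size_t fixed_size(void)
{
    wchar_t szModulename[MAX_PATH];
    return ARRAYSIZE(szModulename);       /* characters: MAX_PATH */
}
```

`overrun_elems(buggy_size())` reports a non-zero number of clobbered elements because the model, like the real API, trusts nSize as a character count; `overrun_elems(fixed_size())` reports zero because the string is truncated at the real buffer boundary. The same check applies to any `TCHAR` buffer passed to a "size in characters" parameter: under a UNICODE build `sizeof` silently doubles the count.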
Qazeer
f3147ecb8a
Merge pull request #1 from zeronounours/master
...
Make extraction of offsets compatible with Linux
2021-12-08 14:52:44 +01:00
zeroNounours
10c04a9174
Rather use r2 to get file version than pefile
2021-12-08 13:55:16 +01:00
zeroNounours
82704114b3
Make ExtractOffsets.py compatible with Linux
2021-12-08 13:43:29 +01:00
Maxime Meignan
ab6188aece
Removed a typo in README.md
2021-12-08 10:54:51 +01:00
Qazeer
894f58377b
[Offsets] adds new ntoskrnl & wdigest offsets
2021-12-07 15:49:28 +01:00
Maxime Meignan
3c17e09d50
Update README.md with detections insights
2021-12-02 13:47:05 +01:00
Maxime Meignan
907d6b0a87
Cleaning up some code
2021-11-10 16:19:41 +01:00
Qazeer
9957b7a38e
Adds randomization of service name
2021-11-10 01:12:48 +01:00
Maxime Meignan
4bff81986b
Initial commit for public version
...
Co-authored-by: Thomas Diot <thomas.diot@wavestone.com>
2021-11-08 09:54:05 +01:00