maxbeckmann
8579e92a0a
Update reference to vulnerable driver
2024-01-28 16:02:08 +01:00
Maxime Meignan
80bcc61db8
Merge pull request #27 from nuts7/SentinelOneEdrBinaryTypo
...
Fix typo SentinelOne EDR binary
2024-01-28 14:39:42 +01:00
Maxime Meignan
2bfa327afb
Merge pull request #26 from laxa/master
...
Added a missing include header for SetPrivilege function
2024-01-28 14:37:41 +01:00
nuts7
2f80104a3d
Fix typo SentinelOne EDR binary
2024-01-24 16:50:03 +01:00
laxa
ea245f7642
Fix current build
2024-01-16 16:41:28 +01:00
Maxime Meignan
0e2b725590
Various fixes (TCHAR/WCHAR confusions & handle leaks)
2023-11-29 17:41:10 +01:00
Maxime Meignan
ea27242fa2
SandMiniDumpWriteDump: changed SetPrivilege location for reliable process listing
2023-11-29 17:39:49 +01:00
Maxime Meignan
794dd9c254
CLI: bugfix: the output path was too small to be overwritten
2023-11-29 17:39:49 +01:00
NK
77953c60bd
fix syscall dump method, enable sedebugprivilege
2023-11-29 14:44:35 +01:00
nikaiw
fa8f55ad83
Fix lsass pid retrieval
...
use MAXIMUM_ALLOWED instead of PROCESS_QUERY_INFORMATION
2023-11-29 14:44:35 +01:00
Maxime Meignan
2cf0c0a54f
Merge pull request #22 from wavestone-cdt/minifilters
...
Finished implementing minifilter handling
2023-11-29 14:37:53 +01:00
Maxime Meignan
6a78be1532
Thanking 0mWindyBug on the README
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-29 14:35:23 +01:00
Maxime Meignan
3ee6780751
add documentation for minifilter-related functions
2023-11-29 14:35:23 +01:00
Maxime Meignan
396e6edbf4
Provide a high-level description of the minifilter bypass in the README
2023-11-29 14:35:23 +01:00
Maxime Meignan
e567c488ff
[new feature] Implements EDR minifilter callbacks detection and removal
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-29 14:32:35 +01:00
Maxime Meignan
1b1919ba8a
Introduced the info about atomic/non-atomic write primitives
2023-11-29 14:30:07 +01:00
Maxime Meignan
eeefd835fe
Refactored the extraction script for easier integration of new images/symbols
2023-11-29 14:28:17 +01:00
Maxime Meignan
4c2449cfd4
Changed the way found callbacks are stored (removed the size limit)
2023-11-29 14:25:39 +01:00
Maxime Meignan
5bfd633022
Various cosmetic changes
2023-11-29 00:03:46 +01:00
Maxime Meignan
5e1d1daf6d
Updating the "thanks" section
...
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-03 16:32:30 +01:00
Maxime Meignan
eadbeaaad0
Added directions when the vulnerable driver does not unload correctly
2023-11-03 16:23:17 +01:00
Maxime Meignan
3c3cc307ce
Userland hooks: ignore api-ms-* DLLs
2023-11-03 16:17:59 +01:00
Maxime Meignan
bf749f54c7
PE parser: added a feature to parse a PE directly from kernel memory
...
Could be used in the future to resolve exports instead of a
suspicious LoadLibrary("ntoskrnl.exe")
2023-11-03 16:13:13 +01:00
Maxime Meignan
b7b17f8b51
visual studio configuration changes
2023-11-03 16:11:39 +01:00
Maxime Meignan
4fde66c86d
cosmetic changes
2023-11-03 16:10:40 +01:00
Maxime Meignan
b1321850c1
ExtractOffsets.py: detect invalid PDB
2023-11-03 15:57:35 +01:00
Maxime Meignan
43b159e2b1
ExtractOffsets.py: handle new offsets & duplicate PEs on MS servers
2023-11-03 15:57:10 +01:00
Maxime Meignan
f15471d12c
DSE bypass: implemented "callback swapping" method
...
The new default method for unsigned driver loading uses a KDP-compatible
technique, since it does not overwrite the protected variable g_CiOptions.
Based on the work of: https://github.com/0mWindyBug/KDP-compatible-driver-loader
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com>
2023-11-03 15:13:36 +01:00
Maxime Meignan
15c3b706f1
various cosmetic changes to please the code analyzer
2023-10-31 17:07:17 +01:00
Maxime Meignan
09dc67bc65
v1.0 of the pypdb parser: completely removed the radare2 dependency
2023-10-31 17:06:20 +01:00
Maxime Meignan
d38b84d179
starting removing the PE parsing in ExtractOffsets.py to get rid of r2
2023-10-27 16:18:42 +02:00
Maxime Meignan
aa408ced60
tweaking configuration files
2023-10-19 11:20:41 +02:00
Maxime Meignan
4d2789b21b
added a PE_find_static_relative_reference function (not used yet)
...
Function that can be used to find cross-references of a global variable
or a function
2023-10-19 11:20:30 +02:00
Maxime Meignan
1e8713cfb5
removed useless macros
2023-10-11 11:16:57 +02:00
Maxime Meignan
f1fc3a8d04
Update README.md (thanking v1k1ngfr)
2023-10-10 17:39:50 +02:00
Maxime Meignan
02490ec4ca
Merge pull request #17 from nuts7/new-edr-drivers
...
New EDR drivers
2023-10-10 16:18:42 +02:00
Maxime Meignan
4d414edb77
Implements a check on PDB files to avoid using an invalid one and crashing the machine
...
When loading a PDB that was already on disk (not downloaded) for a specific PE,
verifies that the PDB file is indeed for the current version of the target PE.
(Did I just start to write a PDB file parser?)
2023-10-10 15:44:20 +02:00
Maxime Meignan
482ab84a11
CLI: adding a small todo regarding DSE bypass
2023-10-10 15:44:20 +02:00
Maxime Meignan
c9ee91eaa8
CLI: added the correct flags for DSE bypass
2023-10-10 15:44:08 +02:00
Maxime Meignan
7590a11389
CiOptions: Simplifies the way CI.dll base address is recovered
...
Instead of using the kernel R/W primitive, uses the userland API to enumerate
kernel modules
2023-10-09 16:30:36 +02:00
Maxime Meignan
0a817fea93
g_CiOptions patching: fixed a crash
2023-10-09 14:59:10 +02:00
Maxime Meignan
0b0086ea92
cosmetic changes & compiler warnings fixes
2023-10-09 14:57:49 +02:00
Maxime Meignan
43cea1f08b
small cleanup in header files
2023-10-06 16:12:52 +02:00
v1k1ngfr
7be844b518
Add feature : loading unsigned driver
2023-10-06 12:48:29 +02:00
v1k1ngfr
0bbe76aab1
New BYOVD-driver support: GDRV.sys (GigaByte)
2023-10-06 12:45:28 +02:00
Maxime Meignan
9939301140
ExtractOffsets.py: added safety check in version number recovery
2023-10-06 11:46:25 +02:00
Maxime Meignan
a49f69b122
ExtractOffsets.py: adds an optional control on number of threads
2023-10-06 11:46:25 +02:00
Maxime Meignan
e479bef8f5
Merge pull request #14 from v1k1ngfr/g_CiOptionExtract
...
Add g_CiOptions offset extract "feature"
2023-10-06 10:33:17 +02:00
Maxime Meignan
5f82ba2efe
ExtractOffsets.py: minor syntactic, cosmetic and safety changes
2023-10-06 10:31:26 +02:00
Maxime Meignan
75b0168045
Merge branch 'master' into g_CiOptionExtract
2023-10-06 10:24:05 +02:00