Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-08 16:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
59 Commits 2 Branches 0 Tags
aa408ced60398356456e102b9e5acdb7cb0f1c8d
Commit Graph

31 Commits

Author SHA1 Message Date
Maxime Meignan aa408ced60 tweaking configuration files 2023-10-19 11:20:41 +02:00
Maxime Meignan 4d2789b21b added a PE_find_static_relative_reference function (not used yet) 
Function that can be used to find cross-references of a global variable
or a function
 2023-10-19 11:20:30 +02:00
Maxime Meignan 1e8713cfb5 removed useless macros 2023-10-11 11:16:57 +02:00
Maxime Meignan 02490ec4ca Merge pull request #17 from nuts7/new-edr-drivers 
New EDR drivers
 2023-10-10 16:18:42 +02:00
Maxime Meignan 4d414edb77 Implements a check on PDB files to avoid using an invalid one and crash the machine 
When loading a PDB that was already on disk (not downloaded) for a specific PE,
verifies that the PDB file is indeed for the current version of the target PE.

(Did I just started to write a PDB file parser ?)
 2023-10-10 15:44:20 +02:00
Maxime Meignan 7590a11389 CiOptions: Simplifies the way CI.dll base address is recovered 
Instead of using the kernel R/W primitive, uses userland API to enumerate
kernel modules
 2023-10-09 16:30:36 +02:00
Maxime Meignan 0b0086ea92 cosmetic changes & compiler warnings fixes 2023-10-09 14:57:49 +02:00
Maxime Meignan 43cea1f08b small cleanup in header files 2023-10-06 16:12:52 +02:00
v1k1ngfr 7be844b518 Add feature : loading unsigned driver 2023-10-06 12:48:29 +02:00
v1k1ngfr 0bbe76aab1 New BYOVD-driver support: GDRV.sys (GigaByte) 2023-10-06 12:45:28 +02:00
nuts7 3ed5638366 New EDR drivers 
This commit add some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys mfprom.sys hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys dsfa.sys cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
 2023-09-22 16:14:11 +02:00
Maxime Meignan 7572f09ae3 [Bugfix] _fputts did not add a LF 2023-03-16 16:41:29 +01:00
Maxime Meignan f760cd20bf Remove possibility of crash when giving a malformed CSV 2022-11-15 16:38:40 +01:00
Maxime Meignan fe4ab633da Ensure retrocompatibility with Windows XP->Windows 7 
Replaced PathCch* function with Path* functions
 2022-11-15 16:05:05 +01:00
Maxime Meignan 5ac077e81f Change compilation options to fix Debug build profile 2022-11-15 16:03:46 +01:00
Maxime Meignan f1a4d1c38c Fixes a relative/absolute driver path problem with service registering 2022-11-07 16:29:38 +01:00
Maxime Meignan 49fbc5d924 Updated README with ObRegisterCallbacks and offsets retrieval info 2022-08-19 22:20:46 +02:00
Qazeer 48a75a7029 D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more 
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
 2022-08-13 09:23:48 -07:00
Alice 0109de4937 add new Tehtris driver 
new name for the Tehtris driver
 2022-06-15 11:36:31 +02:00
Maxime Meignan e8671c36b7 Fixes a few typos in README & "usage" message 2022-01-27 11:37:20 +01:00
Maxime Meignan 31df6f1db8 Fixes an error in CLI handling 2022-01-27 11:03:37 +01:00
Maxime Meignan d29986ab80 Improved error verbosity 2022-01-17 17:19:21 +01:00
Maxime Meignan fa75dd9ec1 Header inclusion feng-shui (each file only includes what it needs) 2021-12-31 17:29:14 +01:00
Maxime Meignan 4ae1872ae9 userland hooking audit: add an option to load arbitrary DLL before auditing 2021-12-31 16:02:50 +01:00
Maxime Meignan 3c81bd4f26 execute userland hook removal before kerneland tampering activity 2021-12-31 15:52:28 +01:00
Maxime Meignan d676ff82f5 Added some safety check in hook resolving code 2021-12-08 18:24:27 +01:00
John Lambert 7c6eb8173d Update CredGuard.c 2021-12-08 08:26:18 -08:00
John Lambert 2072b71d05 Fix potential buffer overrun in credguard disable 
The call to `GetModuleFileNameEx` passes in `sizeof(szModulename)` for the size parameter. The documentation for that API says the size parameter is a character count, not a byte count ("The size of the lpFilename buffer, in characters.").  Since the code currently passes in a byte count, this opens up the possibility for a stack buffer overrun on UNICODE compilations of this tool where the byte count will be `2*MAX_PATH` which `GetModuleFileNameEx` will interpret as a character count and potentially write up to `2*2*MAX_PATH' bytes into the buffer.  Fix by passing in a character count.  You could also use a macro like `ARRAYSIZE(szModulename)`.


```diff
    TCHAR szModulename[MAX_PATH];
    for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) {
        if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, sizeof(szModulename))) {
...        }
```

[1] Docs for GetModuleFileNameEx are here (https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulefilenameexa)
 2021-12-08 07:15:06 -08:00
Maxime Meignan 907d6b0a87 Cleaning up some code 2021-11-10 16:19:41 +01:00
Qazeer 9957b7a38e Adds randomization of service name 2021-11-10 01:12:48 +01:00
Maxime Meignan 4bff81986b Initial commit for public version 
Co-authored-by: Thomas Diot <thomas.diot@wavestone.com>
 2021-11-08 09:54:05 +01:00