bf749f54c7
PE parser: added a feature to parse a PE directly from kernel memory
...
Could be used in the future to resolve export instead of a
suspicious LoadLibrary("ntoskrnl.exe")
2023-11-03 16:13:13 +01:00
b7b17f8b51
visual studio configuration changes
2023-11-03 16:11:39 +01:00
4fde66c86d
cosmetic changes
2023-11-03 16:10:40 +01:00
f15471d12c
DSE bypass : implemented "callback swapping" method
...
The new default method for unsigned driver loading uses a KDP compatible
technique, since it does not overwrite the protected variable g_CiOptions.
Based on the work of: https://github.com/0mWindyBug/KDP-compatible-driver-loader
Co-authored-by: Windy Bug <139051196+0mWindyBug@users.noreply.github.com >
2023-11-03 15:13:36 +01:00
15c3b706f1
various cosmetic changes to please the code analyzer
2023-10-31 17:07:17 +01:00
d38b84d179
starting removing the PE parsing in ExtractOffsets.py to get rid of r2
2023-10-27 16:18:42 +02:00
aa408ced60
tweaking configuration files
2023-10-19 11:20:41 +02:00
4d2789b21b
added a PE_find_static_relative_reference function (not used yet)
...
Function that can be used to find cross-references of a global variable
or a function
2023-10-19 11:20:30 +02:00
1e8713cfb5
removed useless macros
2023-10-11 11:16:57 +02:00
02490ec4ca
Merge pull request #17 from nuts7/new-edr-drivers
...
New EDR drivers
2023-10-10 16:18:42 +02:00
4d414edb77
Implements a check on PDB files to avoid using an invalid one and crash the machine
...
When loading a PDB that was already on disk (not downloaded) for a specific PE,
verifies that the PDB file is indeed for the current version of the target PE.
(Did I just started to write a PDB file parser ?)
2023-10-10 15:44:20 +02:00
7590a11389
CiOptions: Simplifies the way CI.dll base address is recovered
...
Instead of using the kernel R/W primitive, uses userland API to enumerate
kernel modules
2023-10-09 16:30:36 +02:00
0b0086ea92
cosmetic changes & compiler warnings fixes
2023-10-09 14:57:49 +02:00
43cea1f08b
small cleanup in header files
2023-10-06 16:12:52 +02:00
7be844b518
Add feature : loading unsigned driver
2023-10-06 12:48:29 +02:00
0bbe76aab1
New BYOVD-driver support: GDRV.sys (GigaByte)
2023-10-06 12:45:28 +02:00
3ed5638366
New EDR drivers
...
This commit add some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys mfprom.sys hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys dsfa.sys cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
2023-09-22 16:14:11 +02:00
7572f09ae3
[Bugfix] _fputts did not add a LF
2023-03-16 16:41:29 +01:00
f760cd20bf
Remove possibility of crash when giving a malformed CSV
2022-11-15 16:38:40 +01:00
fe4ab633da
Ensure retrocompatibility with Windows XP->Windows 7
...
Replaced PathCch* function with Path* functions
2022-11-15 16:05:05 +01:00
5ac077e81f
Change compilation options to fix Debug build profile
2022-11-15 16:03:46 +01:00
f1a4d1c38c
Fixes a relative/absolute driver path problem with service registering
2022-11-07 16:29:38 +01:00
49fbc5d924
Updated README with ObRegisterCallbacks and offsets retrieval info
2022-08-19 22:20:46 +02:00
48a75a7029
D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more
...
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com >
2022-08-13 09:23:48 -07:00
0109de4937
add new Tehtris driver
...
new name for the Tehtris driver
2022-06-15 11:36:31 +02:00
e8671c36b7
Fixes a few typos in README & "usage" message
2022-01-27 11:37:20 +01:00
31df6f1db8
Fixes an error in CLI handling
2022-01-27 11:03:37 +01:00
d29986ab80
Improved error verbosity
2022-01-17 17:19:21 +01:00
fa75dd9ec1
Header inclusion feng-shui (each file only includes what it needs)
2021-12-31 17:29:14 +01:00
4ae1872ae9
userland hooking audit: add an option to load arbitrary DLL before auditing
2021-12-31 16:02:50 +01:00
3c81bd4f26
execute userland hook removal before kerneland tampering activity
2021-12-31 15:52:28 +01:00
d676ff82f5
Added some safety check in hook resolving code
2021-12-08 18:24:27 +01:00
7c6eb8173d
Update CredGuard.c
2021-12-08 08:26:18 -08:00
2072b71d05
Fix potential buffer overrun in credguard disable
...
The call to `GetModuleFileNameEx` passes in `sizeof(szModulename)` for the size parameter. The documentation for that API says the size parameter is a character count, not a byte count ("The size of the lpFilename buffer, in characters."). Since the code currently passes in a byte count, this opens up the possibility for a stack buffer overrun on UNICODE compilations of this tool where the byte count will be `2*MAX_PATH` which `GetModuleFileNameEx` will interpret as a character count and potentially write up to `2*2*MAX_PATH' bytes into the buffer. Fix by passing in a character count. You could also use a macro like `ARRAYSIZE(szModulename)`.
```diff
TCHAR szModulename[MAX_PATH];
for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) {
if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, sizeof(szModulename))) {
... }
```
[1] Docs for GetModuleFileNameEx are here (https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulefilenameexa )
2021-12-08 07:15:06 -08:00
907d6b0a87
Cleaning up some code
2021-11-10 16:19:41 +01:00
9957b7a38e
Adds randomization of service name
2021-11-10 01:12:48 +01:00
4bff81986b
Initial commit for public version
...
Co-authored-by: Thomas Diot <thomas.diot@wavestone.com >
2021-11-08 09:54:05 +01:00
Maxime Meignan