Mirrors/wavestone-cdt-edrsandblast
1
0
Fork 0
mirror of https://github.com/wavestone-cdt/EDRSandblast.git synced 2026-06-08 16:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
56 Commits 2 Branches 0 Tags
f1fc3a8d04228dce3d9067000be004a307151c30
Commit Graph

56 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Maxime Meignan f1fc3a8d04 Update README.md (thanking v1k1ngfr) 2023-10-10 17:39:50 +02:00
Maxime Meignan 02490ec4ca Merge pull request #17 from nuts7/new-edr-drivers 
New EDR drivers
 2023-10-10 16:18:42 +02:00
Maxime Meignan 4d414edb77 Implements a check on PDB files to avoid using an invalid one and crash the machine 
When loading a PDB that was already on disk (not downloaded) for a specific PE,
verifies that the PDB file is indeed for the current version of the target PE.

(Did I just started to write a PDB file parser ?)
 2023-10-10 15:44:20 +02:00
Maxime Meignan 482ab84a11 CLI: adding a small todo regarding DSE bypass 2023-10-10 15:44:20 +02:00
Maxime Meignan c9ee91eaa8 CLI: added the correct flags for DSE bypass 2023-10-10 15:44:08 +02:00
Maxime Meignan 7590a11389 CiOptions: Simplifies the way CI.dll base address is recovered 
Instead of using the kernel R/W primitive, uses userland API to enumerate
kernel modules
 2023-10-09 16:30:36 +02:00
Maxime Meignan 0a817fea93 g_CiOptions patching: fixed a crash 2023-10-09 14:59:10 +02:00
Maxime Meignan 0b0086ea92 cosmetic changes & compiler warnings fixes 2023-10-09 14:57:49 +02:00
Maxime Meignan 43cea1f08b small cleanup in header files 2023-10-06 16:12:52 +02:00
v1k1ngfr 7be844b518 Add feature : loading unsigned driver 2023-10-06 12:48:29 +02:00
v1k1ngfr 0bbe76aab1 New BYOVD-driver support: GDRV.sys (GigaByte) 2023-10-06 12:45:28 +02:00
Maxime Meignan 9939301140 ExtractOffsets.py: added safety check in version number recovery 2023-10-06 11:46:25 +02:00
Maxime Meignan a49f69b122 ExtractOffsets.py: adds an optionnal control on number of threads 2023-10-06 11:46:25 +02:00
Maxime Meignan e479bef8f5 Merge pull request #14 from v1k1ngfr/g_CiOptionExtract 
Add g_CiOptions offset extract "feature"
 2023-10-06 10:33:17 +02:00
Maxime Meignan 5f82ba2efe ExtractOffsets.py: minor syntactic, cosmetic and safety changes 2023-10-06 10:31:26 +02:00
Maxime Meignan 75b0168045 Merge branch 'master' into g_CiOptionExtract 2023-10-06 10:24:05 +02:00
laxa a561976b5d Fix version parsing issue in offsets extractor 
Now finding version information in the nested json file to prevent some
crashes and potentially retrieving more ntoskrnl.exe files
 2023-10-05 15:11:16 +02:00
laxa 45d3ff5486 Fix concurrency issues in offsets extractor 
Fixes the following:
* The progress not showing correctly when downloading and processing files.
    I had to remove some verbose information to avoid the progress being rewritten
* Introducing locks when downloading files to prevent any race when printing
 2023-10-05 14:34:58 +02:00
nuts7 3ed5638366 New EDR drivers 
This commit add some EDR drivers: BDSandBox.sys (BitDefender), MfeEEFF.sys mfprom.sys hdlpflt.sys (McAfee Inc.), TmFileEncDmk.sys (Trend Micro Inc.), psepfilter.sys (Absolute Software), cve.sys (Absolute Software Corp.), medlpflt.sys dsfa.sys cposfw.sys (Check Point Software), cpbak.sys (Checkpoint Software), SISIPSFileFilter.sys (Symantec Corp.), cbstream.sys cbk7.sys (Carbon Black) and dgdmk.sys (Verdasys Inc)
 2023-09-22 16:14:11 +02:00
Maxime Meignan bafddfbced Fixed a radare2 version parsing error in extractoffsets.py 2023-04-17 16:07:09 +02:00
Maxime Meignan 7572f09ae3 [Bugfix] _fputts did not add a LF 2023-03-16 16:41:29 +01:00
Viking a3966d34b3 Update CiOffsets.csv 2022-12-28 17:08:06 +01:00
Viking 919ec7dea1 Add CiOffsets.csv 
It contains g_CiOptions offset for several ci.dll version
 2022-12-11 11:02:21 +01:00
Viking 5f2734a888 Add g_CiOptions offset extract "feature" 
Here is an example :  
ExtractOffsets.py ci -i C:\Windows\System32\ci.dll
 2022-12-06 18:13:53 +01:00
Maxime Meignan f760cd20bf Remove possibility of crash when giving a malformed CSV 2022-11-15 16:38:40 +01:00
Maxime Meignan fe4ab633da Ensure retrocompatibility with Windows XP->Windows 7 
Replaced PathCch* function with Path* functions
 2022-11-15 16:05:05 +01:00
Maxime Meignan 5ac077e81f Change compilation options to fix Debug build profile 2022-11-15 16:03:46 +01:00
Maxime Meignan f1a4d1c38c Fixes a relative/absolute driver path problem with service registering 2022-11-07 16:29:38 +01:00
Maxime Meignan 1dab1efdd6 Changed enum names in API 2022-08-22 10:45:23 +02:00
Maxime Meignan 49fbc5d924 Updated README with ObRegisterCallbacks and offsets retrieval info 2022-08-19 22:20:46 +02:00
Qazeer 48a75a7029 D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more 
Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
 2022-08-13 09:23:48 -07:00
Maxime Meignan 2e037a379b Merge pull request #8 from xalicex/master 
Add new Tehtris driver name
 2022-06-17 18:26:24 +02:00
Alice 0109de4937 add new Tehtris driver 
new name for the Tehtris driver
 2022-06-15 11:36:31 +02:00
Maxime Meignan 487047f9db clarifies some parts of the README 2022-01-27 14:20:06 +01:00
Maxime Meignan e8671c36b7 Fixes a few typos in README & "usage" message 2022-01-27 11:37:20 +01:00
Maxime Meignan 31df6f1db8 Fixes an error in CLI handling 2022-01-27 11:03:37 +01:00
Qazeer 744754ae04 Fixes typos in ExtractOffsets script 2022-01-17 23:51:05 +01:00
Maxime Meignan d29986ab80 Improved error verbosity 2022-01-17 17:19:21 +01:00
Qazeer c058ff312a [Offsets] adds new ntoskrnl offsets 2022-01-07 12:29:08 +01:00
Maxime Meignan cd0d983525 Update README.md 2022-01-07 10:02:29 +01:00
Maxime Meignan fa75dd9ec1 Header inclusion feng-shui (each file only includes what it needs) 2021-12-31 17:29:14 +01:00
Maxime Meignan 4ae1872ae9 userland hooking audit: add an option to load arbitrary DLL before auditing 2021-12-31 16:02:50 +01:00
Maxime Meignan 3c81bd4f26 execute userland hook removal before kerneland tampering activity 2021-12-31 15:52:28 +01:00
Maxime Meignan d676ff82f5 Added some safety check in hook resolving code 2021-12-08 18:24:27 +01:00
Maxime Meignan 7587511330 Merge pull request #2 from JohnLaTwC/patch-1 
Fix potential buffer overrun in credguard disable
 2021-12-08 18:18:19 +01:00
John Lambert 7c6eb8173d Update CredGuard.c 2021-12-08 08:26:18 -08:00
John Lambert 2072b71d05 Fix potential buffer overrun in credguard disable 
The call to `GetModuleFileNameEx` passes in `sizeof(szModulename)` for the size parameter. The documentation for that API says the size parameter is a character count, not a byte count ("The size of the lpFilename buffer, in characters.").  Since the code currently passes in a byte count, this opens up the possibility for a stack buffer overrun on UNICODE compilations of this tool where the byte count will be `2*MAX_PATH` which `GetModuleFileNameEx` will interpret as a character count and potentially write up to `2*2*MAX_PATH' bytes into the buffer.  Fix by passing in a character count.  You could also use a macro like `ARRAYSIZE(szModulename)`.


```diff
    TCHAR szModulename[MAX_PATH];
    for (DWORD i = 0; i < (lpcbNeeded / sizeof(HMODULE)); i++) {
        if (hModulesArray[i] && !GetModuleFileNameEx(hLsass, hModulesArray[i], szModulename, sizeof(szModulename))) {
...        }
```

[1] Docs for GetModuleFileNameEx are here (https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getmodulefilenameexa)
 2021-12-08 07:15:06 -08:00
Qazeer f3147ecb8a Merge pull request #1 from zeronounours/master 
Make extraction of offsets compatible with Linux
 2021-12-08 14:52:44 +01:00
zeroNounours 10c04a9174 Rather use r2 to get file version than pefile 2021-12-08 13:55:16 +01:00
zeroNounours 82704114b3 Make ExtractOffsets.py compatible with Linux 2021-12-08 13:43:29 +01:00