jthuraisamy / telemetrysourcerer Goto Github PK
View Code? Open in Web Editor NEWEnumerate and disable common sources of telemetry used by AV/EDR.
License: Apache License 2.0
telemetrysourcerer's People
Contributors
Stargazers
Watchers
Forkers
askyeye analyticsearch w00t3k gavz joshfinley yehias halbachb killerwhiles meesong crackercat scp-66 h1d3r fcccode wbaby killvxk invokethreatguy slooppe yangfan6888 a10ncoder wisdark shantanu561993 digitalarche gkfnf topotam kennyzeng laowang1026 ezhangle suvrajeet01 jack51706 tobey123 fengjixuchui gameofwar12 l1ves dznet alehacksp reposities explife0011 djhohnstein marcosd4h longxinyun-security 5433d-r32433 raystyle aaaddress1 scareing akpotter incod3 tomyang9 asdlei99 pumpkinbro 5l1v3r1 rileyzink fadinglr v4nyl wbglil daffodi1 jilvan1234 ltears y11en boogie77 chaoscalm superuser5 kibercthulhu analystnotes axax002 kungia09 wjcsharp vladtreny servomekanism benheise trac3me classicvalues xiofee mr-cyberpaper hecg119 webvul xalicex muse117 ellen2015 anti-ghosts re-expoc securitystuffbackup 00mjk cyberliv davidmorsalazar roadwy windowskernel sec-fork nanaao zerotens k4nfr3 yeah9782 cvlabsio noostudent thomasxm data-gami pawpatrolryder zha0 gmh5225 shonker codingmantelemetrysourcerer's Issues
README
The link for tips on creating a private lab leads to a page with a 401 error.
Some code correctness issues
Issue 1
In IsProcessElevated():
- Leaks TokenHandle on exit
- Fails to call FreeSid on NtAuthority
- No checks for API failures. e.g. The return from GetTokenInformation is not checked, and with ElevationType being unintialized, it could be a random value on failure.
Issue 2a
In LoadDriver():
This call to GetModuleFileNameW is vulnerable to buffer overrun. The nSize parameter to GetModuleFileNameW should be set to MAX_PATH - 1. It is a character count of the size of the buffer ("The size of the lpFilename buffer, in TCHARs"), not a byte count which is what the code passes in.
WCHAR ExecutableDirectory[MAX_PATH] = { 0 };
- GetModuleFileNameW(GetModuleHandle(NULL), (LPWSTR)&ExecutableDirectory, MAX_PATH * 2);
+ GetModuleFileNameW(GetModuleHandle(NULL), (LPWSTR)&ExecutableDirectory, MAX_PATH - 1); Issue 2b
:This code calls
StringCbPrintfW which is the "count of bytes" version of Printf but it passes in a count of characters (MAX_PATH).
WCHAR DriverPath[MAX_PATH] = { 0 };
- StringCbPrintfW(DriverPath, MAX_PATH, LR"(\??\%ls\TelemetrySourcererDriver.sys)", ExecutableDirectory);
+ StringCchPrintfW(DriverPath, MAX_PATH, LR"(\??\%ls\TelemetrySourcererDriver.sys)", ExecutableDirectory);
Issue 2c
:None of the exit paths free the obtained resources (SCM handles, driver handle)
if (ServiceStarted)
return ERROR_SUCCESS;
! fails to release resources
else
return GetLastError();
! fails to release resourcesIssue 3
In GetCallbacks(std::vector<PCALLBACK_ENTRY> OldCallbackEntries):
This early exit does not free
ModuleInfos and leaks it. Same with CallbackInfos
Issue 4
In DriverEntry()
The driver object is created with default permissions that allow any user to open it. Since the driver exposes read/write primitives (IOCTL_GET_QWORD, IOCTL_SET_QWORD), this allows abuse and repurposing of this driver (esp if signed) to do anything (corrupt anything, read any secret). A redteam using this driver would weaken the security of a system beyond the scope of modifying telemetry.
Explanation post turned private
I was trying to access the post but it seems to have gone private. Is it still available elsewhere?
Only showing File System Callbacks
Hi,
I tried the tool against below system and it is only showing me FileSystem Collection Type kernel callbacks. How do I see other callbacks like Thread Creation, Image Load etc
Host Name: xxxxxxx
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.19043 N/A Build 19043
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: N/A
Registered Organization: N/A
Product ID: xxxxxxxx
Original Install Date: 23-09-2020, 16:38:44
System Boot Time: 01-07-2021, 15:34:22
System Manufacturer: LENOVO
System Model: xxxxxxx
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~801 Mhz
BIOS Version: LENOVO xxxxxx 01-07-2020
Regards
Pravesh
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.