jthuraisamy / telemetrysourcerer

Enumerate and disable common sources of telemetry used by AV/EDR.

License: Apache License 2.0

C++ 94.97% C 4.46% Objective-C 0.57%
av edr evasion security-tools

telemetrysourcerer's Issues

Some code correctness issues

Issue 1

In IsProcessElevated():

  • Leaks TokenHandle on exit
  • Fails to call FreeSid on NtAuthority
  • No checks for API failures, e.g. the return from GetTokenInformation is not checked, and with ElevationType being uninitialized, it could be a random value on failure.

Issue 2a

In LoadDriver():

GetModuleFileNameW(GetModuleHandle(NULL), (LPWSTR)&ExecutableDirectory, MAX_PATH * 2);

This call to GetModuleFileNameW is vulnerable to buffer overrun. The nSize parameter to GetModuleFileNameW should be set to MAX_PATH - 1. It is a character count of the size of the buffer ("The size of the lpFilename buffer, in TCHARs"), not a byte count, which is what the code passes in.

	WCHAR ExecutableDirectory[MAX_PATH] = { 0 };
-	GetModuleFileNameW(GetModuleHandle(NULL), (LPWSTR)&ExecutableDirectory, MAX_PATH * 2);  
+	GetModuleFileNameW(GetModuleHandle(NULL), (LPWSTR)&ExecutableDirectory, MAX_PATH - 1);  
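Review bot: the `+` line keeps `(LPWSTR)&ExecutableDirectory`, a pointer to the whole array cast to LPWSTR; the array decays to `WCHAR*` on its own, so plain `ExecutableDirectory` is correct and the cast only hides a future type mismatch. Expressing the count as `_countof(ExecutableDirectory)` (minus one if the XP null-termination quirk is the concern) ties the argument to the declaration so it cannot drift if the buffer is resized. The return value of GetModuleFileNameW is still discarded on both lines; a zero return means the call failed and the empty path should not be used to build the driver path below.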

Issue 2b

WCHAR DriverPath[MAX_PATH] = { 0 };
:
This code calls StringCbPrintfW which is the "count of bytes" version of Printf but it passes in a count of characters (MAX_PATH).

	WCHAR DriverPath[MAX_PATH] = { 0 };
-	StringCbPrintfW(DriverPath, MAX_PATH, LR"(\??\%ls\TelemetrySourcererDriver.sys)", ExecutableDirectory);
+	StringCchPrintfW(DriverPath, MAX_PATH, LR"(\??\%ls\TelemetrySourcererDriver.sys)", ExecutableDirectory);
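Review bot: `MAX_PATH` stays a bare literal on the `+` line; with `StringCchPrintfW` it must equal the element count of `DriverPath`, so `_countof(DriverPath)` (or keeping `StringCbPrintfW` with `sizeof(DriverPath)`) states the intent and survives a later change to the array size. The HRESULT is dropped on both lines: `StringCchPrintfW` returns `STRSAFE_E_INSUFFICIENT_BUFFER` when the formatted path does not fit, and `LoadDriver` should fail at that point rather than register a truncated path with the service manager.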

Issue 2c

BOOL ServiceStarted = StartServiceW(SvcHandle, NULL, nullptr);
:

None of the exit paths free the obtained resources (SCM handles, driver handle)

	if (ServiceStarted)
		return ERROR_SUCCESS;
! fails to release resources
	else
		return GetLastError();
! fails to release resources

Issue 3

In GetCallbacks(std::vector<PCALLBACK_ENTRY> OldCallbackEntries):


This early exit does not free ModuleInfos and leaks it. Same with CallbackInfos.

Issue 4

In DriverEntry():

Status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);

The driver object is created with default permissions that allow any user to open it. Since the driver exposes read/write primitives (IOCTL_GET_QWORD, IOCTL_SET_QWORD), this allows abuse and repurposing of this driver (esp. if signed) to do anything (corrupt anything, read any secret). A red team using this driver would weaken the security of a system beyond the scope of modifying telemetry.
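The element-count versus byte-count confusion of Issues 2a and 2b, reduced to portable C as an added example (not the project's code): C99 `swprintf` with an element count stands in for the corrected StringCchPrintfW, `MAX_PATH` is redefined so the snippet builds outside Windows, and the `C:\Tools` directory is a constructed sample.

```c
#include <stdio.h>
#include <wchar.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* as in the Windows headers; redefined to build elsewhere */
#endif

/* Element count of an array: what StringCchPrintfW (and C99 swprintf) expect.
 * sizeof(buf) is the byte count StringCbPrintfW expects. Passing MAX_PATH * 2
 * to a character-count API overruns a WCHAR[MAX_PATH] buffer (Issue 2a). */
#define COUNT_OF(a) (sizeof(a) / sizeof((a)[0]))

/* Build "\??\<dir>\TelemetrySourcererDriver.sys" into out (out_count wide
 * chars). Returns 0 on success, -1 if it would not fit: the corrected
 * StringCchPrintfW call of Issue 2b with its result actually checked. */
int build_driver_path(const wchar_t *dir, wchar_t *out, size_t out_count)
{
    if (dir == NULL || out == NULL || out_count == 0)
        return -1;
    /* swprintf takes an element count and returns a negative value when the
     * text plus terminator does not fit, so nothing is silently truncated. */
    int n = swprintf(out, out_count, L"\\??\\%ls\\TelemetrySourcererDriver.sys", dir);
    if (n < 0) {
        out[0] = L'\0';  /* never hand a partial path to the service manager */
        return -1;
    }
    return 0;
}

/* A short directory fits and yields exactly the expected path. */
int check_short_dir_fits(void)
{
    wchar_t path[MAX_PATH];
    if (build_driver_path(L"C:\\Tools", path, COUNT_OF(path)) != 0)
        return 0;
    return wcscmp(path, L"\\??\\C:\\Tools\\TelemetrySourcererDriver.sys") == 0;
}

/* A directory longer than the buffer is rejected instead of overrun. */
int check_long_dir_rejected(void)
{
    wchar_t longdir[MAX_PATH + 8], path[MAX_PATH];
    for (size_t i = 0; i < COUNT_OF(longdir); i++)
        longdir[i] = (i + 1 < COUNT_OF(longdir)) ? L'A' : L'\0';
    return build_driver_path(longdir, path, COUNT_OF(path)) == -1 && path[0] == L'\0';
}
```

The two check functions are the usage: the first returns 1 for a normal directory, the second returns 1 because an over-long directory is refused rather than written past the buffer.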

README

The link for tips on creating a private lab leads to a page with a 401 error.

Only showing File System Callbacks

Hi,

I tried the tool against the system below and it is only showing me FileSystem Collection Type kernel callbacks. How do I see other callbacks like Thread Creation, Image Load, etc.?

Host Name: xxxxxxx
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.19043 N/A Build 19043
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: N/A
Registered Organization: N/A
Product ID: xxxxxxxx
Original Install Date: 23-09-2020, 16:38:44
System Boot Time: 01-07-2021, 15:34:22
System Manufacturer: LENOVO
System Model: xxxxxxx
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~801 Mhz
BIOS Version: LENOVO xxxxxx 01-07-2020


Regards
Pravesh
