jthuraisamy / telemetrysourcerer
Enumerate and disable common sources of telemetry used by AV/EDR.
License: Apache License 2.0
In IsProcessElevated():
In LoadDriver():
WCHAR ExecutableDirectory[MAX_PATH] = { 0 };
- GetModuleFileNameW(GetModuleHandle(NULL), (LPWSTR)&ExecutableDirectory, MAX_PATH * 2);
+ GetModuleFileNameW(GetModuleHandle(NULL), (LPWSTR)&ExecutableDirectory, MAX_PATH - 1);
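Review bot: the fixed size is right but the call's return value is still ignored, and LoadDriver goes on to use the buffer as a path. GetModuleFileNameW takes nSize in characters, so MAX_PATH * 2 told the API the 520-byte ExecutableDirectory buffer held 520 WCHARs (a possible 520-byte stack overrun on a long path); MAX_PATH - 1 removes that, but on failure the function returns 0 and on truncation it returns nSize with ERROR_INSUFFICIENT_BUFFER, and neither case is handled. Suggest `DWORD Len = GetModuleFileNameW(NULL, ExecutableDirectory, ARRAYSIZE(ExecutableDirectory)); if (Len == 0 || Len >= ARRAYSIZE(ExecutableDirectory)) return GetLastError();`. Passing the array directly also drops the `(LPWSTR)&ExecutableDirectory` cast, which hides a `WCHAR (*)[MAX_PATH]` being passed where a `WCHAR *` is expected. One more caveat from the visible lines: GetModuleFileNameW returns the full executable path, file name included, so unless code not shown here strips the file name, the variable does not hold a directory.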
It uses StringCbPrintfW, which is the "count of bytes" version of Printf, but passes in a count of characters (MAX_PATH).
WCHAR DriverPath[MAX_PATH] = { 0 };
- StringCbPrintfW(DriverPath, MAX_PATH, LR"(\??\%ls\TelemetrySourcererDriver.sys)", ExecutableDirectory);
+ StringCchPrintfW(DriverPath, MAX_PATH, LR"(\??\%ls\TelemetrySourcererDriver.sys)", ExecutableDirectory);
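Review bot: the change to StringCchPrintfW is correct but the size argument should come from the declaration, and the HRESULT should be checked. StringCbPrintfW reads its second argument as bytes, so MAX_PATH (260) bytes left room for 129 WCHARs plus the terminator and longer paths were silently cut at 129 characters (strsafe always terminates, so this was truncation rather than overflow). Prefer `StringCchPrintfW(DriverPath, ARRAYSIZE(DriverPath), ...)` so the count cannot drift from the buffer declaration, and test the result for STRSAFE_E_INSUFFICIENT_BUFFER: the `\??\` prefix and `\TelemetrySourcererDriver.sys` add 33 characters, so any executable path longer than 226 characters produces a truncated driver path that only fails later, in the service call, with a less useful error.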
None of the exit paths free the obtained resources (SCM handles, driver handle):
if (ServiceStarted)
    return ERROR_SUCCESS;   // ! fails to release resources
else
    return GetLastError();  // ! fails to release resources
In GetCallbacks(std::vector<PCALLBACK_ENTRY> OldCallbackEntries):
Allocates ModuleInfos and leaks it. Same with CallbackInfos.
In DriverEntry():
The driver object is created with default permissions that allow any user to open it. Since the driver exposes read/write primitives (IOCTL_GET_QWORD, IOCTL_SET_QWORD), this allows abuse and repurposing of this driver (especially if signed) to do anything (corrupt anything, read any secret). A red team using this driver would weaken the security of a system beyond the scope of modifying telemetry.
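The device-ACL point raised above can be checked from user mode without reading the driver's source. The PowerShell script below is an added example and is not part of TelemetrySourcerer: it attempts to open the device for read/write access as the current user and reports the outcome, so running it once from an elevated prompt and once from a standard-user prompt shows whether the default security descriptor really lets any local user reach IOCTL_GET_QWORD and IOCTL_SET_QWORD. The device path `\\.\TelemetrySourcerer` is an assumption (the page does not name the device or its symbolic link); pass the name the driver actually registers.

```powershell
# Added example, not part of TelemetrySourcerer. Probes whether the calling
# token can open a kernel device object with read/write access.
# Expected results:
#   default security descriptor  -> opens for administrators AND standard users
#   SDDL_DEVOBJ_SYS_ALL_ADM_ALL  -> opens for administrators, ERROR_ACCESS_DENIED (5)
#                                   for a standard user
param(
    # ASSUMED device path; the driver's real symbolic link is not given on the page.
    [string]$DevicePath = '\\.\TelemetrySourcerer'
)

# P/Invoke CreateFileW; a SafeFileHandle return lets the marshaller flag
# INVALID_HANDLE_VALUE via IsInvalid and closes the handle on Dispose().
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

[uint32]$GENERIC_READ  = 0x80000000
[uint32]$GENERIC_WRITE = 0x40000000
[uint32]$OPEN_EXISTING = 3
$ERROR_FILE_NOT_FOUND  = 2
$ERROR_ACCESS_DENIED   = 5

# Is this token elevated? Under UAC a filtered administrator token reports $false here.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

$handle    = [Probe.Native]::CreateFileW($DevicePath, [uint32]($GENERIC_READ -bor $GENERIC_WRITE), 0,
    [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
$lastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

"Caller: {0} (elevated: {1})" -f $identity.Name, $elevated
if (-not $handle.IsInvalid) {
    $handle.Dispose()
    if ($elevated) {
        "Opened $DevicePath read/write as an administrator (expected for any DACL that admits SYSTEM/Administrators)."
    } else {
        "FINDING: $DevicePath opened read/write from a non-elevated token; any local user can issue its IOCTLs."
    }
} elseif ($lastError -eq $ERROR_ACCESS_DENIED) {
    "Open denied (ERROR_ACCESS_DENIED): the device DACL restricts this caller."
} elseif ($lastError -eq $ERROR_FILE_NOT_FOUND) {
    "Device $DevicePath not found: is the driver loaded, and is the name right?"
} else {
    "CreateFileW failed with Win32 error $lastError."
}
```

On the driver side, the fix this probe checks for is creating the device with an explicit descriptor rather than the default one: IoCreateDeviceSecure (WdmlibIoCreateDeviceSecure) with the SDDL string SDDL_DEVOBJ_SYS_ALL_ADM_ALL, `D:P(A;;GA;;;SY)(A;;GA;;;BA)`, grants access only to SYSTEM and Administrators, which is the least a driver offering arbitrary kernel read/write should require.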
The link for tips on creating a private lab leads to a page with a 401 error.
I was trying to access the post but it seems to have gone private. Is it still available elsewhere?
Hi,
I tried the tool against the system below and it is only showing me FileSystem Collection Type kernel callbacks. How do I see other callbacks like Thread Creation, Image Load, etc.?
Host Name: xxxxxxx
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.19043 N/A Build 19043
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: N/A
Registered Organization: N/A
Product ID: xxxxxxxx
Original Install Date: 23-09-2020, 16:38:44
System Boot Time: 01-07-2021, 15:34:22
System Manufacturer: LENOVO
System Model: xxxxxxx
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 12 GenuineIntel ~801 Mhz
BIOS Version: LENOVO xxxxxx 01-07-2020
Regards
Pravesh