netero1010 / edrsilencer Goto Github PK
A tool that uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
License: MIT License
Attempting to compile your project for testing, and getting the issues below.
I cloned down your project and, following the readme, used x86_64-w64-mingw32-gcc EDRSilencer.c -o EDRSilencer.exe -lfwpuclnt utils.c
to attempt to compile.
Any help getting the build environment set up correctly would be much appreciated.
My current mingw packages that are installed:
~/EDRSilencer(main) » apt search mingw | grep installed 11:31:09
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
binutils-mingw-w64-i686/focal,now 2.34-5ubuntu1+8.8 amd64 [installed,automatic]
binutils-mingw-w64-x86-64/focal,now 2.34-5ubuntu1+8.8 amd64 [installed,automatic]
g++-mingw-w64/focal,focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 all [installed,automatic]
g++-mingw-w64-i686/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
g++-mingw-w64-x86-64/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
gcc-mingw-w64/focal,focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 all [installed,automatic]
gcc-mingw-w64-base/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
gcc-mingw-w64-i686/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
gcc-mingw-w64-x86-64/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed,automatic]
gobjc-mingw-w64-x86-64/focal,now 9.3.0-7ubuntu1+22~exp1ubuntu4 amd64 [installed]
libnpth-mingw-w64-dev/focal,focal,now 1.6-1 all [installed]
mingw-w64/focal,focal,now 7.0.0-2 all [installed]
mingw-w64-common/focal,focal,now 7.0.0-2 all [installed]
mingw-w64-i686-dev/focal,focal,now 7.0.0-2 all [installed,automatic]
mingw-w64-tools/focal,now 7.0.0-2 amd64 [installed]
mingw-w64-x86-64-dev/focal,focal,now 7.0.0-2 all [installed,automatic]
~/EDRSilencer(main) » x86_64-w64-mingw32-gcc --version
x86_64-w64-mingw32-gcc (GCC) 9.3-win32 20200320
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
~/EDRSilencer(main) » x86_64-w64-mingw32-gcc EDRSilencer.c -o EDRSilencer.exe -lfwpuclnt utils.c
EDRSilencer.c: In function ‘GetProviderGUIDByDescription’:
EDRSilencer.c:128:5: error: unknown type name ‘FWPM_PROVIDER0’; did you mean ‘CRYPT_PROVIDERS’?
128 | FWPM_PROVIDER0** providers = NULL;
| ^~~~~~~~~~~~~~
| CRYPT_PROVIDERS
EDRSilencer.c:131:14: warning: implicit declaration of function ‘FwpmEngineOpen0’ [-Wimplicit-function-declaration]
131 | result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
| ^~~~~~~~~~~~~~~
EDRSilencer.c:137:14: warning: implicit declaration of function ‘FwpmProviderCreateEnumHandle0’ [-Wimplicit-function-declaration]
137 | result = FwpmProviderCreateEnumHandle0(hEngine, NULL, &enumHandle);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:140:9: warning: implicit declaration of function ‘FwpmEngineClose0’ [-Wimplicit-function-declaration]
140 | FwpmEngineClose0(hEngine);
| ^~~~~~~~~~~~~~~~
EDRSilencer.c:144:14: warning: implicit declaration of function ‘FwpmProviderEnum0’ [-Wimplicit-function-declaration]
144 | result = FwpmProviderEnum0(hEngine, enumHandle, 100, &providers, &numProviders);
| ^~~~~~~~~~~~~~~~~
EDRSilencer.c:152:25: error: request for member ‘displayData’ in something not a structure or union
152 | if (providers[i]->displayData.description != NULL) {
| ^~
EDRSilencer.c:153:36: error: request for member ‘displayData’ in something not a structure or union
153 | if (wcscmp(providers[i]->displayData.description, providerDescription) == 0) {
| ^~
EDRSilencer.c:154:48: error: request for member ‘providerKey’ in something not a structure or union
154 | *outProviderGUID = providers[i]->providerKey;
| ^~
EDRSilencer.c:161:9: warning: implicit declaration of function ‘FwpmFreeMemory0’ [-Wimplicit-function-declaration]
161 | FwpmFreeMemory0((void**)&providers);
| ^~~~~~~~~~~~~~~
EDRSilencer.c:164:5: warning: implicit declaration of function ‘FwpmProviderDestroyEnumHandle0’ [-Wimplicit-function-declaration]
164 | FwpmProviderDestroyEnumHandle0(hEngine, enumHandle);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c: In function ‘BlockEdrProcessTraffic’:
EDRSilencer.c:208:17: error: unknown type name ‘FWPM_FILTER_CONDITION0’
208 | FWPM_FILTER_CONDITION0 cond = {0};
| ^~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:209:17: error: unknown type name ‘FWPM_FILTER0’
209 | FWPM_FILTER0 filter = {0};
| ^~~~~~~~~~~~
EDRSilencer.c:210:17: error: unknown type name ‘FWPM_PROVIDER0’; did you mean ‘CRYPT_PROVIDERS’?
210 | FWPM_PROVIDER0 provider = {0};
| ^~~~~~~~~~~~~~
| CRYPT_PROVIDERS
EDRSilencer.c:215:17: warning: implicit declaration of function ‘QueryFullProcessImageNameW’ [-Wimplicit-function-declaration]
215 | QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:216:32: warning: implicit declaration of function ‘FwpmGetAppIdFromFileName0’ [-Wimplicit-function-declaration]
216 | DWORD result = FwpmGetAppIdFromFileName0(fullPath, &appId);
| ^~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:225:23: error: request for member ‘displayData’ in something not a structure or union
225 | filter.displayData.name = filterName;
| ^
EDRSilencer.c:226:23: error: request for member ‘flags’ in something not a structure or union
226 | filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
| ^
EDRSilencer.c:227:23: error: request for member ‘layerKey’ in something not a structure or union
227 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
| ^
EDRSilencer.c:228:23: error: request for member ‘action’ in something not a structure or union
228 | filter.action.type = FWP_ACTION_BLOCK;
| ^
EDRSilencer.c:229:21: error: request for member ‘fieldKey’ in something not a structure or union
229 | cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
| ^
EDRSilencer.c:230:21: error: request for member ‘matchType’ in something not a structure or union
230 | cond.matchType = FWP_MATCH_EQUAL;
| ^
EDRSilencer.c:231:21: error: request for member ‘conditionValue’ in something not a structure or union
231 | cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
| ^
EDRSilencer.c:232:21: error: request for member ‘conditionValue’ in something not a structure or union
232 | cond.conditionValue.byteBlob = appId;
| ^
EDRSilencer.c:233:23: error: request for member ‘filterCondition’ in something not a structure or union
233 | filter.filterCondition = &cond;
| ^
EDRSilencer.c:234:23: error: request for member ‘numFilterConditions’ in something not a structure or union
234 | filter.numFilterConditions = 1;
| ^
EDRSilencer.c:238:27: error: request for member ‘providerKey’ in something not a structure or union
238 | filter.providerKey = &providerGuid;
| ^
EDRSilencer.c:240:29: error: request for member ‘displayData’ in something not a structure or union
240 | provider.displayData.name = providerName;
| ^
EDRSilencer.c:241:29: error: request for member ‘displayData’ in something not a structure or union
241 | provider.displayData.description = providerDescription;
| ^
EDRSilencer.c:242:29: error: request for member ‘flags’ in something not a structure or union
242 | provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
| ^
EDRSilencer.c:243:30: warning: implicit declaration of function ‘FwpmProviderAdd0’ [-Wimplicit-function-declaration]
243 | result = FwpmProviderAdd0(hEngine, &provider, NULL);
| ^~~~~~~~~~~~~~~~
EDRSilencer.c:248:35: error: request for member ‘providerKey’ in something not a structure or union
248 | filter.providerKey = &providerGuid;
| ^
EDRSilencer.c:254:26: warning: implicit declaration of function ‘FwpmFilterAdd0’ [-Wimplicit-function-declaration]
254 | result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
| ^~~~~~~~~~~~~~
EDRSilencer.c:261:23: error: request for member ‘layerKey’ in something not a structure or union
261 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
| ^
EDRSilencer.c: In function ‘BlockProcessTraffic’:
EDRSilencer.c:291:5: error: unknown type name ‘FWPM_FILTER_CONDITION0’
291 | FWPM_FILTER_CONDITION0 cond = {0};
| ^~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:292:5: error: unknown type name ‘FWPM_FILTER0’
292 | FWPM_FILTER0 filter = {0};
| ^~~~~~~~~~~~
EDRSilencer.c:293:5: error: unknown type name ‘FWPM_PROVIDER0’; did you mean ‘CRYPT_PROVIDERS’?
293 | FWPM_PROVIDER0 provider = {0};
| ^~~~~~~~~~~~~~
| CRYPT_PROVIDERS
EDRSilencer.c:312:11: error: request for member ‘displayData’ in something not a structure or union
312 | filter.displayData.name = filterName;
| ^
EDRSilencer.c:313:11: error: request for member ‘flags’ in something not a structure or union
313 | filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
| ^
EDRSilencer.c:314:11: error: request for member ‘layerKey’ in something not a structure or union
314 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
| ^
EDRSilencer.c:315:11: error: request for member ‘action’ in something not a structure or union
315 | filter.action.type = FWP_ACTION_BLOCK;
| ^
EDRSilencer.c:316:9: error: request for member ‘fieldKey’ in something not a structure or union
316 | cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
| ^
EDRSilencer.c:317:9: error: request for member ‘matchType’ in something not a structure or union
317 | cond.matchType = FWP_MATCH_EQUAL;
| ^
EDRSilencer.c:318:9: error: request for member ‘conditionValue’ in something not a structure or union
318 | cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
| ^
EDRSilencer.c:319:9: error: request for member ‘conditionValue’ in something not a structure or union
319 | cond.conditionValue.byteBlob = appId;
| ^
EDRSilencer.c:320:11: error: request for member ‘filterCondition’ in something not a structure or union
320 | filter.filterCondition = &cond;
| ^
EDRSilencer.c:321:11: error: request for member ‘numFilterConditions’ in something not a structure or union
321 | filter.numFilterConditions = 1;
| ^
EDRSilencer.c:325:15: error: request for member ‘providerKey’ in something not a structure or union
325 | filter.providerKey = &providerGuid;
| ^
EDRSilencer.c:327:17: error: request for member ‘displayData’ in something not a structure or union
327 | provider.displayData.name = providerName;
| ^
EDRSilencer.c:328:17: error: request for member ‘displayData’ in something not a structure or union
328 | provider.displayData.description = providerDescription;
| ^
EDRSilencer.c:329:17: error: request for member ‘flags’ in something not a structure or union
329 | provider.flags = FWPM_PROVIDER_FLAG_PERSISTENT;
| ^
EDRSilencer.c:335:23: error: request for member ‘providerKey’ in something not a structure or union
335 | filter.providerKey = &providerGuid;
| ^
EDRSilencer.c:348:11: error: request for member ‘layerKey’ in something not a structure or union
348 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
| ^
EDRSilencer.c: In function ‘UnblockAllWfpFilters’:
EDRSilencer.c:366:5: error: unknown type name ‘FWPM_FILTER0’
366 | FWPM_FILTER0** filters = NULL;
| ^~~~~~~~~~~~
EDRSilencer.c:376:14: warning: implicit declaration of function ‘FwpmFilterCreateEnumHandle0’ [-Wimplicit-function-declaration]
376 | result = FwpmFilterCreateEnumHandle0(hEngine, NULL, &enumHandle);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:383:18: warning: implicit declaration of function ‘FwpmFilterEnum0’ [-Wimplicit-function-declaration]
383 | result = FwpmFilterEnum0(hEngine, enumHandle, 1, &filters, &numFilters);
| ^~~~~~~~~~~~~~~
EDRSilencer.c:387:13: warning: implicit declaration of function ‘FwpmFilterDestroyEnumHandle0’ [-Wimplicit-function-declaration]
387 | FwpmFilterDestroyEnumHandle0(hEngine, enumHandle);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:396:9: error: unknown type name ‘FWPM_DISPLAY_DATA0’
396 | FWPM_DISPLAY_DATA0 *data = &filters[0]->displayData;
| ^~~~~~~~~~~~~~~~~~
EDRSilencer.c:396:47: error: request for member ‘displayData’ in something not a structure or union
396 | FWPM_DISPLAY_DATA0 *data = &filters[0]->displayData;
| ^~
EDRSilencer.c:397:40: error: request for member ‘name’ in something not a structure or union
397 | WCHAR* currentFilterName = data->name;
| ^~
EDRSilencer.c:400:41: error: request for member ‘filterId’ in something not a structure or union
400 | UINT64 filterId = filters[0]->filterId;
| ^~
EDRSilencer.c:401:22: warning: implicit declaration of function ‘FwpmFilterDeleteById0’ [-Wimplicit-function-declaration]
401 | result = FwpmFilterDeleteById0(hEngine, filterId);
| ^~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:411:18: warning: implicit declaration of function ‘FwpmProviderDeleteByKey0’ [-Wimplicit-function-declaration]
411 | result = FwpmProviderDeleteByKey0(hEngine, &providerGuid);
| ^~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:413:27: error: ‘FWP_E_IN_USE’ undeclared (first use in this function); did you mean ‘STG_E_INUSE’?
413 | if (result != FWP_E_IN_USE) {
| ^~~~~~~~~~~~
| STG_E_INUSE
EDRSilencer.c:413:27: note: each undeclared identifier is reported only once for each function it appears in
EDRSilencer.c: In function ‘UnblockWfpFilter’:
EDRSilencer.c:445:24: error: ‘FWP_E_FILTER_NOT_FOUND’ undeclared (first use in this function); did you mean ‘ERROR_FILE_NOT_FOUND’?
445 | else if (result == FWP_E_FILTER_NOT_FOUND) {
| ^~~~~~~~~~~~~~~~~~~~~~
| ERROR_FILE_NOT_FOUND
EDRSilencer.c:454:27: error: ‘FWP_E_IN_USE’ undeclared (first use in this function); did you mean ‘STG_E_INUSE’?
454 | if (result != FWP_E_IN_USE) {
| ^~~~~~~~~~~~
| STG_E_INUSE
GCC version:
> x86_64-w64-mingw32-gcc --version
x86_64-w64-mingw32-gcc (GCC) 9.3-win32 20200320
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Error log:
EDRSilencer.c: In function ‘BlockEdrProcessTraffic’:
EDRSilencer.c:106:5: warning: implicit declaration of function ‘FwpmEngineOpen0’ [-Wimplicit-function-declaration]
106 | FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &hEngine);
| ^~~~~~~~~~~~~~~
EDRSilencer.c:137:17: warning: implicit declaration of function ‘QueryFullProcessImageNameW’ [-Wimplicit-function-declaration]
137 | QueryFullProcessImageNameW(hProcess, 0, fullPath, &size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:138:17: error: unknown type name ‘FWPM_FILTER_CONDITION0’
138 | FWPM_FILTER_CONDITION0 cond;
| ^~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:139:17: error: unknown type name ‘FWPM_FILTER0’
139 | FWPM_FILTER0 filter = {0};
| ^~~~~~~~~~~~
EDRSilencer.c:142:21: warning: implicit declaration of function ‘FwpmGetAppIdFromFileName0’ [-Wimplicit-function-declaration]
142 | if (FwpmGetAppIdFromFileName0(fullPath, &appId) != ERROR_SUCCESS) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:149:23: error: request for member ‘displayData’ in something not a structure or union
149 | filter.displayData.name = filterName;
| ^
EDRSilencer.c:150:23: error: request for member ‘flags’ in something not a structure or union
150 | filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
| ^
EDRSilencer.c:151:23: error: request for member ‘layerKey’ in something not a structure or union
151 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
| ^
EDRSilencer.c:152:23: error: request for member ‘action’ in something not a structure or union
152 | filter.action.type = FWP_ACTION_BLOCK;
| ^
EDRSilencer.c:153:21: error: request for member ‘fieldKey’ in something not a structure or union
153 | cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
| ^
EDRSilencer.c:154:21: error: request for member ‘matchType’ in something not a structure or union
154 | cond.matchType = FWP_MATCH_EQUAL;
| ^
EDRSilencer.c:155:21: error: request for member ‘conditionValue’ in something not a structure or union
155 | cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
| ^
EDRSilencer.c:156:21: error: request for member ‘conditionValue’ in something not a structure or union
156 | cond.conditionValue.byteBlob = appId;
| ^
EDRSilencer.c:157:23: error: request for member ‘filterCondition’ in something not a structure or union
157 | filter.filterCondition = &cond;
| ^
EDRSilencer.c:158:23: error: request for member ‘numFilterConditions’ in something not a structure or union
158 | filter.numFilterConditions = 1;
| ^
EDRSilencer.c:164:26: warning: implicit declaration of function ‘FwpmFilterAdd0’ [-Wimplicit-function-declaration]
164 | result = FwpmFilterAdd0(hEngine, &filter, NULL, &filterId);
| ^~~~~~~~~~~~~~
EDRSilencer.c:171:23: error: request for member ‘layerKey’ in something not a structure or union
171 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
| ^
EDRSilencer.c:179:17: warning: implicit declaration of function ‘FwpmFreeMemory0’ [-Wimplicit-function-declaration]
179 | FwpmFreeMemory0((void**)&appId);
| ^~~~~~~~~~~~~~~
EDRSilencer.c:191:5: warning: implicit declaration of function ‘FwpmEngineClose0’ [-Wimplicit-function-declaration]
191 | FwpmEngineClose0(hEngine);
| ^~~~~~~~~~~~~~~~
EDRSilencer.c: In function ‘BlockProcessTraffic’:
EDRSilencer.c:203:5: error: unknown type name ‘FWPM_FILTER_CONDITION0’
203 | FWPM_FILTER_CONDITION0 cond;
| ^~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:204:5: error: unknown type name ‘FWPM_FILTER0’
204 | FWPM_FILTER0 filter = {0};
| ^~~~~~~~~~~~
EDRSilencer.c:214:11: error: request for member ‘displayData’ in something not a structure or union
214 | filter.displayData.name = filterName;
| ^
EDRSilencer.c:215:11: error: request for member ‘flags’ in something not a structure or union
215 | filter.flags = FWPM_FILTER_FLAG_PERSISTENT;
| ^
EDRSilencer.c:216:11: error: request for member ‘layerKey’ in something not a structure or union
216 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
| ^
EDRSilencer.c:217:11: error: request for member ‘action’ in something not a structure or union
217 | filter.action.type = FWP_ACTION_BLOCK;
| ^
EDRSilencer.c:218:9: error: request for member ‘fieldKey’ in something not a structure or union
218 | cond.fieldKey = FWPM_CONDITION_ALE_APP_ID;
| ^
EDRSilencer.c:219:9: error: request for member ‘matchType’ in something not a structure or union
219 | cond.matchType = FWP_MATCH_EQUAL;
| ^
EDRSilencer.c:220:9: error: request for member ‘conditionValue’ in something not a structure or union
220 | cond.conditionValue.type = FWP_BYTE_BLOB_TYPE;
| ^
EDRSilencer.c:221:9: error: request for member ‘conditionValue’ in something not a structure or union
221 | cond.conditionValue.byteBlob = appId;
| ^
EDRSilencer.c:222:11: error: request for member ‘filterCondition’ in something not a structure or union
222 | filter.filterCondition = &cond;
| ^
EDRSilencer.c:223:11: error: request for member ‘numFilterConditions’ in something not a structure or union
223 | filter.numFilterConditions = 1;
| ^
EDRSilencer.c:236:11: error: request for member ‘layerKey’ in something not a structure or union
236 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;
| ^
EDRSilencer.c: In function ‘UnblockAllWfpFilters’:
EDRSilencer.c:254:5: error: unknown type name ‘FWPM_FILTER0’
254 | FWPM_FILTER0** filters;
| ^~~~~~~~~~~~
EDRSilencer.c:263:14: warning: implicit declaration of function ‘FwpmFilterCreateEnumHandle0’ [-Wimplicit-function-declaration]
263 | result = FwpmFilterCreateEnumHandle0(hEngine, NULL, &enumHandle);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:270:18: warning: implicit declaration of function ‘FwpmFilterEnum0’ [-Wimplicit-function-declaration]
270 | result = FwpmFilterEnum0(hEngine, enumHandle, 1, &filters, &numFilters);
| ^~~~~~~~~~~~~~~
EDRSilencer.c:274:13: warning: implicit declaration of function ‘FwpmFilterDestroyEnumHandle0’ [-Wimplicit-function-declaration]
274 | FwpmFilterDestroyEnumHandle0(hEngine, enumHandle);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c:283:9: error: unknown type name ‘FWPM_DISPLAY_DATA0’
283 | FWPM_DISPLAY_DATA0 *data = &filters[0]->displayData;
| ^~~~~~~~~~~~~~~~~~
EDRSilencer.c:283:47: error: request for member ‘displayData’ in something not a structure or union
283 | FWPM_DISPLAY_DATA0 *data = &filters[0]->displayData;
| ^~
EDRSilencer.c:284:40: error: request for member ‘name’ in something not a structure or union
284 | WCHAR* currentFilterName = data->name;
| ^~
EDRSilencer.c:287:41: error: request for member ‘filterId’ in something not a structure or union
287 | UINT64 filterId = filters[0]->filterId;
| ^~
EDRSilencer.c:288:22: warning: implicit declaration of function ‘FwpmFilterDeleteById0’ [-Wimplicit-function-declaration]
288 | result = FwpmFilterDeleteById0(hEngine, filterId);
| ^~~~~~~~~~~~~~~~~~~~~
EDRSilencer.c: In function ‘UnblockWfpFilter’:
EDRSilencer.c:320:24: error: ‘FWP_E_FILTER_NOT_FOUND’ undeclared (first use in this function); did you mean ‘ERROR_FILE_NOT_FOUND’?
320 | else if (result == FWP_E_FILTER_NOT_FOUND) {
| ^~~~~~~~~~~~~~~~~~~~~~
| ERROR_FILE_NOT_FOUND
EDRSilencer.c:320:24: note: each undeclared identifier is reported only once for each function it appears in
Hello, is it possible to apply a WFP filter to some specific driver? Thanks,
I can see there is the ability to remove filters based on FilterID; can this be implemented for blocking too?
Example:
EDRSilencer.exe block 5747702
Thanks!
Hi,
Do you mean that it doesn't add or link to an existing WFP Provider?
The rules do stand out due to this (from an OPSEC perspective).
Regards
K4nfr3
Hey,
Tried the release binary and also compiled my own (BTW, it was really challenging to compile successfully: GCC could not compile it and VS required a few modifications to succeed), and the WFP blocking doesn't effectively block the network traffic of the binary - I tried a number of binaries.
We can clearly see that the rule was added successfully (e.g. by netsh wfp show state), but the process can still communicate.
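From the defender's side, the counterpart of checking netsh wfp show state by eye is a script that flags the exact filter shape the compile logs above spell out: an FWP_ACTION_BLOCK filter on an ALE_AUTH_CONNECT layer keyed on FWPM_CONDITION_ALE_APP_ID, possibly FWPM_FILTER_FLAG_PERSISTENT and (as the earlier comment notes) possibly with no linked provider. The Python below is an added example, not code from EDRSilencer or from anyone in this thread. The XML element names are an assumption modelled on those WFP identifiers and on the general layout of a netsh wfp show state export; the sample export, paths, GUIDs and filter ids are constructed.

```python
# Added example (not part of EDRSilencer or this issue thread): scan a WFP
# state export for filters that block one executable's outbound connections.
# ASSUMPTION: the element layout mirrors the wfpstate.xml written by
# `netsh wfp show state`; element names are modelled on the WFP identifiers
# in the compile log (FWPM_LAYER_ALE_AUTH_CONNECT_V4, FWPM_CONDITION_ALE_APP_ID,
# FWP_ACTION_BLOCK, FWPM_FILTER_FLAG_PERSISTENT). Verify against a real export.
import xml.etree.ElementTree as ET

# Outbound-connection authorization layers; a block here stops egress only,
# which is why an agent can keep running while its reporting silently fails.
CONNECT_LAYERS = {
    "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
    "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
}

# Constructed sample export: one benign inbound permit and two per-application
# egress blocks (one persistent with a provider, one runtime-only without).
SAMPLE_WFPSTATE = r"""<wfpstate>
  <filters>
    <item>
      <filterKey>{aaaaaaaa-0000-0000-0000-000000000001}</filterKey>
      <displayData><name>Allow RDP from admin subnet</name></displayData>
      <flags><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
      <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
      <filterCondition numItems="1"><item>
        <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
        <matchType>FWP_MATCH_EQUAL</matchType>
        <conditionValue><type>FWP_UINT32</type><uint32>167772161</uint32></conditionValue>
      </item></filterCondition>
      <action><type>FWP_ACTION_PERMIT</type></action>
      <filterId>70001</filterId>
    </item>
    <item>
      <filterKey>{aaaaaaaa-0000-0000-0000-000000000002}</filterKey>
      <displayData><name>Custom Outbound Filter</name></displayData>
      <flags><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
      <providerKey>{bbbbbbbb-0000-0000-0000-000000000001}</providerKey>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <filterCondition numItems="1"><item>
        <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
        <matchType>FWP_MATCH_EQUAL</matchType>
        <conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
          <byteBlob><asString>\device\harddiskvolume2\program files\exampleagent\sensor.exe</asString></byteBlob>
        </conditionValue>
      </item></filterCondition>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <filterId>70002</filterId>
    </item>
    <item>
      <filterKey>{aaaaaaaa-0000-0000-0000-000000000003}</filterKey>
      <displayData><name>Custom Outbound Filter</name></displayData>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
      <filterCondition numItems="1"><item>
        <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
        <matchType>FWP_MATCH_EQUAL</matchType>
        <conditionValue><type>FWP_BYTE_BLOB_TYPE</type>
          <byteBlob><asString>\device\harddiskvolume2\program files\exampleagent\sensor.exe</asString></byteBlob>
        </conditionValue>
      </item></filterCondition>
      <action><type>FWP_ACTION_BLOCK</type></action>
      <filterId>70003</filterId>
    </item>
  </filters>
</wfpstate>"""


def _text(elem, path):
    """Stripped text of the first child at `path`, or '' when absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def find_app_block_filters(xml_text):
    """One finding per BLOCK filter keyed on an application id at a connect layer."""
    findings = []
    for item in ET.fromstring(xml_text).iterfind("./filters/item"):
        layer = _text(item, "layerKey")
        if _text(item, "action/type") != "FWP_ACTION_BLOCK" or layer not in CONNECT_LAYERS:
            continue
        for cond in item.iterfind("filterCondition/item"):
            if _text(cond, "fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            flags = {f.text.strip() for f in item.iterfind("flags/item") if f.text}
            findings.append({
                "filterId": int(_text(item, "filterId") or 0),
                "name": _text(item, "displayData/name"),
                "layer": layer,
                "appId": _text(cond, "conditionValue/byteBlob/asString"),
                "persistent": "FWPM_FILTER_FLAG_PERSISTENT" in flags,
                "providerKey": _text(item, "providerKey"),  # '' when no provider linked
            })
    return findings


def report(findings):
    """Human-readable lines, reboot-surviving (persistent) filters first."""
    ordered = sorted(findings, key=lambda f: (not f["persistent"], f["filterId"]))
    return ["filter %d %s layer=%s app=%s provider=%s" % (
        f["filterId"], "[persistent]" if f["persistent"] else "[runtime]",
        f["layer"], f["appId"], f["providerKey"] or "<none>") for f in ordered]


if __name__ == "__main__":
    for line in report(find_app_block_filters(SAMPLE_WFPSTATE)):
        print(line)
```

To run it against a host, export the state with netsh wfp show state, read the resulting XML into find_app_block_filters, and compare the reported application paths with the agents you expect to be reporting; a persistent block with no provider on an agent's path is the case worth escalating.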
Here are two lists of EDR processes you could add.
I haven't tested the tool yet, but it looks great :)
The Cisco Secure Endpoint agent runs as sfc.exe, which is also the process name of the Windows filesystem checker. I'm not sure if this would cause issues, but it would at least cause the program to incorrectly identify the host as running Cisco Secure Endpoint.
Default path: C:\Program Files\Cisco\AMP\X.X.X\sfc.exe
(X.X.X denotes the version number)