leechristensen revised this gist
Jul 9, 2021 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -26,7 +26,7 @@ function Get-DriversWithCallbacks { if($Callbacks) { New-Object psobject -Property @{ Path = $FilePath Imports = ($Callbacks | select -ExpandProperty Name) } } } -
leechristensen revised this gist
Jul 9, 2021 . 1 changed file with 24 additions and 19 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,28 +1,33 @@ # Find loaded kernel drivers that register callbacks # Requirements: NtObjectManager (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager) function Get-DriversWithCallbacks { [CmdletBinding()] Param() Get-NtKernelModule | ForEach-Object { $ModulePath = $_.FullPathName $FilePath = $null try { $FilePath = Get-NtFileFinalPath -FormatWin32Path $ModulePath -ErrorAction Stop } catch { Write-Warning "Could not find Win32 path for the driver $ModulePath" } if($FilePath) { $Module = Get-Win32ModuleImport -Path $FilePath $NtoskrnlFuncs = $Module ` | Where-Object { $_.DllName -match 'ntoskrnl.exe'} ` | Select-Object -ExpandProperty Functions $ImportRegex = 'PsSetCreateProcessNotifyRoutine|PsSetCreateThreadNotifyRoutine|PsSetLoadImageNotifyRoutine|CmRegisterCallback|ObRegisterCallbacks|ExRegisterCallback' $Callbacks = $NtoskrnlFuncs | Where-Object { $_.Name -match $ImportRegex } if($Callbacks) { New-Object psobject -Property @{ Path = $FilePath Callbacks = ($Callbacks | select -ExpandProperty Name) } } } } -
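Review bot: The new Get-DriversWithCallbacks function gets `[CmdletBinding()]` and `Param()` but no comment-based help, and the check only looks at the static import table that Get-Win32ModuleImport returns, so a driver that resolves these routines at run time (for example via MmGetSystemRoutineAddress) is not reported; a `.SYNOPSIS`/`.DESCRIPTION` block above `[CmdletBinding()]` should say that the output lists drivers that statically import callback-registration routines and is not a complete inventory of registered callbacks. The `$ImportRegex` assignment is unanchored and `-match` is a substring test, so `CmRegisterCallback` also matches `CmRegisterCallbackEx` and `PsSetCreateProcessNotifyRoutine` also matches its `Ex` variants; if that is intended, a comment such as `# Unanchored on purpose: also catches the *Ex variants of these routines` above `$ImportRegex` makes it explicit. As a point of style, `Callbacks = ($Callbacks | select -ExpandProperty Name)` uses the `select` alias while the other pipeline stages spell out `Where-Object`/`Select-Object`; `Callbacks = ($Callbacks | Select-Object -ExpandProperty Name)` would be consistent. The same observations apply to the original revision of the script further down the page.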
leechristensen created this gist
Jul 9, 2021 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,29 @@ # Find loaded kernel drivers that register callbacks # Requirements: NtObjectManager (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager) Get-NtKernelModule | ForEach-Object { $ModulePath = $_.FullPathName $FilePath = $null try { $FilePath = Get-NtFileFinalPath -FormatWin32Path $ModulePath -ErrorAction Stop } catch { Write-Warning "Could not find Win32 path for the driver $ModulePath" } if($FilePath) { $Module = Get-Win32ModuleImport -Path $FilePath $NtoskrnlFuncs = $Module ` | Where-Object { $_.DllName -match 'ntoskrnl.exe'} ` | Select-Object -ExpandProperty Functions $ImportRegex = 'PsSetCreateProcessNotifyRoutine|PsSetCreateThreadNotifyRoutine|PsSetLoadImageNotifyRoutine|CmRegisterCallback|ObRegisterCallbacks|ExRegisterCallback' $Callbacks = $NtoskrnlFuncs | Where-Object { $_.Name -match $ImportRegex } if($Callbacks) { New-Object psobject -Property @{ Path = $FilePath Callbacks = ($Callbacks | select -ExpandProperty Name) } } } }