Empty Provider
k4nfr3 opened this issue · 5 comments
Hi,
Is this meant by you that it doesn't add or link to an existing WFP provider?
The rules do stand out due to this (from an OPSEC perspective).
Regards
K4nfr3
The following code: https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c#L62 is used to manage the filter name with which rules are created. You can modify this with your custom (or existing) filter name.
My bad. Misread it as the filter.
I think it's possible: by doing something like `filter.providerKey = (GUID*)&WFPSAMPLER_PROVIDER;` here: https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c#L147-L157
While I play around, I'd wait for @netero1010 to check the references above and see if it's an easy fix for him.
Hi. I believe adding a provider to the custom rule will help from an OPSEC perspective. I will check if it is better to get an existing provider or create a new one. I will include this in my to-do list for the next update. Thanks @k4nfr3 and @pbssubhash.
Updated in version 1.2. A new WFP provider will be created for the custom WFP filter.
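The OPSEC point raised in this thread is that a WFP filter whose `providerKey` is empty stands out in a filter dump. The script below is an added example, not EDRSilencer code or anything from this issue; it is the check a defender (or an operator verifying the 1.2 change) would run. It assumes an elevated PowerShell prompt, that `netsh wfp show filters file=...` writes the filter set as XML, and that the dump mirrors the `FWPM_FILTER0` fields with a `<filters>` root, one `<item>` per filter, and `<filterKey>`, `<displayData><name>`, `<layerKey>` and `<providerKey>` children; those element names are assumptions taken from that dump format, so adjust them if your `netsh` output differs.

```powershell
# Added example (not from EDRSilencer or this issue): list WFP filters that carry
# no provider, and show how many filters each provider owns.
# Assumptions: elevated prompt; `netsh wfp show filters file=<path>` writes XML whose
# element names mirror FWPM_FILTER0 (filters/item/filterKey, displayData/name,
# layerKey, providerKey). Adjust the property paths below if your dump differs.

$dump = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters "file=$dump" | Out-Null
if (-not (Test-Path $dump)) {
    throw "netsh did not write $dump; run this from an elevated prompt"
}

[xml]$xml = Get-Content -Raw -Path $dump

# One record per filter; NoProvider is true when providerKey is absent or blank.
$report = foreach ($f in $xml.filters.item) {
    $provider = [string]$f.providerKey
    [pscustomobject]@{
        Name        = [string]$f.displayData.name
        FilterKey   = [string]$f.filterKey
        Layer       = [string]$f.layerKey
        ProviderKey = $provider
        NoProvider  = [string]::IsNullOrWhiteSpace($provider)
    }
}

"Filters with an empty providerKey (the tell discussed in the issue):"
$report | Where-Object NoProvider |
    Sort-Object Layer, Name |
    Format-Table Name, FilterKey, Layer -AutoSize

"Filter count per provider (a brand-new provider owning one or two filters is visible here):"
$report | Where-Object { -not $_.NoProvider } |
    Group-Object ProviderKey |
    Sort-Object Count |
    Select-Object Count, @{ Name = 'ProviderKey'; Expression = { $_.Name } } |
    Format-Table -AutoSize

Remove-Item -Path $dump -ErrorAction SilentlyContinue
```

The first table is the direct check for the behaviour the issue describes (a filter with no provider); the second shows why creating a fresh provider, as version 1.2 does, is only a partial answer, since a provider that owns a handful of filters is as easy to spot by count as an empty one is by absence.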