{"id":13640663,"url":"https://github.com/PI-Defender/pi-defender","last_synced_at":"2025-04-20T02:34:38.379Z","repository":{"id":59473649,"uuid":"505729093","full_name":"PI-Defender/pi-defender","owner":"PI-Defender","description":"Kernel Security driver used to block past, current and future process injection techniques on Windows Operating System.","archived":false,"fork":false,"pushed_at":"2022-09-11T12:19:34.000Z","size":3407,"stargazers_count":147,"open_issues_count":1,"forks_count":23,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-08-03T01:17:21.031Z","etag":null,"topics":["anti-injection","anti-malware","antivirus","blue-team","defense","driver","kernel","malware","process-injection","security","windows"],"latest_commit_sha":null,"homepage":"https://pi-defender.github.io/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PI-Defender.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-21T07:07:42.000Z","updated_at":"2024-07-23T03:56:07.000Z","dependencies_parsed_at":"2022-09-17T18:30:22.131Z","dependency_job_id":null,"html_url":"https://github.com/PI-Defender/pi-defender","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PI-Defender%2Fpi-defender","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PI-Defender%2Fpi-defender/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PI-Defender%2Fpi-defender/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PI-Defender%2Fpi
-defender/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PI-Defender","download_url":"https://codeload.github.com/PI-Defender/pi-defender/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223816712,"owners_count":17207900,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-injection","anti-malware","antivirus","blue-team","defense","driver","kernel","malware","process-injection","security","windows"],"created_at":"2024-08-02T01:01:13.214Z","updated_at":"2024-11-09T10:31:35.005Z","avatar_url":"https://github.com/PI-Defender.png","language":"C++","funding_links":[],"categories":["Anti Cheat"],"sub_categories":[],"readme":"# PI-Defender\r\n\r\n## What is PI-Defender?\r\n\r\nPI-Defender is a kernel security driver used to block past, current and future process injection techniques on the Windows operating system:\r\n* [Process Hollowing](https://attack.mitre.org/techniques/T1055/012/)\r\n* [Process Doppelgänging](https://attack.mitre.org/techniques/T1055/013/)\r\n* [Process Herpaderping](https://jxy-s.github.io/herpaderping/)\r\n* [Process Ghosting](https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack)\r\n* [Process Overwriting](https://github.com/hasherezade/process_overwriting)\r\n* [DLL Injection](https://attack.mitre.org/techniques/T1055/001/)\r\n\r\n## Demonstration\r\n\r\nProcess Ghosting PoC from [Hasherezade](https://github.com/hasherezade/process_ghosting).  
\r\n\r\nhttps://user-images.githubusercontent.com/62078072/185355728-04c7fdca-9b8b-4cee-9296-e60c28c1d794.mp4\r\n\r\n## How does it work?\r\n\r\nWhenever a binary wants to interact with the memory of a Windows object, it has to specify rights according to what it wants to achieve.  \r\nThe system then returns a *handle* associated with this object, carrying the granted rights.  \r\nSince all process injection techniques need to write into the memory of a remote process, they need a handle with specific rights (PROCESS_VM_WRITE and PROCESS_VM_OPERATION).  \r\nThe technique used by PI-Defender is simply to **remove forbidden access rights on handles associated with remote processes**.\r\n\r\n![mermaid_workflow_picture](https://user-images.githubusercontent.com/62078072/189527100-89b83ecd-82b0-48af-9efe-be3369a47986.png)\r\n\r\n### Kernel Driver\r\n\r\n#### Handle Rights\r\n\r\n| Requested                         | Granted            |\r\n| --------------------------------- | :----------------: |\r\n| DELETE                            | :heavy_check_mark: |\r\n| READ_CONTROL                      | :heavy_check_mark: |\r\n| WRITE_DAC                         | :heavy_check_mark: |\r\n| WRITE_OWNER                       | :heavy_check_mark: |\r\n| SYNCHRONIZE                       | :heavy_check_mark: |\r\n| PROCESS_TERMINATE                 | :heavy_check_mark: |\r\n| PROCESS_CREATE_THREAD             | :heavy_check_mark: |\r\n| PROCESS_SET_SESSIONID             | :heavy_check_mark: |\r\n| PROCESS_VM_OPERATION              | :x:                |\r\n| PROCESS_VM_READ                   | :heavy_check_mark: |\r\n| PROCESS_VM_WRITE                  | :x:                |\r\n| PROCESS_DUP_HANDLE                | :heavy_check_mark: |\r\n| PROCESS_CREATE_PROCESS            | :heavy_check_mark: |\r\n| PROCESS_SET_QUOTA                 | :heavy_check_mark: |\r\n| PROCESS_SET_INFORMATION           | :heavy_check_mark: |\r\n| PROCESS_QUERY_INFORMATION         | :heavy_check_mark: 
|\r\n| PROCESS_SUSPEND_RESUME            | :heavy_check_mark: |\r\n| PROCESS_QUERY_LIMITED_INFORMATION | :heavy_check_mark: |\r\n| PROCESS_SET_LIMITED_INFORMATION   | :heavy_check_mark: |\r\n\r\nFor detailed information about process security and access rights, please visit https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights.\r\n\r\n#### Configuration\r\n\r\n##### Whitelist\r\n\r\nYou can whitelist an entire folder or a single executable if you don't want the driver to filter these files.  \r\nModify the registry key ```HKLM\\SYSTEM\\CurrentControlSet\\Services\\PI-Defender\\Parameters\\Whitelist```, then add folders and applications.\r\n\r\n##### Cache\r\n\r\nBy default, the cache holds 100 hashes corresponding to the last 100 applications that were analyzed.\r\nIt allows the driver to cache recurrent files and save computing time.  \r\nModify the registry key ```HKLM\\SYSTEM\\CurrentControlSet\\Services\\PI-Defender\\Parameters\\CacheSize``` to increase or decrease the number of hashes held by the cache.\r\n\r\n##### Communication Port\r\n\r\nThe communication port is used by the driver and the user-mode service to communicate through a specified channel.\r\nBy default, the communication port is named _\\PIDefenderPort_.  \r\nModify the registry key ```HKLM\\SYSTEM\\CurrentControlSet\\Services\\PI-Defender\\Parameters\\CommunicationPort``` to change the communication port.\r\n\r\n##### Number of clients\r\n\r\nBy default, the number of clients is set to 1.  
\r\nModify the registry key ```HKLM\\SYSTEM\\CurrentControlSet\\Services\\PI-Defender\\Parameters\\MaxClients``` to increase this number.\r\n\r\n### User-Mode Service\r\n\r\n#### Verify Signature\r\n\r\nThere are two kinds of signatures in Windows:\r\n* Embedded signature.\r\n* Catalog signature.\r\n\r\nBoth are checked by PI-Defender in order to trust an application.\r\n\r\n#### Configuration\r\n\r\n##### Listener Thread\r\n\r\nThe listener thread's purpose is to wait for data sent by the driver. Once data is received, it creates a work pool and sends the data to the worker thread.\r\n\r\nModify the registry key ```HKLM\\SYSTEM\\CurrentControlSet\\Services\\PI-Defender_UM\\Parameters\\ListenerThreads``` to increase the number of listener threads.\r\n\r\n##### Worker Threads\r\n\r\nWorker threads have multiple goals:\r\n* Verify the signature of an executable.\r\n* Send the response back to the driver.\r\n* Push a new message into the queue for the listener.\r\n\r\nModify the registry key ```HKLM\\SYSTEM\\CurrentControlSet\\Services\\PI-Defender_UM\\Parameters\\MaxWorkerThreads \\ MinWorkerThreads``` to increase/decrease the number of worker threads.\r\n\r\n## Getting Started\r\n\r\nThese instructions will get you a copy of the project up and running on your local machine.\r\n\r\n### Tested on\r\n1. Windows 10 21H2 19044.1415\r\n2. Microsoft Visual Studio version 2019.\r\n3. Windows Driver Kit (WDK) 10.0.19041.685.\r\n4. Windows Software Development Kit (SDK) 10.0.19041.685.\r\n\r\n### Building\r\n1. Clone the project.  \r\n\t```bash\r\n\tgit clone https://github.com/PI-Defender/pi-defender.git\r\n\t```\r\n2. Load PI-Defender.sln with Visual Studio.\r\n3. Make sure the configuration manager is set to x64 (Release).\r\n4. Build the solution (Ctrl + Shift + B).\r\n\r\n### Installing\r\n1. The driver uses test signing, so before using it Windows must be set to install and run test-signed drivers. 
\r\n   Enabling test-signed drivers can be done with the following steps:\r\n   * *Reset this PC* (search bar)  \r\n   * *Troubleshoot*\r\n   * *Advanced Options*\r\n   * *Startup repair*\r\n   * Select the number **7** to disable driver signature enforcement.\r\n\r\n   Windows will restart for the changes to take effect.  \r\n2. Install the driver with the user-mode service.\r\n   ```bash\r\n   PI-Defender_UM.exe install\r\n   ```\r\n   To ensure a smooth installation, *PI-Defender_UM.exe*, *PI-Defender.sys* and *PI-Defender_MsgFile.dll* must be in the same folder before running the previous command.\r\n   If everything went well, you should see a success message.\r\n\r\n## Usage\r\n```\r\n$ PI-Defender_UM.exe [install,start,query,stop,delete]\r\n\r\nProtect your system from process injection.\r\n\r\nActions:\r\n\tinstall\t\tInstall the service User-Mode and the Driver kernel.\r\n\tstart\t\tStart the service User-Mode and the driver kernel.\r\n\tquery\t\tQuery informations about the service and the driver.\r\n\tstop\t\tStop the service user-mode and the driver.\r\n\tdelete\t\tDelete the service user-mode and the driver.\r\n```\r\n\r\n## Documentation\r\n\r\nThe offline documentation is available in the **Doc/** directory.\r\n\r\nThe online documentation is available on the main [website](https://pi-defender.github.io/).\r\n\r\n## Maintainers / Authors\r\n\r\n* Nicolas JALLET (@Nikj-Fr)\r\n* Bérenger BRAULT (@CapitaineHadd0ck)\r\n\r\n## Credits\r\n\r\n* [Naval Group](https://www.naval-group.com/en)\r\n* Baptiste David\r\n\r\n## Licence\r\n\r\nThis project is under the [LGPLv3](https://choosealicense.com/licenses/lgpl-3.0) License.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPI-Defender%2Fpi-defender","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPI-Defender%2Fpi-defender","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPI-Defender%2Fpi-defender/lists"}