RealBlindingEDR

Remove AV/EDR kernel ObRegisterCallbacks, CmRegisterCallback, MiniFilter callback, PsSetCreateProcessNotifyRoutine callback, PsSetCreateThreadNotifyRoutine callback, PsSetLoadImageNotifyRoutine callback...

RealBlindingEDR

Chinese introduction

Uses the arbitrary kernel address read/write primitive of a signed driver to completely blind, kill, or permanently turn off AV/EDR.

If you want to understand the implementation principle, you can refer to the analysis article: AV/EDR 完全致盲 - 清除6大内核回调实现 (in Chinese; roughly "Completely blinding AV/EDR: clearing the six major kernel callbacks")

Introduction

This project implements the clearing of the following kernel callbacks:

  1. Delete the callback registered by CmRegisterCallback(Ex)
  2. Delete the callback registered by a MiniFilter driver (currently supports Win10 and Win11; Win7 support is in progress)
  3. Delete the callbacks registered by ObRegisterCallbacks()
  4. Delete the callback registered by PsSetCreateProcessNotifyRoutine(Ex)
  5. Delete the callback registered by PsSetCreateThreadNotifyRoutine(Ex)
  6. Delete the callback registered by PsSetLoadImageNotifyRoutine(Ex)

After deleting the kernel callbacks, the following three effects can be achieved:

  1. Blinding AV/EDR

    While the AV/EDR process keeps running normally, it can no longer monitor any process/thread activity, files being written to disk, registry deletion, high-privilege handle acquisition or many other sensitive behaviors. (The process is not killed outright so that the EDR keeps communicating with its management server and the loss of the connection does not raise an alert.)

  2. Permanently turn off or disable AV/EDR

    Since the registry and MiniFilter kernel notification callbacks are deleted, AV/EDR can be permanently turned off (even across a system restart) by modifying the registry or directly deleting the AV/EDR files.

  3. Kill AV/EDR process

    Since the object handle notification callback has been removed, the AV/EDR process can now be terminated with normal administrator rights.

It has been tested on Win7, Win10 and Win11. If you have any problems with other versions, please open an issue and I will adapt it in the future.

Disclaimer

This project is not targeted at any AV/EDR manufacturer. The code examples are only for research and learning and must not be used maliciously. Any malicious use has nothing to do with me.

Usage

  1. Download the project code, open the RealBlindingEDR.h file, and configure the absolute path of the driver you are going to use.

    This project supports two drivers: dbutil_2_3.sys and echo_driver.sys

    #define DriverType 1 means using echo_driver.sys

    #define DriverType 2 means using dbutil_2_3.sys

    #define DrivePath "driver_fullpath" specifies the path where the driver is located

    The dbutil_2_3.sys driver supports Win7 and above, but it may fail to load on Win11 because its certificate is blocklisted.

    The echo_driver.sys driver only supports Win10 and above; there are currently no other restrictions.

  2. Compile the project and double-click to execute it on the computer with AV/EDR installed. (If the file is detected by the anti-virus, write your own anti-virus-evading shellcode loader, then convert the program into shellcode and load it.)

  3. After execution you will see output like the following (it lists the names of all drivers that registered these callbacks):

  4. Open the RealBlindingEDR.h file again and add the driver names that you are sure belong to the AV/EDR to the CONST CHAR* AVDriver[] = {} array. An example of configuring the Defender driver: You can also try to identify the AV/EDR driver names from the signatures of the files in the C:\windows\system32\drivers\ directory.

    Note: Do not add the names of normal Windows system drivers to this array, otherwise the system may crash.

  5. Compile again and run it directly to automatically clear all the above callbacks of the specified drivers.
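From the defender's side, the weak point of this procedure is the driver it depends on: the two file names above are fixed, so a host can be checked for them. The following PowerShell script is an added example and not part of the RealBlindingEDR project; it reports registered driver services, on-disk copies (with signer and SHA-256), and System-log service-installation events (ID 7045) that reference either driver. The list of directories to scan is an assumption.

```powershell
# Added example, not project code: look for the two signed drivers RealBlindingEDR loads.
# Run in an elevated PowerShell for full service and event-log visibility.
$SuspectDrivers = @('dbutil_2_3.sys', 'echo_driver.sys')   # file names taken from the README

function Find-SuspectDriverService {
    # Kernel driver services whose image path ends in one of the suspect file names
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $leaf = (Split-Path -Leaf ($_.PathName -replace '^\\\?\?\\', '')).ToLower()
            if ($SuspectDrivers -contains $leaf) {
                [pscustomobject]@{ Source = 'Service'; Name = $_.Name; State = $_.State; Path = $_.PathName }
            }
        }
}

function Find-SuspectDriverFile {
    # Assumed search locations: the drivers directory plus common drop locations
    param([string[]]$Dirs = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData, "$env:USERPROFILE\Downloads"))
    foreach ($dir in $Dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include $SuspectDrivers -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Source = 'File'; Name = $_.Name; Path = $_.FullName
                    Signer = $sig.SignerCertificate.Subject
                    Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Find-SuspectDriverInstallEvent {
    # Service Control Manager event 7045 ("A service was installed in the system") names the service file
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $msg = $_.Message; $SuspectDrivers | Where-Object { $msg -match [regex]::Escape($_) } } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Event7045'; Time = $_.TimeCreated; Message = ($_.Message -split "`n")[0] }
        }
}

$findings = @(Find-SuspectDriverService) + @(Find-SuspectDriverFile) + @(Find-SuspectDriverInstallEvent)
if ($findings.Count -eq 0) { 'No RealBlindingEDR driver indicators found.' } else { $findings | Format-List }
```

A hit on the service or file check warrants isolating the host and reviewing which security product callbacks are still registered; enabling Microsoft's vulnerable driver blocklist (HVCI) prevents these known drivers from loading in the first place.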

Effect

The following demonstration is not specific to the AV manufacturer shown; it is only for educational and research purposes. Most AV/EDR manufacturers are affected.

Tip: By executing the program directly, you can achieve all of the following effects.

DemoVideo

  1. Delete AV/EDR object handle monitoring and kill the AV process

  2. Delete AV/EDR registry monitoring and delete the AV registry keys to permanently shut down the AV

  3. Delete file write monitoring and the AV/EDR's own file protection, then delete the AV files to permanently shut down the AV

To be done

  1. Clear the handles related to the Windows ETW event provider in the kernel.
  2. Try removing WFP related callbacks.
  3. ...

Acknowledgments

Thanks to the following articles and projects that helped me.

  1. OBREGISTERCALLBACKS AND COUNTERMEASURES
  2. Windows Anti-Debug techniques - OpenProcess filtering
  3. Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver
  4. Part 1: Fs Minifilter Hooking
  5. EchoDrv
  6. Windows Kernel Ps Callbacks Experiments
  7. Silencing the EDR. How to disable process, threads and image-loading detection callbacks
  8. Removing-Kernel-Callbacks-Using-Signed-Drivers
  9. EchOh-No! a Vulnerability and PoC demonstration in a popular Minecraft AntiCheat tool