RealBlindingEDR

2024.3.13 update

Utilize arbitrary address read/write implementation with signed driver: completely blind or kill or permanently turn off AV/EDR.

If you want to understand the implementation principle, you can refer to the analysis article: AV/EDR 完全致盲 - 清除6大内核回调实现（Chinese）

Supports blinding/permanent shutdown: 360 Security Guard, 360 Enterprise Edition, Tianqing V10, Tencent Computer Manager, Tinder/Tinder Enterprise Edition, Kaspersky Endpoint Security, AsiaInfo EDR, Windows Defender, AnTian Zhijia.

Note: If you have other EDR products that need to be blinded, you can send me the installation package and I will implement it according to the situation.

Currently tested on 64-bit Windows 7/10/11 and Windows Server 2008R2/2012R2/2016/2019/2022. If you find a problem in a certain version, you can report it through issue and I will adapt it.

Introduction

This project implements the clearing of the following kernel callbacks:

Delete the callback registered by CmRegisterCallback(Ex)
Delete the callback registered by MiniFilter driver
Delete the callbacks registered by ObRegisterCallbacks()
Delete the callback registered by PsSetCreateProcessNotifyRoutine(Ex)
Delete the callback registered by PsSetCreateThreadNotifyRoutine(Ex)
Delete the callback registered by PsSetLoadImageNotifyRoutine(Ex)

After deleting the kernel callback, the following 3 effects can finally be achieved:

Blinding AV/EDR

While keeping the AV/EDR process running normally, it makes it impossible to monitor any process/thread activity, any file landing, registry deletion, high-privilege handle acquisition and many other sensitive behaviors. (Not killing directly is to ensure that EDR maintains communication with the master control and avoid being discovered due to disconnection)
Permanently turn off or disable AV/EDR

Since the registry and minifilter kernel notification callbacks are deleted, AV/EDR can be permanently turned off (even if the system is restarted) by modifying the registry or directly deleting the AV/EDR file.
Kill AV/EDR process

Since the object handle notification callback has been removed, it is now possible to terminate the AV/EDR process with normal administrator user rights.

Disclaimer

This project is not targeted at any AV/EDR manufacturers. The code examples are only for research and learning, and are not allowed to be used maliciously. If there is any malicious use, it has nothing to do with me.

Usage

Download the exe file from Releases and do anti-virus processing (you can convert the exe into shellcode and write a shellcode loader to load it)

This project currently supports 4 types of driver applications (corresponding to the corresponding application numbers):

echo_driver.sys (support win10+)
dbutil_2_3.sys (support win7+)
wnBio.sys (supports Windows Version 6.3+)
GPU-Z.sys(only supports Windows Version 6.1)

example:

Use the echo_driver.sys driver for blinding:

RealBlindingEDR.exe c:\echo_driver.sys 1
Use the wnBio.sys driver to permanently remove the anti-virus software (essentially renaming the key files of the anti-virus software):

RealBlindingEDR.exe c:\wnBio.sys 3 clear

Tips: If EDR marks these driver files, you can try to modify the hash value of the driver files without affecting the driver signature.

Effect

The following demonstration content is not specific to this AV manufacturer, but is only for educational and research purposes. Most AV/EDR manufacturers are affected.

DemoVideo

Delete AV/EDR object handle monitoring and kill AV process
Delete AV/EDR registry monitoring and delete AV registry to permanently shut down AV
Delete file landing monitoring and AV/EDR own file protection, delete AV files to permanently close AV

To be done

Clear the handles related to the Windows ETW event provider in the kernel.
Try removing WFP related callbacks.
...

Acknowledgments

Thanks to the following articles and projects for helping me.

moyu-corax / realblindingedr Goto Github PK