███████████████████████████████████████████████████████ █────█────█────█────██────██──█──█───███───█────██────█ █─████─██─█─██─█─██──█─██──██───██─█████─███─██──█─██─█ █─█──█─██─█─██─█─██──█────████─███───███───█─██──█────█ █─██─█─██─█─██─█─██──█─██──███─███─█████─███─██──█─█─██ █────█────█────█────██────████─███───███───█────██─█─██ ██████████████████████████████─████████████████████████

Disable & hook notifications of AV & EDR from events occurring in the system.

The project has the following features:

1. List
   • callbacks,
   • minifilters.
2. Removing callback functions:
   • create/exit of processes,
   • create/exit of threads.
3. Hook callback functions with filtering by process name:
   • create/exit of processes,
   • create/exit of threads.
4. Hook file system minifilters.
5. Abuse AV & EDR after remove or hook.

The assembly is a compilation of two great projects:

1. https://github.com/uf0o/windows-ps-callbacks-experiments (Fork deleted repository https://github.com/fdiskyou/windows-ps-callbacks-experiments).
2. https://github.com/SHA-MRIZ/FsMinfilterHooking

Additionally, added the ability to hook callback functions with filtering by the name of the process: create/exit of processes and threads & hook of file system minifilters.

The project is built for Visual Studio 2019 with SDK & DDK v10.0.22000.0 for x64.

After built put all files together in one directory and place the same directory install.bat:

• Dobro.sys - driver
• DobroCli.exe - cli for control driver
• Install.bat - install

Run install.bat as administrator.

Start driver:

sc start dobro

Stop driver:

sc start dobro

For control driver run DorbroCli.exe in cmd.exe:

Usage: DobroCli.exe <options>
Options:
  -h                        Show this message.
  -l                        Process & Thread Notify Callbacks Address's & FS Minifilters List.
<Process Callbacks>
  -zp                       Zero out Process Notify Callback's Array (Cowboy Mode).
  -dp <index>               Delete Specific Process Notify Callback (Red Team Mode).
  -pp <index>               Patch Specific Process Notify Callback (Threat Actor Mode).
  -rp <index>               Rollback to the original Process Notify Callback (Thoughtful Ninja Mode).
<Threads Callbacks>
  -zt                       Zero out Thread Notify Callback's Array (Cowboy Mode).
  -dt <index>               Delete Specific Thread Notify Callback (Red Team Mode).
  -pt <index>               Patch Specific Thread Notify Callback (Threat Actor Mode).
  -rt <index>               Rollback to the original Thread Notify Callback (Thoughtful Ninja Mode).
<Hook Notify Callback>
  -hps <index> <filter>     Hook PS notify routine.
  -ups                      Unhook PS notify routine.
  -hthr <index> <filter>    Hook THR notify routine.
  -uthr                     Unhook THR notify routine.
<FS Minifilters>
  -hm <index>               Hook FS Minifilter.
  -um                       Unhook FS Minifilter.
<Check>
  -chk                      Try AV/EDR for fun ;-) (Inject PS, need admin).
<Driver Debug>
  -dbg_lm                   List modules in Driver DbgPrint.
  -dbg_bsod                 BS0D.

Get list callbacks process and thread notify routine + file system minifilters:

DobroCli.exe -l

Hook thread and process callback notify routine with filter by name process, no problem:

DobroCli.exe -hthr 1 kxxx

DobroCli.exe -hps 7 kxxx

Hook file system minifilters, no problem:

DobroCli.exe -hm 1 kxxxxxx

Articles covering these issues in detail:

1. https://habr.com/ru/company/rostelecom/blog/597619/ [RU]
2. https://synzack.github.io/Blinding-EDR-On-Windows/
3. http://deniable.org/windows/windows-callbacks ---> https://web.archive.org/web/20200326040826/http://deniable.org/windows/windows-callbacks
4. https://aviadshamriz.medium.com/part-1-fs-minifilter-hooking-7e743b042a9d